
Cyber Incident Victim: Government of Ukraine

Date:

Feb 2021

Location:

Ukraine

Summary

Ukrainian government websites, particularly in the defense and security sectors, were hit by massive DDoS attacks originating from Russian networks. The attackers also compromised vulnerable government web servers with malware that covertly enlisted them into a botnet, which was then used to launch further attacks on domestic targets. The incident disrupted site accessibility and risked prolonged blacklisting by internet providers' security systems even after the attacks subsided. By weaponizing infected servers against other national resources, the attackers amplified the operational impact well beyond the initial denial of service.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 2 actors
Type: Available to members
Location: Available to members

Description

On February 18, 2021, Ukraine experienced distributed denial-of-service (DDoS) attacks targeting government websites, particularly within the defense and security sectors. The National Security and Defense Council of Ukraine (NSDC) attributed these attacks to threat actors operating from Russian networks, though it did not explicitly accuse the Russian government. The National Coordination Center for Cybersecurity (NCCC), operating under the NSDC, characterized the attacks as massive in scale and confirmed the attackers' IP addresses were geolocated to Russia. Investigations revealed a novel malware strain deployed on vulnerable Ukrainian government web servers, which covertly incorporated compromised devices into a botnet controlled by the attackers. This botnet was then repurposed to launch additional DDoS attacks against other Ukrainian online resources, amplifying the disruption. The NSDC emphasized that infected servers were weaponized to target additional domestic infrastructure, creating a cascading effect. Concurrently, the NCCC warned that internet service providers' security systems might erroneously blacklist victimized websites even after DDoS activity ceased, prolonging accessibility issues beyond the immediate attack window.


The cyberattacks occurred amid heightened tensions following Ukraine’s law enforcement actions against cybercriminals. Days prior to the DDoS campaign, Ukrainian authorities, collaborating with US and French police, arrested individuals allegedly linked to the Egregor ransomware operation. The Security Service of Ukraine (SBU) publicly announced these arrests on February 19. On February 20, the SBU’s official website became inaccessible due to a DDoS attack, with multiple security researchers suggesting the incident represented retaliation for the Egregor arrests. The NSDC did not formally confirm this motivation but documented the temporal proximity between the arrests and the cyberattacks. The malware’s deployment enabled persistent attacker control over compromised government infrastructure, facilitating sustained disruption. While the immediate operational impact centered on website availability, the incident underscored systemic vulnerabilities in Ukrainian government networks, particularly the exploitation of unsecured servers to propagate attacks. The NCCC’s public advisories highlighted concerns about collateral filtering by ISPs, indicating secondary operational consequences beyond direct attacker actions.

Sources

2 sources (available to members)