Cyber Incident Victim: Defence ministry and other institutions in Ukraine
Date: Feb 2022
Location: Ukraine
Summary
Ukrainian military agencies and state-owned banks experienced disruptive DDoS attacks, causing website outages and preventing access to online banking services. The incidents led to widespread service interruptions, including payment processing failures, mobile app malfunctions, and erroneous balance displays for customers. False text messages circulated claiming ATM outages as part of an information attack. Defensive measures included geofencing rules to block foreign IP traffic. Authorities attributed the coordinated cyber operations to hybrid warfare tactics aimed at undermining public confidence, with prior intelligence linking similar activities to threat actors associated with hostile foreign security services.
Description
On February 15, 2022, multiple Ukrainian government and financial institutions experienced coordinated Distributed Denial-of-Service (DDoS) attacks. The Ministry of Defense and the Armed Forces of Ukraine reported excessive requests per second overwhelming their systems, leading to the defense ministry's website being taken offline. Concurrently, Ukraine's two largest state-owned banks, Privatbank and Oschadbank, faced service disruptions affecting online banking access. Customers could not log into accounts, experienced payment processing failures, encountered mobile app malfunctions, and saw incorrect balance or transaction displays. Ukraine's State Service for Special Communication and Information Protection confirmed these as part of a "powerful DDOS attack" targeting national information resources starting that afternoon. Privatbank implemented a web application firewall rule geofencing non-Ukrainian IP addresses, displaying a "BUSTED! PRIVATBANK WAF is watching you" message while restricting foreign access to site contents.

The Security Service of Ukraine (SSU) characterized these events as components of an ongoing "massive wave of hybrid warfare" intended to induce public anxiety and erode confidence in state institutions. Cyberpolice addressed coordinated SMS disinformation campaigns falsely claiming ATM outages, clarifying these messages constituted an information attack. SSU reported prior neutralization of related threats, including dismantled bot farms distributing bomb threats and panic-inducing fake news attributed to hostile intelligence agencies. Ukraine's Computer Emergency Response Team (CERT-UA) linked the activity to Gamaredon, a hacking group associated by Ukrainian authorities with Russia's Federal Security Service (FSB). Microsoft had previously documented Gamaredon's persistent spear-phishing campaigns against Ukrainian entities since October 2021. While Oschadbank and Privatbank maintained partial website accessibility during the attacks, core banking functions remained impaired for users, with defense sector websites suffering prolonged outages due to volumetric traffic attacks.
