Cyber Incident Victim: Armed Forces of Ukraine
Date: Feb 2022
Location: Ukraine
Summary
Ukrainian military agencies and state-owned banks experienced significant disruptions due to distributed denial-of-service (DDoS) attacks, causing website outages and preventing access to online banking services. The incidents led to login failures, payment processing issues, mobile application malfunctions, and erroneous transaction displays for customers, while coordinated text messages falsely claimed ATM outages to amplify confusion. Authorities attributed the attacks to a hybrid warfare campaign aimed at undermining public confidence, linking the activity to the Gamaredon threat group associated with Russian intelligence services. Defensive measures included geofencing bank web traffic and dismantling bot farms spreading disinformation.
Description
On February 15, 2022, Ukrainian military agencies and state-owned financial institutions experienced coordinated cyberattacks. The Ministry of Defense and the Armed Forces of Ukraine suffered Distributed Denial-of-Service (DDoS) attacks that overwhelmed their websites with excessive requests per second, forcing the Ministry of Defense’s site offline. Simultaneously, Privatbank (Ukraine’s largest bank) and Oschadbank (State Savings Bank) faced service disruptions affecting online banking access, payment processing, and mobile applications. Customers reported inability to log into Privat24 internet banking accounts, incorrect balance displays, and transaction discrepancies. Ukraine’s State Service for Special Communication and Information Protection confirmed these as components of a “powerful DDOS attack” targeting national information resources starting that afternoon. Concurrently, bank customers received fraudulent SMS messages falsely claiming ATM outages, which Ukraine’s Cyberpolice identified as part of a disinformation campaign designed to amplify public anxiety. Privatbank implemented immediate countermeasures by updating its web application firewall with geofencing rules, blocking non-Ukrainian IP addresses and displaying a “BUSTED! PRIVATBANK WAF is watching you” message to foreign traffic.

The incident occurred amid heightened warnings from Ukrainian security agencies about coordinated hybrid warfare operations. One day prior, the Security Service of Ukraine (SSU) disclosed ongoing efforts to counteract hostile intelligence operations involving bot farms disseminating fake bomb threats and false narratives to erode public confidence. Ukraine’s Computer Emergency Response Team (CERT-UA) had previously attributed similar cyber activities to the Gamaredon threat group, which Ukrainian intelligence services linked to Russia’s Federal Security Service (FSB). Microsoft corroborated this attribution in February 2022, reporting Gamaredon’s persistent spear-phishing campaigns against Ukrainian entities since October 2021. While Oschadbank and Privatbank maintained website accessibility during the DDoS attacks, functional limitations persisted for online banking services. The Ukrainian Center for Strategic Communications documented widespread user complaints regarding transactional failures and application instability, reflecting the attack’s operational impact on civilian financial activities. Ukrainian authorities characterized these events as elements of a broader strategy combining cyber disruption with psychological operations.
