Cyber Incident Victim: Central Election Commission of Ukraine
Date: Jan 2019
Location: Ukraine
Summary
Hackers suspected of Russian affiliation intensified cyber operations targeting Ukraine's electoral infrastructure and personnel computers ahead of presidential elections, employing phishing campaigns disguised as greeting cards, software updates, and shopping invitations to steal credentials. Attackers additionally purchased election officials' personal data via cryptocurrency on the dark web, utilizing wallets linked to prior campaigns against critical energy, transport, and financial systems. While no electoral system breaches were confirmed, authorities anticipated escalated attacks closer to voting periods, focusing on regional commission offices and critical infrastructure vulnerabilities. The activity mirrored historical cyber assaults, including the NotPetya malware incident, amid ongoing accusations of state-sponsored interference denied by Russia.
Description
In early 2019, approximately ten weeks before Ukraine’s March presidential election, Ukrainian cyber police reported intensified cyber operations targeting electoral infrastructure and personnel. According to Serhiy Demedyuk, head of Ukraine’s cyber police, attackers employed phishing campaigns distributing malware through deceptive emails posing as New Year’s greetings, shopping invitations, software updates, and official government communications. These emails aimed to compromise election officials’ personal computers, steal credentials, and harvest sensitive information. Concurrently, hackers purchased personal details of election commission staff—particularly those maintaining electoral equipment—on dark web markets using cryptocurrency transactions. Demedyuk attributed these activities to Russian-controlled hacker organizations, citing forensic links between cryptocurrency wallets used in these purchases and those financing prior cyberattacks against Ukrainian energy, transport, and financial systems dating back to 2014. The tactics mirrored methods observed during the 2017 NotPetya global malware outbreak, which originated in Ukraine and caused widespread disruption to international businesses and critical infrastructure. Ukrainian authorities noted no successful intrusions into core electoral systems at this stage but described the volume of phishing attempts as “overwhelming,” with attackers targeting both officials and their relatives to establish unauthorized access to devices.

The incident occurred amid heightened geopolitical tensions following Russia’s 2014 annexation of Crimea and Ukraine’s imposition of martial law in November 2018 after a naval confrontation in the Kerch Strait. Ukrainian President Petro Poroshenko publicly warned that Russia had developed an extensive toolkit for election interference, a claim supported by cyber police observations of escalating preparatory activities. Authorities anticipated more severe cyberattacks approximately one month before the election, coinciding with the activation of regional election commission offices. Concerns extended beyond electoral systems to critical national infrastructure, with cyber police warning that malware deployed via phishing could create backdoors in energy and banking networks for future coordinated attacks. While defensive measures were not detailed in public statements, monitoring of dark web transactions and phishing campaigns formed part of the response. The Kremlin consistently denied involvement, with spokesperson Dmitry Peskov stating Russian agencies do not interfere in other nations’ internal affairs. Ukrainian officials maintained that the operational patterns and financial linkages indicated continuity with previous Russian-sponsored cyber campaigns targeting the state.
