Cyber Incident Victim: Government of Ukraine

Date:

Mar 2022

Location:

Ukraine

Summary

A deepfake video impersonating Ukraine's president urging troops to surrender was disseminated via compromised news websites and social media platforms before being removed for policy violations. Concurrently, Russian-aligned threat actors conducted coordinated cyber operations including destructive malware attacks targeting government, energy, IT, and media sectors, alongside spear-phishing campaigns against military personnel. These activities aligned with kinetic military strikes on critical infrastructure and information warfare objectives to disrupt services, spread disinformation, and undermine public trust. Multiple advanced persistent threat groups deployed wiper malware variants like HermeticWiper and Industroyer2 to destroy data across hundreds of systems, while compromising IT supply chains and critical infrastructure networks to enable further destructive actions during the conflict.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 4 techniques
Threat Actors: 7 actors
Type: Available to members
Location: Available to members

Description

On March 16, 2022, Facebook removed a deepfake video depicting Ukrainian President Volodymyr Zelenskyy falsely urging Ukrainian troops to surrender. The video initially appeared on the compromised website of Ukraine 24 following a breach on March 15-16, subsequently spreading to other hacked news platforms like Segodnya before proliferating across social media. Meta’s security team identified and removed the content for violating manipulated media policies, notifying other platforms to limit its dissemination. President Zelenskyy responded with a video message refuting the deepfake, redirecting surrender appeals toward Russian forces instead. The Ukrainian Stratcom Centre had warned two weeks prior about anticipated Russian deepfake campaigns designed to sow panic, erode public trust, and demoralize troops. This incident coincided with Facebook’s takedown of accounts linked to the Belarusian-aligned Ghostwriter group, which had targeted Ukrainian officials with phishing campaigns to spread fabricated videos of surrendering soldiers. Concurrently, Ukraine’s CERT-UA documented spear-phishing attacks against military personnel’s private email accounts, aligning with broader warnings from the Security Service of Ukraine (SSU) about hybrid warfare tactics preceding Russia’s invasion.

Microsoft’s April 2022 special report contextualized this deepfake within Russia’s sustained cyber campaign, noting destructive attacks and espionage operations by at least six Russian APT groups. During Week 3 of the invasion (March 10-16), suspected Russian actors escalated intrusions against critical infrastructure and information systems. IRIDIUM (GRU-linked) deployed FoxBlade, DesertBlade, and SonicVote malware for data destruction, while other groups like BROMINE exfiltrated data from a nuclear safety organization compromised since December 2021. These cyber operations paralleled kinetic strikes, including Russia’s March 11 missile attacks on Dnipro government buildings and March 16 rocket strikes on Vinnytsia’s TV tower—a pattern suggesting coordinated efforts to disrupt governance, public information access, and civilian morale. Microsoft observed 237 Russian cyber operations against Ukraine from December 2021 through April 2022, with 40 destructive incidents targeting energy, IT, media, and government sectors. The March 10-16 period also saw phishing campaigns by STRONTIUM and DEV-0257 (Ghostwriter) against military and regional government accounts, alongside IRIDIUM’s intrusion into an agricultural firm—likely targeting Ukraine’s grain export economy. Ukrainian defenders, aided by Microsoft’s Threat Intelligence Center (MSTIC), implemented countermeasures like Controlled Folder Access to mitigate wiper malware impacts, while authorities dismantled bot farms spreading Russian disinformation. The deepfake incident exemplified Russia’s broader information warfare strategy, defined by its military doctrine as undermining political and social systems through psychological manipulation and critical infrastructure degradation.

Sources

2 sources (available to members)