Cyber Incident Victim: Numerous Ukraine sites, including the Ministry of Foreign Affairs, Ministry of Internal Affairs
Date: Feb 2022
Location: Ukraine
Summary
Cyberattacks targeted Ukrainian government entities, including the Ministries of Foreign Affairs and Internal Affairs, involving distributed denial-of-service (DDoS) disruptions and phishing campaigns by state-linked threat groups. Russian-associated FancyBear focused on a Ukrainian media company, while Belarus-aligned Ghostwriter attacked Polish and Ukrainian military and government accounts, alongside webmail users. Google's Threat Analysis Group reported blocking Ghostwriter's phishing domains and expanded Project Shield protections to mitigate DDoS attacks, safeguarding over 150 Ukrainian websites, including critical government services and news organizations. Chinese group Mustang Panda also shifted operations to target European entities with malicious payloads during this period.
Description
In the weeks following Russia's military invasion of Ukraine beginning February 24, 2022, Google's Threat Analysis Group (TAG) observed a significant escalation in cyber operations targeting Ukrainian entities. State-backed threat actors conducted coordinated campaigns, including phishing and distributed denial-of-service (DDoS) attacks. FancyBear, a group attributed to Russian military intelligence (GRU), executed phishing campaigns against UkrNet, a major Ukrainian media company. Concurrently, Ghostwriter—a group previously linked by Ukrainian officials to Belarus's Ministry of Defence—targeted Polish and Ukrainian government and military personnel, along with users of UkrNet webmail and Yandex email services. Separately, the Chinese-affiliated Mustang Panda group shifted its focus from Southeast Asian targets to European entities, distributing malicious attachments containing downloaders designed to retrieve payloads. DDoS attacks disrupted multiple Ukrainian government websites, including the Ministry of Foreign Affairs and Ministry of Internal Affairs, threatening critical information access during the conflict.

Google responded by activating defensive measures, including blocking Ghostwriter's phishing domains through its Safe Browsing service. It expanded eligibility for Project Shield, a free anti-DDoS protection service, to safeguard Ukrainian government sites, embassies, and neighboring governments' digital assets. This initiative enabled over 150 Ukrainian websites—particularly news organizations and government portals—to maintain online availability amid sustained attacks. TAG also issued hundreds of government-backed hacking warnings to Ukrainian users over the preceding year, with heightened alerts during the invasion period. These actions aimed to preserve access to essential services and public information while mitigating disruptions caused by the multi-faceted offensive campaigns.
