Cyber Incident Victim: TAVR Media
Date:
Jul 2022
Location:
Ukraine
Summary
A cyberattack compromised a Ukrainian media group's servers and broadcasting systems, enabling hackers to disseminate false reports claiming the country's president was critically ill and hospitalized. The breach affected multiple major radio stations, with fabricated announcements suggesting parliamentary leadership had assumed temporary control. The targeted organization and government agencies promptly refuted the claims, emphasizing the president's good health through official statements and a verified video address. The incident coincided with broader disinformation efforts involving manipulated media, including an earlier deepfake video falsely depicting the president urging military surrender. Authorities attributed these coordinated campaigns to Russian-aligned threat actors exploiting compromised infrastructure to undermine public confidence during ongoing conflict.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On July 20, 2022, Ukrainian media group TAVR Media suffered a cyberattack compromising its servers and broadcasting systems, enabling threat actors to disseminate fabricated news across its network of nine major radio stations, including Hit FM, Radio ROKS, KISS FM, Radio RELAX, Melody FM, Nashe Radio, Radio JAZZ, Classic Radio, and Radio Bayraktar. The attackers manipulated broadcast infrastructure to falsely announce that Ukrainian President Volodymyr Zelenskiy was in critical condition and under intensive care, with Parliament Chairman Ruslan Stefanchuk allegedly assuming presidential duties. TAVR Media confirmed the breach in an official statement on July 22, explicitly denying the validity of the health claims about Zelenskiy. The State Service of Special Communications and Information Protection of Ukraine (SSCIP) corroborated the incident, attributing the disruption to unauthorized access to media servers. President Zelenskiy directly countered the false reports through a video posted to his Instagram account, appearing in his office to affirm his well-being and dismissing the narrative as Russian-orchestrated disinformation. He emphasized the unity of Ukrainians against such tactics, stating, "I have never felt as good as now," while mocking the attackers' reliance on fabricated narratives targeting his leadership.
The radio network breach coincided with broader disinformation efforts involving deepfake technology. Earlier in the week, on July 20, a separate cyber intrusion compromised the website of Ukraine 24, where attackers uploaded a poorly generated deepfake video falsely depicting Zelenskiy urging Ukrainian troops to surrender. This altered footage circulated across additional compromised Ukrainian news platforms before being removed by Facebook for violating misinformation policies. Zelenskiy responded by releasing another authentic video refuting the deepfake’s claims and reversing its message, demanding Russian forces lay down their weapons and leave Ukraine. The Ukrainian Stratcom Centre had previously warned in March 2022 about Russia’s potential use of sophisticated deepfakes to undermine public trust, though the Zelenskiy surrender video exhibited noticeable technical flaws. These parallel incidents—the radio broadcast manipulation and the deepfake video distribution—demonstrated a coordinated strategy to erode confidence in Ukrainian leadership during active conflict. Official responses included technical containment by TAVR Media and SSCIP, public rebuttals by Zelenskiy, and platform-level content moderation by social media entities to limit the reach of falsified material.