
Cyber Incident Victim: Ministry of Defence of Ukraine

Date: Jan 2022

Location: Ukraine

Summary

Multiple Ukrainian government websites, including the Ministry of Security and Defense, were compromised and defaced through exploitation of a critical vulnerability in an outdated content management system, leading to false claims of data breaches. Attackers posted multilingual messages alleging citizen data theft, though authorities confirmed no personal information was compromised and attributed the incident to a known authentication flaw. The defacements, displaying grammatical inconsistencies, occurred amid heightened regional tensions, with researchers suspecting involvement by a Belarus-linked threat group. Concurrently, Polish military databases were breached in a potentially related campaign, while Ukrainian cyber-police addressed a separate ransomware operation but did not publicly attribute the website attacks. Restoration efforts were ongoing as officials investigated the incidents.


Description

On January 14, 2022, multiple Ukrainian government websites were compromised and defaced, including those of the Ministry of Foreign Affairs, Ministry of Agriculture, Ministry of Education and Science, Ministry of Security and Defense, and the Cabinet of Ministers' online portal. At least 15 public institution sites were affected, with attackers replacing content with messages in Ukrainian, Russian, and Polish falsely claiming that all citizen data uploaded to Ukraine's public networks had been compromised. The defacement prompted Ukrainian authorities to take the targeted websites offline while IT specialists worked to restore services, with some remaining inaccessible during recovery operations. Ukrainian cyber-police swiftly investigated and publicly confirmed that no actual compromise of personal data had occurred, clarifying that the warnings constituted disinformation designed to cause public alarm. Initial forensic analysis revealed the attackers exploited CVE-2021-32648, a critical authentication bypass vulnerability in outdated versions of October CMS that enabled unauthorized password resets and system access.


The incident's scope extended beyond Ukraine when Poland's Ministry of National Defense reported a potential compromise of its military databases, suggesting possible connections to the same campaign. Linguistic analysis of the defacement messages noted grammatical inconsistencies indicative of machine translation tools such as Yandex Translator, fueling suspicions of Russian involvement, though no definitive attribution was established. Ukrainian investigators publicly referenced the GhostWriter advanced persistent threat group, historically associated with Belarusian interests, as potential suspects while emphasizing that forensic work remained ongoing. Concurrently, Ukrainian law enforcement arrested members of a ransomware operation in an unrelated case, underscoring the broader cybersecurity challenges facing the nation amid escalating tensions with Russia. Restoration efforts prioritized bringing critical government portals back online while authorities maintained public assurances regarding data integrity throughout the remediation process.
