Cyber Incident Victim: State Border Guard Service of Ukraine
Date: Feb 2022
Location: Ukraine
Summary
A Ukrainian border control station experienced a destructive wiper cyberattack that disrupted computer systems and severely slowed refugee processing at the Siret crossing into Romania. The malware, identified as similar to the "HermeticWiper" previously deployed against government ministries and critical infrastructure, forced authorities to rely on manual documentation methods, exacerbating delays for fleeing civilians who were already subject to verification of mandatory male conscription status. The attack exclusively impacted Ukrainian border systems, leaving Romanian stations operational, but created multi-day waits for evacuees. A cybersecurity expert present at the border confirmed the malware's role in paralyzing digital operations and attempted to secure a sample for analysis by European Union response teams. The incident highlighted the immediate real-world consequences of cyber warfare on civilian evacuations during conflict.
Description
On February 26, 2022, a data-wiping cyberattack targeted Ukrainian border control systems at the Siret crossing into Romania, significantly disrupting refugee processing operations. The attack occurred around 6:00 AM Ukraine time, as reported by cybersecurity expert Chris Kubecka, who witnessed the aftermath while evacuating from Ukraine. Ukrainian border agents confirmed the malware matched the "HermeticWiper" strain previously deployed against Ukrainian defense, financial, aviation, and IT infrastructure days before Russia's invasion. The wiper malware rendered computer systems inoperable, forcing border personnel to process documentation manually using pencil and paper. This degradation caused extensive delays, with refugees waiting up to 28 hours to cross – Kubecka's own busload required a full day's wait before clearance. The attack exclusively affected Ukrainian border infrastructure, leaving Romanian systems operational.

The operational paralysis hindered Ukraine's enforcement of mandatory military service requirements for males aged 18-60 attempting to leave the country. Border guards explicitly cited the cyberattack as the primary obstacle, stating they "cannot process anything" digitally. Kubecka, leveraging her cybersecurity background from prior incidents like the 2012 Saudi Aramco breach, engaged Ukrainian authorities to gather technical details. She attempted to secure a malware sample for analysis by CERT-EU and other European Union entities, though logistical challenges delayed physical transfer from the border zone. The incident occurred amidst mass displacement, with over 368,000 refugees having fled Ukraine within the first four days of the invasion. Ukrainian cybersecurity agencies, including the State Border Guard Service and Security Service, had not publicly confirmed system restoration timelines when last documented.
