Russia-linked cyberattacks on Ukraine: A timeline

Today is Ukraine Independence day. It’s also the six-month anniversary of the official launch of Russia’s invasion into Ukraine, with no clear end to the aggression in sight. Despite the widespread fears of cyber war at the outset of the invasion, no highly damaging incidents such as crippling attacks on Ukraine’s power grid have yet occurred.

As our updated timeline shows, however, the invasion did begin on February 24 with a disturbing assault on Ukraine’s communications capabilities via an attack on satellite provider Viasat, attributed to Russia’s GRU intelligence arm. Since then, a spate of digital disruptions by Russia, and digital defenses by Ukraine and its allies, point to a steady drumbeat of mostly low-level but steady and robust cyber assaults.

Once the kinetic war against Ukraine ends, an accurate picture of cyber damage in Ukraine and surrounding areas will no doubt emerge. Victor Zhora, the deputy head of Ukraine’s State Service of Special Communications and Information Protection (SSCIP), has already declared Russia to be the perpetrator of “cyber war crimes” and is calling for prosecutions in the International Criminal Court (ICC).

[Editor’s note: This article, originally published on January 19, 2022, has been updated to reflect recent events.]

Timeline on Russia-linked cyber incidents

The following is a chronological timeline of this year’s developments related to the cyberattacks in Ukraine:

January 11:  U.S. releases cybersecurity advisory

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint Cybersecurity Advisory (CSA) providing an overview of Russian state-sponsored cyber operations including commonly observed tactics, techniques, and procedures. The advisory also provided detection actions, incident response guidance, and mitigations.

CISA also recommended that network defenders review CISA’s Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. The agencies seemingly released the CSA as part of an occasional series of joint cybersecurity advisories.

January 13 to 14: Ukrainian websites defaced

Following a breakdown of diplomatic talks between Russia and the West intended to forestall a threatened Russian invasion of Ukraine, hackers launched defacement attacks that brought down dozens of Ukrainian government websites, including the Ministry of Foreign Affairs, the Ministry of Education, and others. The hackers posted a message that said, “Be afraid and expect the worst.”

The message also warned Ukrainians, “All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered,” and raised historical grievances between Poland and Ukraine. Ukraine’s State Bureau of Investigations (SBI) press service said that no data were stolen in the attack.

Although Ukraine did not attribute the attacks to Russia definitively, the European Union’s chief diplomat Josep Borrell hinted that Russia was the culprit. Serhiy Demedyuk, deputy secretary of Ukraine’s national security and defense council, preliminarily pinned the attacks on a hacker group linked to Belarusian intelligence known as UNC1151. Belarus is a close ally of Russia.

The European Union condemned the attacks and said it stands “ready to provide additional, direct, technical assistance to Ukraine to remediate this attack and further support Ukraine against any destabilizing actions, including by further building up its resilience against hybrid and cyber threats.” NATO Secretary-General Jens Stoltenberg said that his cyber experts in Brussels were exchanging information with their Ukrainian counterparts on the malicious cyber activities and would sign an agreement on enhanced cyber cooperation.

January 14: Russia takes down REvil ransomware group

In what seemingly appeared to be a surprise demonstration of U.S.-Russian collaboration, Russia’s FSB domestic intelligence service said that it dismantled ransomware crime group REvil at the request of the United States in an operation that resulted in the arrest of the group’s members. The announcement was made even as the attacks on the Ukraine websites were underway.

A senior administration official stopped short of confirming that the arrests were made at the administration’s request. Instead, the official said they were the product of the “President’s commitment to diplomacy and the channel that he established and the work that has been underway in sharing information and discussing the need for Russia to take action.”

January 15: Microsoft reveals the discovery of malware on Ukrainian websites

Microsoft observed destructive malware disguised as ransomware in systems belonging to dozens of Ukrainian government agencies and organizations that work closely with the Ukrainian government. Microsoft didn’t specify which agencies and organizations were targeted but said they “provide critical executive branch or emergency response functions,” as well as an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced.

If activated by the attacker, the wiper malware would render the infected computer system inoperable. Microsoft’s Threat Intelligence Center (MSTIC) issued a technical post outlining the malware, saying that while designed to look like ransomware, it lacked a ransom recovery mechanism, was intended to be destructive, and was built to render targeted devices inoperable rather than to obtain a ransom.

MSTIC found no notable associations between the observed activity, tracked as DEV-0586, and other known activity groups. Microsoft has implemented protections to detect this malware family, known as WhisperGate, via Microsoft Defender Antivirus and Microsoft Defender for Endpoint.

January 16: Ukraine blames Russia for attack on Ukrainian websites

Ukraine’s Ministry of Digital Transformation said that all the evidence pointed to the fact that Russia is behind the defacement attacks on Ukraine’s government websites. “The latest cyberattack is one of the manifestations of Russia’s hybrid war against Ukraine, which has been going on since 2014,” the ministry said.

January 18: Data wiped at Ukrainian government agencies

According to the Ukrainian government and other individuals familiar with the incident, several Ukrainian government agencies had their data wiped in a cyberattack coordinated with defacement attacks against government agency websites. The Ukrainian government said that it believed Russia was responsible.

January 23: DHS issues bulletin for critical infrastructure operators

The U.S. Department of Homeland Security (DHS) sent an intelligence bulletin to critical infrastructure operators and state and local governments warning that Russia would consider conducting a cyberattack on the U.S. homeland if Moscow perceived that a U.S. or NATO response to a potential Russian invasion of Ukraine “threatened [Russia’s] long-term national security.”

February 14: Critical infrastructure in Odesa compromised

In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said that Odesa-based critical infrastructure was compromised by likely Russian actors.

February 15: Ukraine’s defense ministry hit by DDoS attack

Ukraine’s State Service of Special Communications and Information Protection of Ukraine (SSSCIP) confirmed that a distributed denial of service (DDoS) attack hit the websites of Ukraine’s defense ministry and armed forces and the websites of two Ukrainian banks.

February 15: Declassified intelligence reveals Russian presence in critical Ukrainian networks

Newly declassified intelligence showed that Russian government hackers likely penetrated Ukrainian military, energy, and other critical computer networks to collect intelligence and position themselves potentially to disrupt those systems should Russia launch a military assault on Ukraine.

February 16: U.S. agencies issue joint Cybersecurity Advisory

CISA, the FBI, and the NSA issued a joint Cybersecurity Advisory titled, “Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology.” CISA said compromised entities have included cleared defense contractors (CDCs) supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and Intelligence Community programs over the last two years.

February 17: Russian actors found present on critical infrastructure in Sumy.

In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said that suspected Russian actors were present on critical infrastructure networks in Sumy.

February 18: CISA releases guidance regarding the Russia-Ukraine conflict

In the face of ongoing Russia-Ukraine geopolitical tensions, CISA released a new CISA Insight, Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, which provides critical infrastructure owners and operators with guidance on how to identify and mitigate the risks of influence operations that use mis-, dis-, and mal-information (MDM) narratives. 

February 18: U.S. attributes February DDoS attack to Russia’s GRU

In an unprecedented development, the U.S. publicly attributed the February DDoS attacks against Ukraine’s defense ministry and significant banks to Russian GRU military intelligence officers. This attribution occurred only a few days following the attacks, which usually takes months or even years. The Biden administration’s deputy national security adviser for cyber and emerging technologies, Anne Neuberger, announced this attribution at a White House press briefing saying that the U.S. moved swiftly to “call out the behavior” in the hopes of averting an invasion of Ukraine.

February 22: FBI warns U.S. businesses of potential for ransomware attacks

In a phone call with private executives and state and local officials, senior FBI cyber official David Ring asked U.S. businesses and local governments to be mindful of the potential for ransomware attacks as the crisis between the Kremlin and Ukraine deepened.

February 23: New form of destructive malware discovered in Ukrainian networks

Researchers from ESET and Symantec report that a new form of destructive malware called HermeticWiper that can delete or corrupt data on a targeted computer or network has been seen spreading in Ukraine. Symantec also said that the wiper had been detected in Latvia, Lithuania, and Ukraine and that targets included financial organizations and government contractors.

February 23: Ukrainian banking and government websites hit by DDoS attack

A new, second round of DDoS attacks took down Ukrainian government and banking websites. Mykhailo Fedorov, Ukraine’s digital transformation minister, confirmed that a sizeable DDOS attack affected the stability of several government websites and some Ukrainian banks and websites related to Ukraine’s parliament.

February 24: President Biden warns of risks to U.S. businesses, critical infrastructure

President Biden said during remarks on Russia’s invasion of Ukraine that “If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond.” Biden added that “For months, we’ve been working closely with the private sector to harden our cyber defenses, sharpen our ability to respond to Russian cyberattacks as well.”

February 24: Russian websites, critical information infrastructure hit by cyberattacks

The Russian government’s National Computer Incident Response and Coordination Center warned of “the threat of an increase in the intensity of computer attacks on Russian information resources, including critical information infrastructure (CII).” The warning follows numerous reports of outages on official Russian government websites, including the website of the Kremlin itself.

February 24: Viasat cyberattack impacts broadband service in Ukraine, across Europe

One of the world’s largest commercial satellite companies, Viasat, was hit with a multifaceted and deliberate cyber-attack against its KA-SAT network that partially interrupted KA-SAT’s consumer-oriented satellite broadband service. The attack impacted several thousand customers in Ukraine and tens of thousands of other fixed broadband customers across Europe.

February 26: Ukrainian officials urge civilians to join the Ukraine IT Army

Ukrainian officials supported a campaign to attract civilian developers and hackers into what it called the IT Army of Ukraine. The “army” almost immediately signed up 184,000 users on its main Telegram channel.

February 28: Kyiv-based media company compromised

In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said that a threat actor compromised a Kyiv-based media company.

March 1: Kyiv media companies faced destructive attacks and data exfiltration

In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said that Kyiv-based media companies faced destructive attacks and data exfiltration.

March 2: Microsoft warns of continued wiper attacks

In a blog update, Microsoft warned that the group behind the HermeticWiper attacks in February was still active, implying that it had observed other attacks that were not disclosed.

March 2: Russian government posts lists of IP addresses and domains allegedly involved in DDoS attacks against Russian targets

Russia’s National Computer Incident Response & Coordination Center published a list of more than 17,500 IP addresses, and 174 internet domains it says are involved in ongoing distributed denial-of-service attacks on Russian domestic targets. The Center also issued recommendations on how to ward off DDoS attacks.

March 2: Russian group moved laterally on Ukrainian nuclear power company’s network.

In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said that a Russian group moved laterally on the network of a Ukrainian nuclear power company.

March 3: Ukraine accuses hackers of spreading false information

Ukraine’s State Service of Special Communication and Information Protection said that an undisclosed number of official websites of “regional authorities and local governments” had been hijacked and used to spread “lies” about a deal to end the fighting prompted by Russia’s invasion. Ukraine says the “enemy” was responsible for the information. Russia denied using hackers to go after its foes.

March 3: Hackers compromised Russian space institute

Hackers compromised a website connected to Russia’s Space Research Institute (IKI), which designs and builds scientific instruments for space experiments. The hackers, purportedly part of a wave of vigilante hackers that took up digital arms following Russia’s invasion of Ukraine, defaced a section of IKI’s website to post vulgar, anti-Russian messages.

March 4: Fancy Bear compromised government network in Vinnytsia

In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said the STRONTIUM threat group, also known as Fancy Bear or APT28, compromised a government network in Vinnytsia.

March 5: Ukraine says Russian cyberattacks are nonstop

Ukraine’s State Service of Special Communications and Information Protection (USSSCIP) said, “Russian hackers keep on attacking Ukrainian information resources nonstop.” The agency said that sites belonging to the presidency, parliament, the cabinet, the ministry of defense, and the ministry of internal affairs were among those hit by distributed denials of service (DDoS) attacks.

March 5: Anonymous claims FSB website take-down

The hacktivist collective Anonymous claims it took down the website of the Federal Security Service (FSB) of Russia. The group further claimed it took down 2,500 websites in Russia and Belarus in support of Ukraine.

March 6: Cybercom’s secret “cybermissions” revealed

Sources say that secret forces from the United States Cyber Command known as “cybermission teams” are in place across Eastern Europe to interfere with Russia’s digital attacks and communications. Although most elements of these teams are classified, it is clear that the cybermissions have tracked some familiar targets, including the activities of the G.R.U., Russia’s military intelligence operations, to neutralize them. Microsoft has helped in some of these activities.

March 7: Anonymous claims hack into Russian TV

The Anonymous group took responsibility for hacking into the Russian streaming services of state television channels, which the Russian authorities use for propaganda and fake news. The group claimed it hacked into the Russian streaming services Wink and Ivi (like Netflix) and live TV channels Russia 24, Channel One, and Moscow 24 to broadcast war footage from Ukraine.

March 7: Belarus conducts phishing attacks against Polish military, Ukrainian officials revealed

Google’s Threat Analysis Group said that Russia’s ally Belarus conducted widespread phishing attacks against members of the Polish military and Ukrainian officials. Google also warned hundreds of Ukrainian residents about government-backed hacking attempts in the past year, most of them from Russia.

March 8: Hacktivist crew uses phone bombing software to plead with Russian citizens

The hacktivist crew known as The International Legion Information Technology Battalion 300 (ILIT300) claimed to have phone bombing software created by Ukrainian hacktivists to send out pleas to Russian citizens in the hopes that they would speak out against the conflict in Ukraine. The ILIT300 dubbed their operation #OpPhoneKiss. Nataliya Vasilyeva, a Telegraph Moscow correspondent, confirmed she received one of the phone calls.

March 8: Russian government websites compromised through stats widget

The Russian Ministry of Economic Development press service said some of Russia’s federal agencies’ websites were compromised in a supply chain attack after unknown attackers hacked the stats widget used to track the number of visitors by multiple government agencies. The hackers were able to publish incorrect content on the pages of the websites.

March 9: Cybercriminals exploit Ukrainian sympathizers

Researchers at Cisco Talos say opportunistic cybercriminals are trying to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools initially advertised. One threat actor offered a DDoS attack tool for use against Russians. Instead, he delivered an information stealer that infected the unwitting victim with malware designed to dump credentials and cryptocurrency-related information.

March 11: Attacks on Russian sites escalated in March

Rostelecom-Solar, the cybersecurity arm of telecom company Rostelecom, the largest digital services provider in Russia, said efforts to disrupt the operations of company websites in Russia jumped in March, with the number of distributed denials of service (DDoS) attacks already exceeding by mid-March those for the whole of February. Russian government entities and state-owned companies were targeted, with the websites of the Kremlin, flagship carrier Aeroflot and major lender Sberbank among those who experienced outages or temporary access issues.

March 11: Dnipro government agency targeted with destructive implant

In its first special report on cyber activity in Ukraine, published on April 27, Microsoft said that a Dnipro government agency was targeted with a destructive implant.

March 15: Ukraine Secret Service detains “hacker” helping Russian troops route phone calls

The Security Service of Ukraine (SSU) said it detained a “hacker” who was providing technical assistance to Russian troops in Ukraine by routing phone calls on their behalf. The hacker also sent text messages to Ukrainian security forces suggesting they surrender.

March 15: Feds warn of Russian state actors exploiting MFA, PrintNightmare flaws

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through the exploitation of default multi-factor authentication (MFA) protocols and a critical Windows Print Spooler vulnerability called PrintNightmare to run arbitrary code with system privileges.

March 18: Developer sabotages own code to wipe computers in Russia, Belarus

RIAEvangelist, the maintainer of a popular open-source software called node-ipc, faced criticism for deliberately sabotaging their own code to wipe data on computers that used the program in Russia and Belarus. The altered versions of the software deleted all data, overwrote all files on developer’s machines, and created new text files with “peace” messages.

March 21: Feds reiterate warning of potential malicious Russian cyber activity

In a statement from the White House, President Biden reiterated that “Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners.” He also urged “private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year.” White House cyber advisor Anne Neuberger also appeared at a press briefing to urge “companies to take the steps within your control to act immediately to protect the services millions of Americans rely on and to use the resources the federal government makes available.

March 21: Russia’s top bank warns of malware-laden protestware

Sberbank, Russia’s largest bank, warned its users to stop updating software due to the threat of “protestware,” open-source projects whose authors altered their code in opposition to Moscow’s invasion of Ukraine. Although most of the protestware simply conveys antiwar messages, one project contained malicious code to wipe computers in Russia and Belarus.

March 24: U.S. intel analysts say Russia was behind Viasat cyberattack

U.S. intelligence analysts concluded that Russian military spy hackers were behind the cyberattack on Viasat’s satellite broadband service that disrupted Ukraine’s military communications at the start of the war last month. However, the U.S. government did not formally or publicly attribute that attack to Russia.

March 25: U.S., UK charge four Russian officials with critical infrastructure hacking

The U.S. Justice Department and British Foreign Office charged four Russian officials with the malicious hacking of critical infrastructure around the globe, including the U.S. energy and aviation sectors, between 2012 and 2018. One of the officials charged was an employee at a Russian military research institute accused of working with co-conspirators in 2017 to hack a foreign refinery’s systems and install malicious software. The British Foreign Office suggested that the timing of the charges was directly related to Russian President Vladimir Putin’s “unprovoked and illegal war in Ukraine.”

March 27: Top Ukrainian broadband provider knocked out in cyberattack

Top terrestrial Ukrainian internet and telephone service provider Ukrtelecom was hit by  a massive cyberattack that knocked out its services for hours. Russia denies any involvement in the attack.

March 29: Russia accuses U.S. of malicious attacks

In what some see as an omen that Russia plans to ramp up its malicious cyber activity, the Russian foreign ministry accused the United States of leading a massive “cyber aggression” campaign behind hundreds of thousands of malicious attacks a day while Russia has troops in Ukraine. The foreign ministry said it believed Ukraine’s government, which in February announced the formation of an “IT army,” was involved and had launched an “offensive cyber force.”

March 30: Viasat official says cyberattacks are ongoing

Viasat said that the multifaceted cyberattack that struck its KA-SAT network resulted in a partial interruption of KA-SAT’s consumer-oriented satellite broadband service, crippling tens of thousands of modems. One Viasat official said that the attacks are ongoing with repeated attempts by the attacker to test the new defenses the company has raised.

March 30: Nation-state threat actors are exploiting Ukraine invasion in malicious campaigns

Google’s Threat Analysis Group said that as part of its efforts to track malicious cyber activity related to Russia’s invasion of Ukraine, it had observed government-backed actors from China, Iran, North Korea, and Russia, and various unattributed groups, using Ukraine war-related themes to get targets to open malicious emails or click malicious links. In addition, financially motivated and criminal actors are also using current events to target users.

April 1: CaddyWiper used against Ukrainian government entity

ESET reports that CaddyWiper malware was deployed against a Ukrainian governmental entity on April 1.

April 5: CERT-UA says Armageddon threat group targeted organizations with espionage-related malware.

The Computer Emergency Response Team of Ukraine (CERT-UA) spotted new phishing attempts attributed to the Russian threat group tracked as Armageddon (Gamaredon) that tried to trick victims with lures related to the war to install espionage-focused malware. One attempt targeted Ukrainian organizations, and the other focused on government agencies in the European Union.

April 6: U.S. admits secretly removing malware to thwart Russians

U.S. Attorney General Merrick B. Garland said that armed with secret court orders, the United States secretly removed malware from computer networks around the world, a step to pre-empt Russian cyberattacks and send a message to President Putin of Russia. Although it was unclear what the malware was intended to do, it enabled the Russians to create “botnets” controlled by the G.R.U., the intelligence arm of the Russian military.

April 7: Meta reveals Ghostwriter hacking group campaign

Facebook parent Meta released an adversarial threat report about a hacking group known as “Ghostwriter,” which experts believe is linked to Belarus. The campaign targeted Ukrainian soldiers and civilians, including posing as journalists and independent news outlets online to push Russian talking points and seeking to hack the soldiers’ accounts. Meta said it had removed a network of about 200 accounts operated from Russia that repeatedly filed false reports about people in Ukraine and Russia to get them and their posts removed from the platform

April 12:  CERT-UA reveals Industroyer2 attack on energy facility

The Government Computer Emergency Response Team of Ukraine CERT-UA responded to an attack on an energy facility in Ukraine that used a new variant of Industroyer malware called Industroyer2, attributed to the Russian state threat group Sandworm. The attack also used several other destructive malware weapons, including CaddyWiper, ORCSHRED, SOLOSHRED, and AWFULSHRED.

April 19: Sandworm launches destructive attack on Lviv-based logistics provider

In its second report on Ukrainian cyberattacks published on June 22, Microsoft said that the Russian state-based threat group Iridium, also known as Sandworm, launched a destructive attack on a Lviv-based logistics provider.

April 29: Sandworm conducted reconnaissance against Lviv transportation sector network

In its second report on Ukrainian cyberattacks published on June 22, Microsoft said that the Russian state-based threat group Iridium, also known as Sandworm, conducted reconnaissance against a transportation sector network in Lviv.

May 10: U.S. and Western allies attribute Viasat attack to Russia

The United States and European nations officially attributed the blame for the February 24 attack on satellite provider Viasat, which crippled Ukrainian communications at the outset of Russia’s invasion, to Russia. U.S. officials attributed the attack specifically to the Russian intelligence agency GRU.

May 20: EU condemns Viasat attack

The European Union and its Member States, together with its international partners, issued a statement saying they strongly condemn the malicious cyber activity conducted by the Russian Federation against Ukraine, which targeted the satellite KA-SAT network, owned by Viasat.

May 30: Russians rerouted multiple Ukrainian ISPs’ internet traffic

Russians rerouted internet traffic in the city of Kherson in south Ukraine from KhersonTelecom, known locally as SkyNet, to a Russian provider. According to senior Ukrainian officials and technical analysis, multiple Ukrainian ISPs were forced to switch their services to Russian providers and expose their customers to the country’s surveillance and censorship network.

June 15: U.S. boosts funding to VPN companies to meet rising demand in Russia

Sources said that a U.S. government-funded nonprofit organization, the Open Technology Fund (OTF), gave three VPN companies, nthLink, Psiphon, and Lantern, at least $4.8 million in U.S. funding between 2015 and 2021, an amount that increased by over half after the Ukraine invasion to cope with the rise in demand in Russia.

June 22: Microsoft shares intelligence report on early lessons on cyber war in Ukraine

Microsoft published an intelligence report that offers insights on the early lessons regarding cyber incidents in Ukraine and new details about the sophisticated and widespread Russian foreign influence operations surrounding the war.

June 27: Russian group Killnet claims credit for attacks on Lithuanian websites

Lithuania reported that an “intense, ongoing” cyberattack hit the websites of government agencies and private firms in the country, some of which were aimed at Lithuania’s Secure Data Transfer Network, a communications network for government officials that is built to withstand war and other crises, according to the defense ministry. The Russian-speaking hacking group Killnet claimed responsibility for at least some of the hacks, saying they were in retaliation for Lithuania blocking the shipment of some goods to the Russian enclave of Kaliningrad, which is wedged between Lithuania and Poland.

July 19: Google says Turla tried to trick hacktivists into using a fake app

Google researchers reported that a Russian government hacking group called Turla, also known as Snake, Krypton, and Venomous Bear, tried to trick a loose collective of technologists and hacktivists operating under the name Ukrainian IT Army into using a malicious Android app called CyberAzov, which was a fake app to launch Distributed Denial of Service (DDoS) attacks against Russian sites.

July 20: Cybercom posts indicators of malware

In close coordination with the Security Service of Ukraine (SSU), U.S. Cybercom posted 20 indicators of malware compromise that the SSU discovered.

July 22: Ukrainian radio station hacked to relay a false message about Zelensky’s health 

A Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) spokesperson said that cybercriminals attacked Ukrainian radio station TAVR Media to spread a false message that Ukrainian President Volodymyr Zelensky was in critical condition and under intensive care.

July 27: CISA and Ukraine sign memo of cooperation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Ukrainian State Service of Special Communications and Information Protection of Ukraine (SSSCIP) signed a Memorandum of Cooperation (MOC) to strengthen collaboration on shared cybersecurity priorities.

July 31: SSSCIP says cyberattacks are increasing

The State Service of Special Communications and Information Protectorate of Ukraine (SSSCIP) released its July War in Ukraine, Pulse on Cyber Defense Report showing increased cyberattacks on public authorities and financial institutions. The report states there were 203 cyberattacks carried out during July.

August 2: Ukraine announces bot farm dismantling

Ukraine’s secret service announced it had dismantled an organized group that created a vast bot farm aiming to discredit the leadership and destabilize Ukraine’s social and political situation. The propaganda potential of this bot farm was also used by Russian special services spreading fake news about the situation on the front and carrying out subversive information operations.

August 17: Russian-based hackers launch DDoS attack on nuclear power company website

Ukraine’s state nuclear power company Energoatom said that Russian-based hackers called “narodnaya kiberarmya,” or “popular cyber army,” unleashed an hours-long DDoS attack on its website but said significant problems had been avoided. Energoatom said the Russian group used “7.25 million bot users who simulated hundreds of million views of the company’s homepage for three hours.”

August 19: Estonia withstands high-intensity cyberattack

Estonia said it successfully withstood a high-intensity but short cyberattack launched by Russia-aligned hackers Killnet, who attempted to take down the websites of government offices, banks, and healthcare providers in the Baltic nation.

August 22: Ukraine and Poland sign memo on cooperation

The Ukrainian Ministry of Digital Transformation said that Ukraine and Poland signed a memorandum of understanding on cooperation in cybersecurity.