Cyberattacks and misinformation activity against Ukraine continue, say security researchers

Malware and fake news continue, says Mandiant.
Written by Charlie Osborne, Contributing Writer

The cyber offensive against Ukraine continues with malware attacks and the spread of misinformation, according to security researchers.

So far, Russian, pro-Russian, and Belarusian cyberattackers have employed the most comprehensive array of methods to achieve "tactical and strategic objectives, directly linked to the conflict itself," according to research by security company Mandiant. 

However, the impact may be felt more broadly as hackers working for other countries, including China and Iran, are attempting to push their agendas forward. 

"While these operations have presented an outsized threat to Ukraine, they have also threatened the US and other Western countries," the Mandiant researchers say. "As a result, we anticipate that such operations, including those involving cyber threat activity and potentially other disruptive and destructive attacks, will continue as the conflict progresses."

In January, even before Russia's invasion of Ukraine started, the country and its government's websites were subject to defacement and tampering, with Russian hackers accused of being behind the attack.

Russia invaded on February 24. A day prior, Ukraine's State Service of Special Communications and Information Protection said the websites of the Ministry of Foreign Affairs, Ministry of Defense, Security Service, and various banks, among others, experienced outages due to a distributed denial-of-service (DDoS) attack. 

The cyber offensives have continued since then. 

"Concerted information operations have proliferated, ranging from cyber-enabled information operations, including those that coincided with disruptive and destructive cyber threat activity, to campaigns leveraging coordinated and inauthentic networks of accounts to promote fabricated content and desired narratives across various social media platforms, websites, and forums," the Mandiant researchers say. 

When it comes to Russia, the researchers say that most current activity is "disruptive and destructive" and includes the deployment of wiper malware. 

ESET has documented strains, including CaddyWiper, used in targeted, limited campaigns. Some wiper variants have been detected on networks belonging to Ukrainian organizations. 

Another version of wiper malware, dubbed Junkmail, was executed on a network belonging to a Ukrainian organization a few hours before Zelenskyy delivered a speech to the US Congress.

But malware is not the only activity of concern. In March, hackers known as Secondary Infektion launched and spread, through the Ukraine 24 website, a fake message claiming that Ukraine had surrendered, going so far as to generate a fake artificial intelligence (AI) model of Ukrainian President Zelenskyy delivering the message.

While this group continues to promote fake stories, Ghostwriter has also been active as of late. In February, the Computer Emergency Response Team for Ukraine (CERT-UA) warned that the group, also tracked as UNC1151, was responsible for an array of misinformation campaigns, phishing attempts, and assaults against Ukrainian targets. The group is apparently aligned with Belarus state interests.

A new campaign tied to Ghostwriter, discovered by Mandiant, is pushing false narratives about refugees, while other groups push a misinformation campaign aimed at an "aggressive defense of Russian strategic interests," according to the researchers. These activities appear to overlap with Ghostwriter, suggesting there may be a collaboration between the teams. Furthermore, fake narratives are being spread to try to damage relations between Ukraine and Poland. These stories include content that portrays refugees as a burden.

APT28, also known as Fancy Bear, continues to post content on Telegram channels related to the conflict, focusing on "weakening Ukrainians' confidence in their government and its response to the invasion."
