In 2024, cyber-specialists working as part of the Main Directorate of Intelligence of the Ministry of Defence of Ukraine (HUR) and the Security Service of Ukraine (SBU) initiated several cyberattacks on Russian technology and infrastructure, including attacks on Russia's banking sector, Russian internet providers, regional and municipal administration web resources, Russian airports, several Russian state institutions, and private companies. The operations were conducted as a means to impede Russian military operations and uncover classified documents that could be taken into account by the Armed Forces of Ukraine during the Russian invasion of Ukraine, as well as to destabilize Russia's institutions. Cyberattacks began to intensify in scope in June and July 2024. [1] [2]
Russian–Ukrainian cyberwarfare has been a component of the confrontation between Russia and Ukraine since the Revolution of Dignity in 2013–2014. The Russian cyberweapon Uroburos had been around since 2005. [3] However, the first attacks on information systems of private enterprises and state institutions of Ukraine were recorded during mass protests in 2013. In 2013, Operation Armageddon began: a Russian campaign of systematic cyber espionage on the information systems of government agencies, law enforcement, and defense agencies, thought to help Russia on the battlefield. [4] Between 2013 and 2014, some information systems of Ukrainian government agencies were affected by a computer virus known as Snake / Uroburos / Turla. [4] In February–March 2014, as Russian troops entered Crimea, communication centers were raided and Ukraine's fibre optic cables were tampered with, cutting the connection between the peninsula and mainland Ukraine. Additionally, Ukrainian government websites, news and social media were shut down or targeted in DDoS attacks, while cell phones of many Ukrainian parliamentarians were hacked or jammed. [4] [5] Ukrainian experts also stated that a cyberwar with Russia had begun. [6]
Cybersecurity companies began to register an increase in the number of cyberattacks on information systems in Ukraine. The victims of Russian cyberattacks were government agencies of Ukraine, the EU, the United States, defense agencies, international and regional defense and political organizations, think tanks, the media, and dissidents. [4] As of 2015, researchers had identified two groups of Russian hackers who have been active in the Russian-Ukrainian cyber war: the so-called APT29 (also known as Cozy Bear, Cozy Duke) and APT28 (also known as Sofacy Group, Tsar Team, Pawn Storm, Fancy Bear). [4]
In mid-January, the Ukrainian HUR reported that volunteer BO Team hackers employed by the ministry deleted 280 servers and 2 petabytes of data from Planet, a state space hydrometeorology research center in the Far East that aided the Russian military and fifty other state agencies with gathering and analyzing satellite imaging and data. According to HUR, the cyberattack cost Russia approximately US$10 million in damages, which included a destroyed supercomputer and its software, together costing US$350,000, with Western sanctions greatly complicating its replacement. The attack also impacted warehouses and the center building of the research center, including its humidification, air conditioning, servers, and emergency power supply. Further attacks on a Russian Arctic station on Bolshevik Island "completely cut off" its connection with Russian networks. [7]
On February 4, HUR's official Telegram channel reported that they accessed an electronic document management system called "bureaucrats", and exposed detailed information about high-ranking Russian military personnel and specialists. The ministry also said that they found a wide array of classified documents, specifically mentioning documents belonging to Russian Deputy Defense Minister Timur Ivanov. The hack resulted in the HUR recovering sensitive information that included Russian army orders, reports, and instructions that were circulating among over 2,000 military units within Russia's defense ministry and that could be analyzed by the Armed Forces of Ukraine. The hackers sarcastically thanked Russian Defense Minister Sergei Shoigu for his inadvertent role in facilitating the cyberattack's success. [8]
HUR hackers were also able to target Russian military software used to modify commercial DJI drones for military applications, shutting down servers responsible for Russia's "friend or foe" identification system, preventing troops from accessing the server for drone operations. The cyberattack also prevented troops from configuring control panels, transmitting video feeds to command posts, and operating drones using computer interfaces, forcibly grounding several drone fleets and halting operations. [9]
In April, the HUR cooperated with the BO Team hacker group to target Interregional TransitTelecom (MTT), a subsidiary of MTS, one of Russia's largest telecom companies, after gaining comprehensive access to MTT's network equipment. The HUR reported that the attack destroyed critical software and configuration files, leading to severe internet disruptions throughout Russia that affected major cities such as Moscow and St. Petersburg, requiring workers to physically access and re-connect equipment to fix the outages. [10]
Attacks on communication company Moskollector by the SBU shut down 87,000 alarm sensors used for sewage monitoring and control throughout the Moscow metropolitan area, destroying "70 servers and at least 90 terabytes of company data, emails, backup copies and contracts" in the process. [11]
In early June, HUR cyber operatives conducted a widespread attack on various Russian government websites, including those of key ministries such as the ministries of Justice, Defense, Information Technology and Communications, Finance, Internal Affairs, Industry and Energy, and Emergency Situations. [12] The disruptions extended to civilian services, with local reports indicating several wedding cancellations due to system outages. Attacks on the United Aircraft Company (UAC), Russia's primary advanced aircraft manufacturer, impacted its operations and rendered its website inaccessible for an extended period. HUR reported that its primary method of attack was distributed denial-of-service (DDoS). [13] [14]
On June 12, coinciding with Russia Day, Ukrainian hackers targeted the online systems of multiple Russian airports, causing flight disruptions. [12] Targeted airports included Yuzhno-Sakhalinsk's airport, Moscow Domodedovo Airport, and Saratov's Gagarin Airport, delaying flights mainly destined for Sochi, Bodrum, and Moscow. The attack also forced airplanes to divert to Samara and Ulyanovsk. Shortly before targeting the airports, cyber-specialists accessed the official website server of the Stavropol Region's State Duma and added a banner containing the phrase "Hold on, we will liberate you!" and depicting Red Square bearing Ukrainian flags. [15]
Shortly after, on June 14, the HUR cooperated with the BO Team hacker group to attack Russian municipal web resources, primarily targeting the Ulyanovsk regional administration's digital infrastructure. The attack resulted in considerable damage to the administration's IT systems: two hypervisors and communication devices were reportedly disabled, while ten virtual machines and one personal computer were destroyed. Additionally, the operation led to the erasure of approximately 20 terabytes of data. Prior to the main assault, the hackers engaged in a phishing campaign that targeted other local government bodies, courts, and members of the public. [16]
As part of the operation, the attackers published a fabricated order on the Ulyanovsk administration's website. This false directive, attributed to Mayor A.E. Boldakin, called for public demonstrations. The infiltration also provided the BO Team access to sensitive documents, including reports on military recruitment practices. These documents reportedly referred to Ulyanovsk residents reported for "bypassing of candidates for military service" as "targeted individuals". [16]
On June 26, Russian-occupied Crimea's largest internet providers were targeted by intense cyberattacks. [12]
In July 2024, Ukrainian intelligence services reportedly launched a major cyberattack against several Russian technology-based sectors. The attacks started on July 15, when HUR cyber-specialists worked with a community of hackers to target roughly one hundred Russian web resources and erase their internal data. The targets were picked based on their involvement with Russian agencies involved with Russia's invasion of Ukraine. [2] Affected webpages were shut down and replaced with a picture of a bloody, decapitated pig head colored with Russia's flag next to an axe bearing the flag of Ukraine, with the phrase "404 Russia not found" listed. [17]
A larger operation was initiated on July 23 by the Main Intelligence Directorate of Ukraine's Ministry of Defense, which targeted financial institutions it stated were involved in funding military activities against Ukraine. By July 27, the attack's impact became severe and widespread. Customers of several major Russian banks were unable to withdraw cash from ATMs, with credit and debit cards being blocked upon use. The cyberattack affected various aspects of Russia's virtual banking infrastructure, which included freezing of payment systems and mobile banking applications, banking portal outages, and breaches into the databases of several major banks which included Dom.RF, Alfa-Bank, Raiffeisen Bank, VTB Bank, Rosbank, Gazprombank, RSHB Bank, Sberbank, iBank, and Tinkoff Bank. The attacks also targeted public transportation systems, popular Russian social networks and internet platforms, and caused service interruptions for multiple large Russian telecom and internet providers including MegaFon, Tele2, Beeline, and Rostelecom. [1] [2] [18]
A source from the Ukrainian intelligence stated that the attack was "gaining momentum" and implied escalations in attacks. [1] [2]
Russia acknowledged the cyberattacks as being initiated by "politically motivated hackers". [2]