Main Cyber Highlights of April

Main Cyber Highlights of April

Foto — pixabay.com




Since the beginning of the full-scale russian invasion of Ukraine, 430 cyberattacks have been recorded. For comparison – last year there were 207. Government sites, the ecosystem of products «Action», the energy sector and the financial sector are under the greatest attention of hackers [1].

More than half of all attacks have been carried out to gather information or spread malicious code. The most popular methods of cyber attacks by russian military hackers are:

  • sending of the malicious software aimed at data theft or destruction of infrastructure;
  • phishing emails that allow them to obtain credentials to access information systems;
  • using of known vulnerabilities.

russian hackers have begun to carry out more and more cyberattacks against ordinary Ukrainians. russia’s traditional approach to «information warfare» is a combination of cyber activities with information and psychological operations [2].

Microsoft’s report on russian cyberattacks against Ukraine [3] states that russia has been increasing cyber attacks on Ukraine since March 2021 for intelligence purposes and intensified them on the eve of the invasion. At least 8 destructive malware families have been deployed. In addition, russian hacker attacks often coincide in time with the fighting of individual units against specific institutions or facilities.

However, it should be noted that for all their activity, russian cybercriminals have never caused significant harm to Ukrainians. russia’s cyber-offensive operations in Ukraine have probably reached their maximum potential. They have already demonstrated all the available tools and technologies. Due to sanctions, russian hackers will not be able to develop as they did before [4].

Also, more than 80 databases that are critical for the russian Federation have been broken so far, such as databases of citizens, businesses, and rather sensitive data [5].

A significant strengthening of the Ukrainian side in the cyber war is the involvement of many foreign hacker movements that coordinate their attacks on russia with Ukraine. They do not advertise activities and avoid undue attention, but interact with each other [6].

The five groups that have carried out the most cyber attacks on Ukraine’s critical information infrastructure include hackers, whose activities are linked to the aggressor country or accomplice in the war against our state – belarus. [7]

Given the growing sanctions pressure on russia’s IT and telecoms, putin has issued a decree establishing an interagency commission responsible for russia’s «technological sovereignty» of russia’s information space, preparing the country for the Iron Curtain in the digital environment. [8]



Deface / information replacement:

• Damage to the website of Kirovohrad Region Department of Labor and agitation for «friendship» with russia and the so-called «special operation» [9].

• Distribution of a fake video with the BBC News logo on «responsibility» of Ukraine for the missile attack on Kramatorsk railway station on April 8 [10].

• Hacking of the site of Donetsk railways in the «DPR» by the cyber troops of Ukraine (against the background of photos with the destruction and victims of aggression by russian invaders, messages for militants) [11].

• Hacking of Zaporizhzhya youth student site «Thresholds» and posting russian propaganda [12].

• Creating a fake analogue of the SSU chatbot [13].

• The number of the military brigade hotline was broken [14].

Dos / DDos:

• Cherkasy Internet provider McLaut [15].

• Rivne Vecherne website (158 since the beginning of the full-scale war) [16].

• Media Detector publication [17].

• LIGA.NET website [18].

• Website of Lviv Regional Military Administration [19].

• DOU publication site [20].

• Online sales services and Ukrzaliznytsia support line [21].

• Ukrposhta online store [22].

Phishing / Malware:

• Cyber ​​attacks on state organizations of Ukraine using exploits for XSS vulnerabilities in the Zimbra Collaboration Suite and the malicious program IcedID [23, 24].

• Large-scale cyber attack of the Sandworm group on the energy sector of Ukraine using malicious programs Industroyer2 (warned) [25].

• Imitation of the resource of the TV channel «Ukraine 24»: «receiving financial assistance from EU countries» [26]

• SMS-messages: «payments of material assistance to internally displaced persons» [27]

• Cyber ​​attack on state organizations of Ukraine using the theme of «Azovstal» and the malicious program Cobalt Strike Beacon [28].

• UAC-0056 cyberattack using GraphSteel and GrimPlant malware and COVID-19 [29].

• Cyber ​​attack of the UAC-0098 group on the state authorities of Ukraine using the Metasploit framework (sending e-mails on the topic «Presidential Decree No. 576/22 on unprecedented security measures») [30].


• Spreading fakes about the alleged hacking of a moving line during a Ukrainian telethon and spreading reports about the «assassination of the president» and demands to «lay down arms» [31]

• Threats from russian hackers NoName to Volyn media and Zaporizhzhya site 061.ua [32, 33].



IT ARMY of Ukraine:

Between April 11 and May 1, about 450 russian online resources were attacked [34], [35], [36]:

• National product labeling system

• Truck toll collection system weighing 12 tons

• Online accounting services

• Online TV platforms

• Veterinary inspection system

• Online ticket purchase services

• Fixed data operators

• Electronic reporting systems (including 1C)

• Tender sites

• Severstal

• Online food ordering services


As of April 21, more than 6 TB and 6 million of russian documents and emails had been released by Anonymous following their declaration of cyber warfare against the Kremlin’s criminal regime [37]. The goals of Anonymous hackers and related groups over the past three weeks:

• russian oil and gas company Technotec (440 GB leak) [38].

• 14Gazprom Linde Engineering (728 GB leak) [39].

• PSKB, St. Petersburg Social Commercial Bank (542 GB leak) [40]

• Gazregion, a construction company whose client is Gazprom (222GB leak) [41]

• Neocom Geoservice, a geological company that operates Gazprom (107 GB leak) [42]

• Synesis Surveillance, a surveillance system linked to the belarusian government (1.2 GB leak) [43]

• GUOV and the Central Bank related to the russian Ministry of Defense (9.5 GB leak) [44]

• Tendertech, a financial firm whose clients include Russian banks (160 GB leak) [45]

• Sawatzky, a real estate management company (leaked 432 GB) [46]

• Worldwide Invest, an investment company related to the russian railway (130 GB leak) [47]

• Metrospetstechnika, supplier of «every metro in russia» (access to the system) [48]

• Accent Capital, a russian real estate investment company (leaked 211 GB) [49]

• Enerpred, the largest manufacturer of hydraulic equipment in russia (432 GB leak) [50]

• russian Space Agency, Luna Resource Mission [51]

• russian customs broker ALET for companies in the fuel and energy industry (leak 1.1 TB) [52].

• russia’s large power company «Elektrocentromontazh» (leak 1.7 TB) [53].


• The website of the russian Ministry of Emergencies reported a hacking after the publication of recommendations «in the event of a nuclear retaliatory strike by NATO» [54].

• Data from the russian propagandist Solovyov were obtained from unknown cyber activists [55].

• The website of Pskov Diocese was hacked, photos of crimes from Bucha were posted [56]



In a private industry notification (PIN) FBI warned local governments and government services that ransomware would likely «strain» their capabilities if not prevented. The FBI does not encourage paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities [57].

According to the report of the Guidepoint Security, ransomware trends in 2022, like previous years, continues the trend of ransomware being one of the most impactful and prolific threats that public and private sectors face daily. The trends indicate that western countries are affected more frequently than others. It is also very clear that countries with suspected ties to ransomware groups, including former Soviet Union countries, China, and North Korea, have far fewer victims than other countries.Some critical infrastructure verticals such as Finance, Information Technology, and Healthcare continue finding themselves in the top 10 industry verticals affected by ransomware. Looking at the 2021 and 2022 data, 2022 start off at a faster rate than last year [58].

The U.S. Federal Bureau of Investigation has wrested control of thousands of routers and firewall appliances away from Russian military hackers by hijacking the same infrastructure Moscow’s spies were using to communicate with the devices. The targeted botnet was controlled through malware called Cyclops Blink, which U.S. and UK cyberdefense agencies had publicly attributed in late February to «Sandworm», allegedly one of the Russian military intelligence service’s hacking teams that has repeatedly been accused of carrying out cyberattacks [59].

Microsoft observed attacks targeting Ukrainian entities from Strontium, a russian GRU-connected actor they have tracked for years.  Strontium was using this infrastructure to target Ukrainian institutions including media organizations. It was also targeting government institutions and think tanks in the United States and the European Union involved in foreign policy. Strontium was attempting to establish long-term access to the systems of its targets, provide tactical support for the physical invasion and exfiltrate sensitive information [60].

U.S. Department of Justice (DOJ) and German federal police have successfully shut down the Russian dark web marketplace Hydra, which has contributed to nearly 80% of all dark web market-related cryptocurrency transactions last year. Along with shutting down Hydra’s servers, the DOJ also issued criminal charges against russian resident Dmitry Pavlov for conspiracy to distribute narcotics and conspiracy to commit money laundering in connection with his operation and administration of the servers used to run Hydra. Pavlov is allegedly the administrator of Hydra’s servers. Over 34 mln US Dollars in Bitcoins were seized. There were over 17 mln accounts of users and 19,000 accounts of sellers at the forum. German authorities claim that the shop had the biggest cash-flow. Only during 2020 it gained over 1,23 bln US Dollars.The marketplace operated since 2015, it has received approximately $5.2 billion in cryptocurrency, the DOJ said [61].

New dump shops were appeared on the Darknet: The Bankir Shop offers over 130.000 compromised payment cards. The YESBRO Shop offers over 150.000 compromised payment cards. The shop is a successor of the Wizzard Dump shop. Both shops are available via WEB or TOR versions. 


Global cyber cooperative center (GC) continues working with companies, law enforcement and research organizations to neutralize cyber crime.