Russian Cyberattacks Disrupted Ukraine Communications via Viasat and Wiper Malware
Russian-linked cyber operations hit Ukraine at the outset of the invasion with both destructive malware and a major satellite communications disruption. Security researchers identified the HermeticWiper data-wiping malware on hundreds of systems in Ukraine, with additional impacts reported at a Ukrainian financial institution and government contractors in Latvia and Lithuania. The activity coincided with DDoS attacks against Ukrainian government entities and PrivatBank, underscoring a coordinated effort to degrade communications and critical services as military operations began.
A parallel attack on Viasat’s KA-SAT network knocked 40,000 to 45,000 satellite modems offline, many of them permanently, after attackers compromised a VPN-connected management center in Turin and pushed wiper malware through a software update server. Viasat later said the incident unfolded in two stages, with a second wave using compromised modems to flood company systems and complicate recovery; the disruption spilled into Europe, including outages affecting 5,800 Enercon wind turbines in Germany. U.S. and EU officials attributed the operation to Russian hackers, and the investigation helped support sanctions announced in 2022.

How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Viasat and NSA reveal two-stage attack details at Black Hat
At Black Hat, Viasat and NSA officials disclosed that the 2022 KA-SAT incident consisted of two separate attacks and described the initial VPN compromise, destructive modem update, and follow-on flooding activity. They also said Viasat rebuilt major parts of its infrastructure to improve resilience after the incident.
Sanctions announced following Viasat attribution work
Broader sanctions against Russia announced in May 2022 were informed in part by the investigation and attribution of the Viasat attack, according to later NSA remarks.
U.S., EU and allies attribute Viasat attack to Russian actors
Following months of investigation and coordination, U.S. and European officials publicly attributed the KA-SAT cyberattack to Russian hackers. The attribution was tied to the wartime disruption of Ukrainian and European communications.
Researchers publicly identify HermeticWiper campaign
Cybersecurity firms including ESET and Symantec publicly reported the HermeticWiper malware campaign, describing its use against Ukrainian organizations and warning of possible spillover risks reminiscent of earlier destructive attacks.
Enercon wind turbines in Germany lose remote connectivity
The KA-SAT disruption had downstream effects beyond Ukraine, including loss of remote communications for about 5,800 Enercon wind turbines in Germany that relied on the satellite service.
Second Viasat attack wave floods systems and hinders recovery
After the modem-disabling phase, compromised modems were used in a second disruptive wave to flood Viasat systems, complicating restoration efforts. The broader outage also affected customers across Europe.
Wiper pushed through Viasat update server disrupts KA-SAT modems
At the outset of Russia's invasion of Ukraine, attackers used Viasat's software update mechanism to deploy destructive commands to KA-SAT modems. The operation disrupted roughly 40,000 to 45,000 modems, many permanently, and interfered with Ukrainian communications.
Attackers compromise Viasat KA-SAT management network
According to later disclosures, the Viasat incident began with an intrusion through a VPN-connected management center in Turin, Italy, giving attackers access needed to affect the KA-SAT satellite network.
HermeticWiper deployed against Ukrainian targets
A new data-wiping malware later named HermeticWiper was used against hundreds of machines in Ukraine around the start of Russia's invasion. Researchers also observed impacts on a Ukrainian financial institution and on Ukrainian government contractors in Latvia and Lithuania.
DDoS attacks hit Ukrainian government sites and PrivatBank
Before the wiper activity was publicly identified, Ukrainian government entities and PrivatBank were targeted with distributed denial-of-service attacks as tensions escalated around Russia's offensive.
Microsoft reports defacement and wiper attacks on Ukrainian entities
Researchers disclosed a campaign targeting Ukrainian organizations with website defacements and destructive malware in January 2022, describing it as an escalation in cyber activity against Ukraine ahead of the later February attacks. The reporting highlighted the use of wipers against Ukrainian systems before HermeticWiper was publicly identified.
Sources
NSA, Viasat say 2022 hack was two incidents; Russian sanctions resulted from investigation | The Record from Recorded Future News (therecord.media)
On National Security | Drawing lessons from the first 'commercial space war' - SpaceNews (spacenews.com)
Satellite modems nexus of worst cyberattack of Ukraine war | AP News (apnews.com)
Report: NSA Investigates Viasat Hack That Coincided With Ukraine Invasion | PCMag (pcmag.com)
Russia unleashed data-wiper malware on Ukraine, say cyber experts | Ukraine | The Guardian (theguardian.com)
New wiper, worm attacks emerge in Ukraine targeting government and industry | Cybersecurity Dive (cybersecuritydive.com)
Russia unleashed data-wiper malware on Ukraine, say cyber experts | Ukraine | The Guardian (web.archive.org)
Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation (blog.talosintelligence.com)


