Ukraine Hit by Coordinated Cyberattacks on Government Sites and Banks
Ukraine faced a series of disruptive cyberattacks targeting government ministries, the Defense Ministry, state portals, and major banks, culminating in what officials called the largest DDoS campaign in the country’s history. On 15 February, attacks knocked offline or degraded access to services at PrivatBank, Oschadbank, the Ministry of Defense, government websites, and the Diia platform, with Ukrainian officials saying roughly 15 banks were affected. Authorities said the operation had been prepared in advance, originated from multiple countries, and was intended to destabilize society and trigger panic; they also said no theft of funds or personal data had been confirmed, while U.S. partners helped provide technical support and additional protections.
The February disruption followed an earlier January intrusion in which multiple Ukrainian ministry websites were hit and a defacement message in Russian, Polish, and Ukrainian falsely warned that citizens’ personal data had been leaked and destroyed. Ukrainian officials said no personal data leak was verified, while the EU and NATO publicly backed Kyiv and expanded cyber assistance, including closer cooperation and access to malware-sharing resources. The incidents fit a longer pattern of cyber operations against Ukraine, including the NotPetya attack that previously disrupted government bodies, banks, utilities, logistics firms, and airport operations and was later publicly attributed by the UK and US to Russia, an accusation Moscow has denied in more recent cases.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
US and UK attribute Ukraine DDoS attacks to Russia's GRU
On 2022-02-18, the White House and UK government publicly attributed the February DDoS attacks on Ukrainian banks and defense entities to Russia's GRU. US officials said technical evidence tied known GRU infrastructure to the activity and warned it could be part of broader preparation for disruptive or destructive operations.
Ukraine says most February attack disruptions were mitigated
By 2022-02-16, Ukrainian officials said most affected services had been restored even though the attack was still ongoing. The Defense Ministry added that attackers had also probed for vulnerabilities in website code, and US partners were providing technical support and additional protection services.
Ukraine links February DDoS campaign to Russia
On 2022-02-15, Ukrainian officials said the cyberattack had been prepared in advance, likely cost millions of dollars, and was intended to destabilize society and spread panic. They attributed responsibility to Russia, while the Kremlin denied involvement.
Major DDoS attack hits Ukrainian banks and government services
On 2022-02-15, Ukraine suffered what officials described as the largest DDoS attack in its history, targeting the Defense Ministry, government portals, the Diia service, and banks including PrivatBank and Oschadbank. Around 15 Ukrainian banks were reportedly affected, causing service disruptions but no reported theft of funds or personal data.
EU and NATO pledge cyber support after January attack
On 2022-01-14, the European Union condemned the attack on Ukrainian government websites and said it would mobilize resources to assist Kyiv. NATO also pledged continued support and announced enhanced cyber cooperation, including access to its malware information-sharing platform.
Ukraine says no data was leaked in January website attack
On 2022-01-14, Ukrainian authorities said several ministries were affected by the website incident but reported that no personal data had been leaked. At that time, Kyiv had not officially attributed the attack.
Ukrainian government websites defaced in overnight cyberattack
During the night of 2022-01-13 to 2022-01-14, multiple Ukrainian ministry websites were disrupted and displayed a threatening defacement message in Russian, Polish, and Ukrainian. The message falsely claimed Ukrainians' personal data had been leaked and destroyed.
UK publicly blames Russia for the NotPetya attack
On 2018-02-15, the UK formally attributed the 2017 NotPetya cyberattack to Russia. The same reporting noted the US joined the UK in assigning responsibility to the Russian state.
Ukraine says June 2017 cyberattack has been halted
By 2017-06-28, Ukraine's government said the cyberattack on state and corporate networks was under control and that specialists were working to restore lost data. Officials reported that key state-security-related enterprises were continuing to function normally.
NotPetya disrupts Ukrainian government and corporate networks
On 2017-06-27, a large-scale cyberattack attributed to Petya/NotPetya hit Ukrainian government bodies and major companies, disrupting banks, utilities, logistics providers, and Boryspil airport. Ukrainian authorities said strategic enterprises continued operating despite the widespread impact.


