Public administration
Public administration and defence; compulsory social security
875 cyberattacks and operations
In the Russia-Ukraine war, why do cyberattacks on the public administration sector matter?
Cyberattacks on the public administration sector threaten e-government activities, the protection of sensitive government and personal data, and the functioning of services. Public administration in Ukraine, Russia and other countries has been the target of cyberattacks linked to the conflict. Because of its direct connection with government entities, the sector has been a specific target of disruptive attacks in Ukraine, both in the lead-up to the invasion and in the ongoing conflict. Government institutions in Russia have also been subject to various types of attacks. The conflict has also seen disruptive attacks on public administration and government websites in countries that have demonstrated support for Ukraine through the application of sanctions and/or the supply of military aid.
What types of attacks have been documented against the sector?
Which countries have seen attacks on the sector in the context of the war?
What impact do these attacks have on people?
Attacks on public administration, including national and local government institutions, affect the civilian population by impeding access to key public services such as health, social services, migration and education, and to timely and reliable information. Cyberattacks during the conflict have also been used to try to undermine trust and confidence in state institutions and to control the information space through the spread of disinformation and propaganda, based on geopolitical objectives.
What are the primary digital impacts observed on the sector by country?
Can history shed light on the impact of attacks on this sector?
21 April 2022 – government websites, Estonia
DDoS cyberattacks temporarily disrupted and blocked access to thirteen Estonian government websites. Targeted websites included the president's (president.ee), Ministry of Foreign Affairs (vm.ee), Police and Border Guard Board (politsei.ee), digital state services portal (eesti.ee) and ID card information page (id.ee).
Societal harm/impact
- The attacks started around 4 pm on Thursday and lasted for several hours, disrupting and blocking access to key websites. The campaign of attacks ended on the following Monday.
- A total of 13 websites were targeted, though in many cases regular users of the sites would have been unaware at the time of the onslaught, thanks to counter-measures. In a few cases, reconfiguration meant that sites were temporarily down, though these were only isolated and relatively short-lived outages.
- Over two billion malicious queries were issued to the state sites and those of state agencies and state-owned firms, with up to 11,000 malicious queries per regular, non-hostile query, at the peak of the attack.
Which threat actors have been linked to attacks on the sector during the conflict?
| Name | Type | Origin | Number of attacks |
|---|---|---|---|
| NoName057(16) | Collective | | 455 |
| People's CyberArmy | Collective | | 79 |
| KillNet | Collective | | 28 |
| Anonymous Russia | Collective | | 28 |
| Phoenix | Collective | | 19 |
| Netside Group | Collective | Unknown | 16 |
| Bloodnet | Collective | Unknown | 16 |
| Zulik Group | Unknown | Unknown | 15 |
| Anonymous | Collective | Unknown | 12 |
| Russian Hackers Team | Collective | Unknown | 11 |
| National Hackers of Russia (HXP) | Collective | Unknown | 11 |
| IT Army of Ukraine | Nation State | | 10 |
| TA499 | Unknown | Unknown | 7 |
| Net Worker Alliance | Collective | Unknown | 7 |
| XakNet | Collective | | 6 |
| Anonymous Sudan | Collective | Unknown | 6 |
| DEV-0586 | Nation State | | 4 |
| Russian Hackers Community | Collective | Unknown | 4 |
| UNC1151 | Nation State | | 4 |
| APT28 | Nation State | | 4 |
| Sandworm | Nation State | | 3 |
| Gamaredon | Nation State | | 3 |
| ChaosSec | Collective | Unknown | 3 |
| BlueNet Russia | Unknown | Unknown | 3 |
| Kvazar DDoS | Collective | Unknown | 3 |
| Nation State - Russian Federation | Nation State | | 2 |
| NB65 | Collective | Unknown | 2 |
| v0g3lSec | Collective | Unknown | 2 |
| TA416 | Nation State | | 2 |
| Legion Cyber Spetsnaz | Collective | | 2 |
| APT37 | Nation State | NK | 2 |
| Zarya | Collective | | 2 |
| KillNet Collective | Collective | Russian Federation | 2 |
| Mirai | Collective | | 2 |
| Russian Clay | Collective | Unknown | 2 |
| Cyber Cat | Collective | Unknown | 2 |
| APT29 | Nation State | | 2 |
| Solntsepek | Collective | Unknown | 2 |
| Web Invaders | Unknown | Unknown | 2 |
| SpyeEye Botnet | Unknown | Unknown | 2 |
| KillMilk | Individual | | 2 |
| Anonymous Italia | Collective | Unknown | 2 |
| UAC-0050 | Unknown | Unknown | 2 |
| GURMO | Nation State | | 2 |
| AgainstTheWest | Collective | Unknown | 1 |
| GhostSec | Collective | | 1 |
| Vermin | Collective | | 1 |
| InvisiMole | Nation State | | 1 |
| UAC-0094 | Unknown | Unknown | 1 |
| The Black Rabbit World | Collective | Unknown | 1 |
| UAC-0098 | Unknown | | 1 |
| Anonymous-DepaixPorteur | Collective | Unknown | 1 |
| Anonymous-Spid3r | Collective | Unknown | 1 |
| UAC-0099 | Unknown | Unknown | 1 |
| RaHDIt | Collective | | 1 |
| Haydamaki | Collective | | 1 |
| StudentCyberArmy | Collective | | 1 |
| Red Stinger | Unknown | Unknown | 1 |
| UAC-0132 | Unknown | Unknown | 1 |
| Cyber Partisans | Collective | | 1 |
| UNC4166 | Unknown | Unknown | 1 |
| Bear IT Army | Collective | | 1 |
| UAC-0063 | Unknown | Unknown | 1 |
| UAC-0165 | Unknown | Unknown | 1 |
| RomCom | Unknown | Unknown | 1 |
| Structura National Technologies | Nation State | Unknown | 1 |
| UserSec | Collective | Unknown | 1 |
| Sudo RM -RF | Unknown | Unknown | 1 |
| Cyber Resistance | Collective | Unknown | 1 |
| NLB | Unknown | Unknown | 1 |
| Blackjack | Unknown | Unknown | 1 |
| APT10 | Nation State | | 0 |
| Infinity Hackers BY | Collective | Belarus | 0 |
| Social Digital Agency | Nation State | Unknown | 0 |
Explore the data
| Event Name | Event Country | Event Date | Event Type | Impact Category | Impact Description | Threat Actor Name |
|---|---|---|---|---|---|---|
| DDoS attack against the website of a Ukrainian government ministry | | 2023-12-31 | DDoS | Disruption | Disrupted connectivity to the website. | Anonymous Russia |
| Campaign: DDoS attacks against the websites of a Czech ministry and a government chamber | | 2023-12-31 | DDoS | Disruption | Disrupted connectivity to websites. Website unavailable to foreign IP addresses. | NoName057(16) |
| Campaign: DDoS attacks against the websites of a British town council and a city council | | 2023-12-31 | DDoS | Disruption | Disrupted connectivity to website. | NoName057(16) |
| Campaign: DDoS attack against the subdomain of a Dutch government service | | 2023-12-30 | DDoS | Disruption | Disrupted connectivity to website. | NoName057(16) |
| Campaign: DDoS attack against the website of a Finnish commerce chamber | | 2023-12-29 | DDoS | Disruption | Disrupted connectivity to website. Website unavailable to foreign IP addresses. | NoName057(16) |
| Campaign: DDoS attacks against the websites of a British town council, a city council and a judicial platform | | 2023-12-28 | DDoS | Disruption | Disrupted connectivity to websites. | NoName057(16) |
| Campaign: DDoS attacks against the websites of a Czech ministry, a government office and a government chamber | | 2023-12-27 | DDoS | Disruption | Disrupted connectivity to websites. | NoName057(16) |
| Campaign: DDoS attack against the subdomain of a Dutch government service | | 2023-12-25 | DDoS | Disruption | Disrupted connectivity to website. | NoName057(16) |
| Campaign: DDoS attack against the official website of a Swedish government agency | | 2023-12-24 | DDoS | Disruption | Disrupted connectivity to website. | NoName057(16) |
| Campaign: DDoS attacks against the websites of British councils | | 2023-12-23 | DDoS | Disruption | Disrupted connectivity to websites. | NoName057(16) |