The December 2024 cyber-attack on the country's state registers was attributed to Russian military intelligence services.
# Incident Report: Major Cyber-Attack on Ukrainian State Registers
## Executive Summary
On December 19, 2024, Ukraine experienced a large-scale cyber-attack, attributed to Russia’s GRU, that temporarily suspended access to critical state registers (Unified and State Registers). Despite the attack's severity, responders succeeded in restoring all services by January 20, 2025, and confirmed that no data had been compromised or exfiltrated. The incident prompted an immediate investigation into the interconnected National Information Systems (NAIS) and a commitment to overhaul security architecture.
## Incident Details
- **Discovery Date:** December 19, 2024 (Date of attack/suspension)
- **Incident Date:** December 19, 2024
- **Affected Organization:** Ukrainian Government/State Registers (including registers for notaries, civil registry office, and legal entities)
- **Sector:** Government/Public Services
- **Geography:** Ukraine
## Timeline of Events
### Initial Access
- **Date/Time:** December 19, 2024
- **Vector:** Not explicitly detailed; the attack produced a large-scale disruption of critical state infrastructure.
- **Details:** The attack resulted in a temporary suspension of access to key state registers.
### Lateral Movement
- *(Information not specified in the provided context.)*
### Data Exfiltration/Impact
- **What was stolen or damaged:** Access to registers was temporarily suspended. Crucially, Minister Stefanishyna confirmed that **no information from the registers was compromised or exfiltrated**.
### Detection & Response
- **How it was discovered:** The widespread service disruption itself signaled the attack.
- **Response actions taken:** The Security Service of Ukraine (SSU) promptly attributed the hack to the GRU and opened a criminal investigation. Phased recovery began in early January, restoring the civil registry office and the Unified State Register of Legal Entities. Full operational status was achieved by January 20, 2025.
## Attack Methodology
- **Initial Access:** *(Not specified)*
- **Persistence:** *(Information not specified in the provided context.)*
- **Privilege Escalation:** *(Information not specified in the provided context.)*
- **Defense Evasion:** *(Information not specified in the provided context.)*
- **Credential Access:** *(Information not specified in the provided context.)*
- **Discovery:** *(Information not specified in the provided context.)*
- **Lateral Movement:** *(Information not specified in the provided context.)*
- **Collection:** *(Information not specified in the provided context.)*
- **Exfiltration:** Attackers were **unsuccessful** in data exfiltration.
- **Impact:** Disruption of critical government services (temporary suspension of register access) intended to sow panic.
## Impact Assessment
- **Financial:** *(No specific financial figures provided.)*
- **Data Breach:** **No data breach** confirmed; no information from registers was compromised.
- **Operational:** Temporary halt of access to key state functions, including notary services, civil registry, and business registration.
- **Reputational:** The stated goal by the attackers was to "sow panic among citizens of Ukraine and abroad." Operational restoration mitigated long-term reputational damage regarding data security.
## Indicators of Compromise
- *(Specific network/file/behavioral IOCs were not detailed in the summary provided.)*
## Response Actions
- **Containment measures:** Temporary suspension of access to the registers.
- **Eradication steps:** *(Implied success through full restoration, but specific technical eradication steps are not detailed.)*
- **Recovery actions:** Phased restoration of services starting in early January, culminating in full operational status on January 20, 2025. The Ministry of Justice is updating registers with data entered during the downtime.
## Lessons Learned
- The attack highlighted critical security shortcomings within **Ukraine’s National Information Systems (NAIS)**, which were interconnected with the state registers.
- The attackers aimed to disrupt critical infrastructure and sow panic rather than steal data.
- Governance-level oversight by the Ministry of Justice successfully steered the crisis response and the restoration of services.
## Recommendations
- Immediately implement security improvements and structural changes based on the audit findings of NAIS.
- **Decouple state registers** from the potentially vulnerable National Information Systems (NAIS) architecture.
- Establish a comprehensive, internal **network of cybersecurity specialists** across all government agencies for enhanced local resilience and response capabilities.