{
	"id": "a48ad951-8935-49f8-9f24-a19b86720893",
	"created_at": "2026-04-06T00:10:39.304763Z",
	"updated_at": "2026-04-10T03:30:33.044138Z",
	"deleted_at": null,
	"sha1_hash": "303abb4984a40e9a9832cd4c3e3b82968a1d7b04",
	"title": "Conversation with a top Ukrainian cyber official: What we know, what we don’t, what it means",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48580,
	"plain_text": "Conversation with a top Ukrainian cyber official: What we know,\r\nwhat we don’t, what it means\r\nBy AJ Vicens\r\nPublished: 2022-01-31 · Archived: 2026-04-05 14:23:04 UTC\r\nCybersecurity officials in Ukraine issued a warning Monday about yet another phishing attack using either\r\ncompromised or spoofed government email addresses, the second such warning since Saturday.\r\nMonday’s alert warned of attackers targeting government institutions with malware-laced bait documents hosted\r\non Discord that reach targets within emails appearing to come from the National Health Service of Ukraine. The malware deploys\r\na program called OutSteel that looks for files with certain extensions and steals them, and also deploys a second\r\nmalicious program called SaintBot.\r\nMonday’s bulletin comes two days after government officials there warned of compromised email accounts from\r\nthe Ukrainian judiciary being used to target mostly Ukrainian government entities with malware hidden within\r\nphony court inquiries.\r\nBoth operations come roughly two weeks after a cyberattack targeting Ukrainian government systems that wiped\r\nsome computers and defaced the websites of dozens of agencies.\r\nAll of the attacks are linked as part of “hybrid aggression, cyber aggression against Ukraine,” said Victor Zhora,\r\nthe deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, but\r\nnot as a single operation.\r\n“These are steps to continuously attack Ukrainian government agencies, objects of critical infrastructure and to\r\nmake us ready for any kind of new attack,” Zhora said.\r\nThe operations play out against the backdrop of ongoing tension between the government of Russia and a host of\r\nwestern governments, as the Russian government accused the U.S. 
of wanting war in Ukraine, and the U.S.\r\ncontinuing to insist that a Russian military attack on Ukraine is possible at any time.\r\nAs the two nations’ diplomats traded barbs at the United Nations Monday, officials in Kyiv such as Zhora are\r\ntasked with unpacking the technical details, as well as the methods and motivations, behind ongoing cyberattacks\r\ndirected at the government of Ukraine.\r\nZhora spoke with CyberScoop Monday and explained the biggest outstanding questions related to the cyberattacks\r\nagainst his country, how the attacks fit into the context of Russian aggression toward Ukraine for the last eight\r\nyears, and how other countries, including the U.S., are helping decipher what’s happening in the attacks. The\r\nanswers have been lightly edited and condensed for clarity.\r\nCyberScoop: A fair amount of data and context has been published about the latest round of cyberattacks\r\non Ukraine. What are the biggest unanswered questions?\r\nhttps://www.cyberscoop.com/ukrainian-cyber-attacks-russia-conflict-q-and-a/\r\nPage 1 of 3\n\nZhora: I would name two major questions. The first is the exact way and date of the compromising of the\r\ninfrastructure software development company, which was used as a first step of a supply chain attack on\r\ngovernment websites. That’s what we need to discover.\r\nAnd that would be a key to the second major question: Attribution. 
We see a lot of signs, and a lot of details,\r\nwhich can lead up to the conclusion that one of the Russian APT (advanced persistent threat) groups is\r\nresponsible for this attack, but we need exact proof, which can allow us to come out with a solid attribution.\r\nCyberScoop: There have been public accusations of Russian-government involvement, but you’re saying\r\nthat you want to be able to provide more forensic and digital evidence before formally attributing the\r\nattacks to specific groups?\r\nZhora: We should have enough evidence before we blame anyone responsible for organizing an attack. We\r\nalready invited [experts] — and hopefully, we’ll be able to come out with — a single statement involving\r\ninternational experts who will enrich our expertise.\r\nCyberScoop: There have been reports of U.S. and other nations’ cybersecurity experts aiding Ukraine.\r\nWhat does help look like?\r\nZhora: We appreciate the help from U.S. companies and officials, that is very valuable for us. We have had some\r\ntalks with different people, and we feel the support and practical support. We continue getting valuable\r\ninformation, which allows us to continue investigation.\r\nAs regards the experts who will help in the investigation, unfortunately, I cannot name them or their organization,\r\nbut I’m confident their help will be very important and valuable for us.\r\nCyberScoop: I would imagine your local experts are quite experienced with dealing with the kinds of\r\nattacks they’re seeing.\r\nZhora: Providing comprehensive attribution means not just collecting evidence but also making some conclusions\r\nfrom this evidence. It also should be combined with some intel data and this intel data is particularly rich and fully\r\nowned by our foreign partners.\r\nSo I cannot say that Ukraine can provide such deep threat intelligence or APT intelligence like the United States\r\nor United Kingdom can help with. 
That’s an area of cooperation to provide us solid attribution. And that would be\r\nimportant, that this attribution should convince everybody that all steps that were taken were correct.\r\nCyberScoop: There have been reports of possible Belarusian connections to some of the cyber activity that\r\nhas been witnessed. Can you elaborate on any of that?\r\nZhora: That was one of the questions, and could be one of the versions [of events]. For example the [attack]\r\ncould be developed in the Russian Federation but executed by Belarusians. Or the territory from which Ukraine\r\nwas attacked could be a territory of Belarus, and that could be done during the military exercises, which took\r\nplace exactly at the same time. But in my opinion, I don’t think that Belarusians would take the risk of being\r\nblamed for this.\r\nWe understand that we have Russian troops, Russian soldiers, Russian arms, at the east, that have occupied and\r\nannexed Crimea. We understand that this is [Vladimir] Putin, this is the Kremlin, this is the Russian Federation.\r\nBut with regards to Belarus, they always try to keep their neutral position. And if it happens that they were\r\nsomehow involved in this, that would significantly change the total disposition of forces and there could be some\r\ngeopolitical changes with regards to this effect. So as an idea, it can exist, but as facts, I don’t think so.\r\nCyberScoop: Ukrainian President Volodymyr Zelensky has said Western governments are inciting “panic”\r\nby insisting that the Russian government will launch a full-scale attack any day. Do you think that includes\r\nany of the discussion around the cyberattacks that are making the headlines?\r\nZhora: We consider this as a part of this hybrid aggression, parts of a big-information, psychological special\r\noperation against Ukraine. 
Of course, we see the big geopolitical tension and some speculation about a potential\r\nland operation. In my opinion Kyiv is rather calm and people are thinking about their day-to-day problems and\r\nabout dealing with COVID-19, and so the same things people are dealing with around the world. So that’s a much\r\nmore important problem.\r\nBut of course, I understand that I cannot see the whole picture as the foreign leaders can see. So my picture is\r\nabout cybersecurity, and I will say that it’s not scary, but alarming. We witnessed the recent cyberattack which\r\nshows us some serious weaknesses, which we need to quickly resolve. And the latest phishing campaigns confirm\r\nthe adversary’s abilities and their will to continue aggression.\r\nThis means that critical infrastructure should be our main point of interest. We need to be aware of risks that can\r\nhappen to critical infrastructure, especially regarding this winter time and potential energy prices, which is\r\nbasically coming for the whole world.\r\nCyberScoop: Cisco’s Talos threat intelligence unit recently warned companies with connections to Ukraine\r\nto treat the cyberattacks seriously, but also to avoid “panic” and that cybersecurity experts have seen these\r\nkinds of attacks in Ukraine “on and off for years.” Is the activity we’re seeing in recent weeks evidence of\r\nmore attacks than usual, or is the quantity of attacks relatively stable?\r\nZhora: The growth is constant. So each month, we register up to 10% growth of attempts. So it’s the normal way of\r\nthings, and that’s the situation that we need to understand and to try to live with.\r\nJust the same way as we live with constant shooting on the eastern border. It’s absolutely quiet here in Kyiv and\r\n99% of Ukrainian territory, but unfortunately, almost every day or week, we have victims from Ukrainian troops\r\non the east. 
That’s a situation which has lasted for eight years, and nobody knows how many years it will last\r\nmore.\r\nSource: https://www.cyberscoop.com/ukrainian-cyber-attacks-russia-conflict-q-and-a/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyberscoop.com/ukrainian-cyber-attacks-russia-conflict-q-and-a/"
	],
	"report_names": [
		"ukrainian-cyber-attacks-russia-conflict-q-and-a"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/303abb4984a40e9a9832cd4c3e3b82968a1d7b04.pdf",
		"text": "https://archive.orkl.eu/303abb4984a40e9a9832cd4c3e3b82968a1d7b04.txt",
		"img": "https://archive.orkl.eu/303abb4984a40e9a9832cd4c3e3b82968a1d7b04.jpg"
	}
}