Ukraine’s state registers hit with one of Russia’s largest cyberattacks, officials say

Suspected Russian hackers have launched one of the largest cyberattacks on Ukraine’s state services in recent months, according to a statement from Ukrainian officials late Thursday.

The attack targeted Ukrainian state registers, which store various types of official records, including citizens' biometric data, business records, property ownership, real estate transactions, legal and court decisions, voter information, tax records and permits.

Access to the registers was temporarily suspended for security reasons following the attack, said the Ministry of Justice, which manages around 60 state databases. The ministry attributed the disruption to a failure in the network infrastructure supporting the databases.

The country’s cyber agencies are currently investigating the attack. Ukrainian Deputy Prime Minister for European and Euro-Atlantic Integration, Olga Stefanishyna, stated that it would take about two weeks to restore access to the most critical registers, including those storing citizens' personal data and information about legal entities and property rights.

"It is now clear that the attack was carried out by the Russians with the aim of disrupting the operation of the country's critical infrastructure,” Stefanishyna said. “The enemy is attempting to use this situation in its information operations to sow panic among Ukrainian citizens and abroad."

Ukraine’s state security service (SBU) suspects that Russian hackers linked to the country’s military intelligence service (GRU) are behind the attack. Among the threat actors with suspected ties to the GRU is Sandworm, a group responsible for major cyberattacks targeting Ukraine, including the 2023 hack of Ukraine’s largest telecom operator, Kyivstar.

Volodymyr Karastelov, the acting head of the SBU's cybersecurity department, said during a press conference on Friday that the hackers likely spent several months preparing the attack on the state registers.

Claims by XakNet

On Thursday, the pro-Russian group XakNet claimed responsibility for the attack on their channel on the Telegram messaging app. The hackers said they managed to infiltrate the Ministry of Justice's infrastructure through a contractor that runs the registers, the state enterprise National Information Systems (NAIS).

XakNet stated it had stolen a large volume of data from the registers and deleted both the primary databases and backup copies stored on servers in Poland. Stefanishyna confirmed that Ukraine indeed stores data from the registers in different locations. Given the scale of the hack, the servers in other countries could be affected, she said but refused to elaborate further.

XakNet calls itself a hacktivist collective. In May 2022, the group claimed responsibility for an attack on Ukraine’s media group, Ukraine 24, replacing programming on its TV channels with a fake message claiming that Ukraine’s President Volodymyr Zelensky had surrendered to the Russians.

Russia is known for using so-called hacktivists to disguise the operations of its state hackers and complicate attribution. For example, the attack on Kyivstar was initially claimed by Russian self-proclaimed hacktivist groups Killnet and Solntsepek but was later attributed by Ukraine to Russia’s military intelligence.

Nationwide disruptions

The disruption of state registers could lead to delays in personal and business-related processes and expose vulnerabilities that attackers might exploit for further malicious activities. The attack could also paralyze the work of notaries, as well as buyers and sellers of the property who rely on state registers for their operations, several Ukrainian cyber experts told Recorded Future News.

Karastelov said that he cannot confirm nor deny whether the data was leaked from the state registers due to the attack, as the investigation is still ongoing. He confirmed, however, that all the data from the registers is safe and will be restored, as the operator has backups. The restoration process is set to begin on Monday, according to Stefanishyna.

During a press conference on Friday, she stated that while access to the registers is suspended, the maintenance of citizens' vital records — such as birth certificates, marriage licenses, separation agreements, divorce certificates and death certificates — will temporarily be handled on paper.

Stefanishyna claimed that the attack did not affect other Ukrainian state systems. However, some Ukrainian tech services that rely on data from the registers took preventive measures to protect their systems, and temporarily suspended or restricted their operations.

For example, the operation of Ukraine’s military app, Reserve+, which serves as an electronic military registration document, was disrupted on Thursday, according to Ukraine’s Ministry of Defense.

Ukraine’s e-government app, Diia, used by over 21 million citizens, temporarily shut down dozens of services, including business and property registration, child benefits payments, marriage applications, and disability assistance for children.

The country’s digital ministry explained in a statement that these services use data from state registers, making them unavailable while the databases are being restored.

Ukraine is considering prosecuting the attack on the state registers as a war crime, according to Karastelov. Previously, the SBU stated that it was building a case to prosecute Russian hackers behind the attack on Kyivstar at the International Criminal Court in The Hague.

Ukraine’s State Service for Special Communications and Information Protection (SSSCIP) declined to comment on the attack.

"The Russian hackers' attack on the information systems of Ukraine's Ministry of Justice has once again clearly shown us that cyberspace is just as much a battlefield as any other domain," the agency’s head, Oleksandr Potii, said in a statement on Facebook. He did not provide any details about the incident.