/Ukraine-Cyber-Operations

Curated Intelligence is working with analysts from around the world to provide useful information to organisations in Ukraine looking for additional free threat intelligence. Slava Ukraini. Glory to Ukraine.

Primary LanguageYARA

logo

Ukraine-Cyber-Operations

Curated Intelligence is working with analysts from around the world to provide useful information to organisations in Ukraine looking for additional free threat intelligence. Slava Ukraini. Glory to Ukraine. (Blog | Twitter | LinkedIn)

timeline

cyberwar

Analyst Comments:

  • 2022-02-25
  • 2022-02-26
  • 2022-02-27
  • 2022-02-28
  • 2022-03-01
    • Additional threat reports and resources have been added
  • 2022-03-02
    • Additional IOCs have been added
    • Added vetted YARA rule collection from the Threat Reports by ETAC
    • Added loosely-vetted IOC Threat Hunt Feeds by KPMG-Egyde CTI (h/t 0xDISREL)
      • IOCs shared by these feeds are LOW-TO-MEDIUM CONFIDENCE we strongly recommend NOT adding them to a blocklist
      • These could potentially be used for THREAT HUNTING and could be added to a WATCHLIST
      • IOCs are generated in MISP COMPATIBLE CSV format
  • 2022-03-03
    • Additional threat reports and vendor support resources have been added
    • Updated Log4Shell IOC Threat Hunt Feeds by KPMG-Egyde CTI; not directly related to Ukraine, but still a widespread vulnerability.
    • Added diagram of Russia-Ukraine Cyberwar Participants 2022 by ETAC
    • Additional IOCs have been added
  • 2022-03-04
    • Additional Threat Hunt Feed for recently registered Ukrainian domain names (h/t DomainTools)
    • Additional Threat Hunt Feed for threat groups targeting Ukraine (h/t RecordedFuture)
  • 2022-03-05
    • Additional threat reports have been added
  • 2022-03-06
  • 2022-03-07
    • Additional Threat Reports have been added
    • Additional IOCs have been added
  • 2022-03-08
    • Additional Threat Reports have been added
    • Additional IOCs have been added
  • 2022-03-09
    • Additional Threat Reports have been added
    • Additional YARA rules have been added
  • 2022-03-14
    • An updated Timeline of attacks has been added
    • Additional Threat Reports have been added
    • Additional IOCs have been added
    • Additional YARA rules have been added
  • 2022-03-15
    • Additional Threat Reports have been added
    • Additional IOCs have been added
  • 2022-03-18
    • Additional Threat Reports have been added
    • Additional IOCs have been added to the master CSV file
    • A new CSV for CERT-UA IOCs specifically has been created - see here
  • 2022-03-19
    • Additional Threat Reports have been added
    • Additional IOCs have been added
  • 2022-03-20
  • 2022-03-21
    • An Additional Threat Report has been added
    • Additional YARA rules have been added
  • 2022-03-23
    • Additional Threat Reports have been added
    • Additional IOCs have been added
  • 2022-03-25
    • Additional Threat Reports have been added
    • Additional IOCs have been added
  • 2022-03-28
    • Additional Threat Reports have been added
    • Additional IOCs have been added
  • 2022-03-30
    • Additional Threat Reports have been added
    • Additional YARA rules have been added
  • 2022-04-01
    • Additional Threat Reports have been added
    • Additional Vendor Support have been added
  • 2022-04-04
    • Additional Threat Reports have been added
    • Additional YARA rules have been added

Threat Reports

Date Source Threat(s) URL
14 JAN SSU Ukraine Website Defacements ssu.gov.ua
15 JAN Microsoft WhisperGate wiper (DEV-0586) microsoft.com
19 JAN Elastic WhisperGate wiper (Operation BleedingBear) elastic.github.io
31 JAN Symantec Gamaredon/Shuckworm/PrimitiveBear (FSB) symantec-enterprise-blogs.security.com
2 FEB RaidForums Access broker "GodLevel" offering Ukrainain algricultural exchange RaidForums [not linked]
2 FEB CERT-UA UAC-0056 using SaintBot and OutSteel malware cert.gov.ua
3 FEB PAN Unit42 Gamaredon/Shuckworm/PrimitiveBear (FSB) unit42.paloaltonetworks.com
4 FEB Microsoft Gamaredon/Shuckworm/PrimitiveBear (FSB) microsoft.com
8 FEB NSFOCUS Lorec53 (aka UAC-0056, EmberBear, BleedingBear) nsfocusglobal.com
15 FEB CERT-UA DDoS attacks against the name server of government websites as well as Oschadbank (State Savings Bank) & Privatbank (largest commercial bank). False SMS and e-mails to create panic cert.gov.ua
23 FEB The Daily Beast Ukrainian troops receive threatening SMS messages thedailybeast.com
23 FEB UK NCSC Sandworm/VoodooBear (GRU) ncsc.gov.uk
23 FEB SentinelLabs HermeticWiper sentinelone.com
24 FEB ESET HermeticWiper welivesecurity.com
24 FEB Symantec HermeticWiper, PartyTicket ransomware, CVE-2021-1636, unknown webshell symantec-enterprise-blogs.security.com
24 FEB Cisco Talos HermeticWiper blog.talosintelligence.com
24 FEB Zscaler HermeticWiper zscaler.com
24 FEB Cluster25 HermeticWiper cluster25.io
24 FEB CronUp Data broker "FreeCivilian" offering multiple .gov.ua twitter.com/1ZRR4H
24 FEB RaidForums Data broker "Featherine" offering diia.gov.ua RaidForums [not linked]
24 FEB DomainTools Unknown scammers twitter.com/SecuritySnacks
25 FEB @500mk500 Gamaredon/Shuckworm/PrimitiveBear (FSB) twitter.com/500mk500
25 FEB @500mk500 Gamaredon/Shuckworm/PrimitiveBear (FSB) twitter.com/500mk500
25 FEB Microsoft HermeticWiper gist.github.com
25 FEB 360 NetLab DDoS (Mirai, Gafgyt, IRCbot, Ripprbot, Moobot) blog.netlab.360.com
25 FEB Conti [themselves] Conti ransomware, BazarLoader Conti News .onion [not linked]
25 FEB CoomingProject [themselves] Data Hostage Group CoomingProject Telegram [not linked]
25 FEB CERT-UA UNC1151/Ghostwriter (Belarus MoD) CERT-UA Facebook
25 FEB Sekoia UNC1151/Ghostwriter (Belarus MoD) twitter.com/sekoia_io
25 FEB @jaimeblascob UNC1151/Ghostwriter (Belarus MoD) twitter.com/jaimeblasco
25 FEB RISKIQ UNC1151/Ghostwriter (Belarus MoD) community.riskiq.com
25 FEB MalwareHunterTeam Unknown phishing twitter.com/malwrhunterteam
25 FEB ESET Unknown scammers twitter.com/ESETresearch
25 FEB BitDefender Unknown scammers blog.bitdefender.com
25 FEB SSSCIP Ukraine Unkown phishing twitter.com/dsszzi
25 FEB RaidForums Data broker "NetSec" offering FSB (likely SMTP accounts) RaidForums [not linked]
25 FEB Zscaler PartyTicket decoy ransomware zscaler.com
25 FEB INCERT GIE Cyclops Blink, HermeticWiper linkedin.com [Login Required]
25 FEB Proofpoint UNC1151/Ghostwriter (Belarus MoD) twitter.com/threatinsight
25 FEB @fr0gger_ HermeticWiper capabilities Overview twitter.com/fr0gger_
25 FEB Netskope HermeticWiper analysis netskope.com
26 FEB BBC Journalist A fake Telegram account claiming to be President Zelensky is posting dubious messages twitter.com/shayan86
26 FEB CERT-UA UNC1151/Ghostwriter (Belarus MoD) CERT_UA Facebook
26 FEB MHT and TRMLabs Unknown scammers, linked to ransomware twitter.com/joes_mcgill
26 FEB US CISA WhisperGate wiper, HermeticWiper cisa.gov
26 FEB Bloomberg Destructive malware (possibly HermeticWiper) deployed at Ukrainian Ministry of Internal Affairs & data stolen from Ukrainian telecommunications networks bloomberg.com
26 FEB Vice Prime Minister of Ukraine IT ARMY of Ukraine created to crowdsource offensive operations against Russian infrastructure twitter.com/FedorovMykhailo
26 FEB Yoroi HermeticWiper yoroi.company
27 FEB LockBit [themselves] LockBit ransomware LockBit .onion [not linked]
27 FEB ALPHV [themselves] ALPHV ransomware vHUMINT [closed source]
27 FEB Mēris Botnet [themselves] DDoS attacks vHUMINT [closed source]
28 FEB Horizon News [themselves] Leak of China's Censorship Order about Ukraine techarp.com
28 FEB Microsoft FoxBlade (aka HermeticWiper) blogs.microsoft.com
28 FEB @heymingwei Potential BGP hijacks attempts against Ukrainian Internet Names Center twitter.com/heymingwei
28 FEB @cyberknow20 Stormous ransomware targets Ukraine Ministry of Foreign Affairs twitter.com/cyberknow20
1 MAR ESET IsaacWiper and HermeticWizard welivesecurity.com
1 MAR Proofpoint Ukrainian armed service member's email compromised and sent malspam containing the SunSeed malware (likely TA445/UNC1151/Ghostwriter) proofpoint.com
1 MAR Elastic HermeticWiper elastic.github.io
1 MAR CrowdStrike PartyTicket (aka HermeticRansom), DriveSlayer (aka HermeticWiper) CrowdStrike
2 MAR Zscaler DanaBot operators launch DDoS attacks against the Ukrainian Ministry of Defense zscaler.com
2 MAR Infoblox Ukrainian Support Fraud blogs.infoblox.com
2 MAR Trellix Digging into HermeticWiper trellix.com
2 MAR Port Swigger Ukraine invasion: WordPress-hosted university websites hacked in ‘targeted attacks’ portswigger.net
3 MAR @ShadowChasing1 Gamaredon/Shuckworm/PrimitiveBear (FSB) twitter.com/ShadowChasing1
3 MAR @vxunderground News website in Poland was reportedly compromised and the threat actor uploaded anti-Ukrainian propaganda twitter.com/vxunderground
3 MAR @kylaintheburgh Russian botnet on Twitter is pushing "#istandwithputin" and "#istandwithrussia" propaganda (in English) twitter.com/kylaintheburgh
3 MAR @tracerspiff UNC1151/Ghostwriter (Belarus MoD) twitter.com
3 MAR Trustwave Gorenie Fundraising Email Scams trustwave.com
3 MAR Trend Micro Prominent Cyber Attacks in Russia-Ukraine Conflict trendmicro.com
3 MAR U.S. DoT Press Releases: Treasury Sanctions Russians Bankrolling Putin and Russia-Backed Influence Actors treasury.gov
3 MAR Microsoft MSTIC DEV-0586 (aka WhisperGate), DEV-0665 (aka FoxBlade/HermeticWizard/HermeticWiper), SonicVote (aka HermeticRansom & PartyTicket), Lasainraw (aka IsaacWiper) twitter.com/MalwareRE
4 MAR Interfax CERT-UA warns about mass mailings of malicious software interfax.com.ua
4 MAR eln0ty HermeticWiper/FoxBlade Analysis (in-depth) eln0ty.github.io
4 MAR Mandiant Sandworm, UNC2589 (aka Lorec53/UAC-0056/EmberBear), UNC3715 (aka DEV-0665/HermeticWiper), and potentially TEMP.Isotope (aka BerserkBear/EnergeticBear/Dragonfly) mandiant.com
5 MAR SSSCIP Ukraine Russian DDos attacks (100 Gbps at their peak) primarily aimed at the resources of Verkhovna Rada, Cabinet of Ministers, President of Ukraine, Defense Ministry and Internal Affairs Ministry twitter.com/dsszzi
6 MAR @shakirov2036 Notice Russian Government Websites To move to domestic hosting thread twitter.com/shakirov2036
7 MAR ReverseMode SATCOM terminals under attack in Europe: plausible analysis reversemode.com
7 MAR Google TAG FancyBear (aka APT28) targeted users of UkrNet (a Ukrainian media company), Ghostwriter (aka UNC1151), Mustang Panda (aka Temp.Hex), DDoS attacks blog.google
7 MAR CERT-UA UAC-0051 (aka UNC1151), MicroBackdoor, CVE-2019-0541 cert.gov.ua
8 MAR Cluster25 UNC1151/Ghostwriter (Belarus MoD) cluster25.io
8 MAR Trend Micro RURansom - a data wiper targeting Russian organizations trendmicro.com
9 MAR ReversingLabs HermeticWiper and IsaacWiper blog.reversinglabs.com
11 MAR CERT-UA UAC-0056 (aka Lorec53, EmberBear) push fake antivirus updates containing Cobalt Strike Beacons, GrimImplant, and GraphSteel malspam against state authorities of Ukraine cert.gov.ua
11 MAR Infosec Magazine pro-Ukrainian actors should be wary of downloading DDoS tools to attack Russia, as they may be booby-trapped with info-stealing malware infosecurity-magazine.com
11 MAR @cyberknow20 "Xahnet" shared a video they allegedly left a message and defaced the main page of Ukraine's capital bank [unvalidated] twitter.com/cyberknow20
13 MAR Spiegel German Anonymous hacktivists target Rosneft Germany, allegedly stole 20TB of data, deleted 59 Apple devices remotely, and left "Slava Ukraini" on wiped systems spiegel.de
13 MAR BeeHive Twitter user "BeeHive" allegedly exploited a vulnerability in the open-source ADS-B radar reporting feeds and digital transponders to manipulate Russian airlines, causing Aeroflot planes to erroneously squawk "7700" (for emergencies) and display anti-Russian callsigns on flight radars twitter.com/BeeHiveCyberSec
14 MAR Cisco Talos Opportunistic cybercriminals take advantage of Ukraine invasion blog.talosintelligence.com
14 MAR ESET Another wiper was discovered targeting Ukraine, dubbed CaddyWiper, which was delivered via GPO, indicating the adversary had prior control of the target's network beforehand. CaddyWiper is seeminginly not connected to other the wipers targeting Ukraine, including Whispergate, HermeticWiper, or IsaacWiper twitter.com/ESETresearch
15 MAR VICE The Security Service of Ukraine (SBU) detained a “hacker” who provided assistance to Russian troops in Ukraine by routing phone calls on their behalf, and sent text messages to Ukrainian security forces suggesting they surrender vice.com
15 MAR SentinelOne Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software sentinelone.com/blog
16 MAR CERT-UA QR code phishing posing as UKR.NET linked to UAC-0028 group (APT28/FancyBear/GRU) cert.gov.ua
17 MAR CERT-UA UAC-0020 (Vermin) cyberattack on Ukrainian state organizations using the SPECTR malware, whose activities are associated with the so-called security agencies of the so-called "Luhansk People's Republic" cert.gov.ua
18 MAR CERT-UA UAC-0035 (InvisiMole) cyberattack on State Organizations of Ukraine cert.gov.ua
22 MAR CERT-UA UAC-0088 deploys DoubleZero wiper cert.gov.ua
22 MAR CERT-UA UAC-0026 cyberattack using HeaderTip malware, linked to Scarab APT cert.gov.ua
23 MAR Interfax UA Datagroup, a provider of fiber-optic infrastructure and digital services, resolved more than 350 DDoS attacks on the country's telecommunications network during the month of the war. The largest attack was 103.6 Gbps, 28.0 Mpps; the most powerful attack was 27.6 Gbps, 43.0 Mpps; the longest attack was 24 days. interfax.com.ua
23 MAR BalkanInsight Croatian police are probing the hacking of the ‘Slobodna Dalmacija’ website, where hackers replaced content with pro-Russian articles on Ukraine. “Western Deception Machine”, “Which Side Are You On?”, and “The United States of America Admitted They Have Hidden Laboratories in Ukraine”, are just some of the fake articles that the hackers posted online. balkaninsight.com
23 MAR CERT-UA UAC-0051 group (UNC1151/GhostWriter), Cobalt Strike Beacons cert.gov.ua
24 MAR SentinelOne Ukraine CERT (CERT-UA) has released new details on UAC-0026, which SentinelLabs confirms is associated with the suspected Chinese threat actor known as Scarab. Scarab has conducted a number of campaigns over the years, making use of a custom backdoor originally known as Scieron, which may be the predecessor to HeaderTip. sentinelone.com
24 MAR Lab52 Quasar RAT spear-phishing campaign lab52.io
25 MAR SSSCIP Ukraine Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22 cip.gov.ua
25 MAR SSSCIP Ukraine Statistics of Cyber Attacks on Ukrainian Critical Information Infrastructure: 15-22 March cip.gov.ua
26 MAR @n0p Analysis of a Caddy Wiper Sample n0p.me
28 MAR CERT-UA Cyberattack on Ukrainian state authorities using pseudoSteel malware linked to UAC-0010 (Armageddon/Gamaredon) cert.gov.ua
28 MAR Cyber, etc Ukraine's largest fix-line telecommunications operator hit by cyber attack Cyber, etc
28 MAR SSSCIP Ukraine Cyberattack against Ukrtelecom IT-infrastructure and recovery twitter.com/ dsszzi
28 MAR CERT-UA GraphSteel and GrimPlant, UAC-0056 cert.gov.ua
29 MAR Newsweek U.S. Airport hit with Cyberattack over Ukraine Newsweek
29 MAR ZDnet The Security Service of Ukraine (SBU) has destroyed five "enemy" bot farms engaged in activities to frighten Ukrainian citizens. In a March 28 release, the SBU said that the bot farms had an overall capacity of at least 100,000 accounts spreading misinformation and fake news surrounding Russia's invasion of Ukraine zdnet.com
30 MAR Viasat Viasat is providing an overview and incident report on the cyber-attack against the KA-SAT network, which occurred on 24 February 2022, and resulted in a partial interruption of KA-SAT's consumer-oriented satellite broadband service. viasat.com
30 MAR CrowdStrike EMBER BEAR (aka UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, Saint Bear) crowdstrike.com
30 MAR CERT-UA MarsStealer, UAC-0041 cert.gov.ua
30 MAR Google TAG Curious Gorge (APT from China), COLDRIVER (APT from Russia), Ghostwriter (APT from Belarus) blog.google
30 MAR Viasat KA-SAT Network cyber attack overview viasat.com
30 MAR InQuest CloudAtlas APT group linked to a maldoc impersonating the United States Securities and Exchange Commission inquest.net
31 MAR ReverseMode VIASAT incident: from speculation to technical details reversemode.com
31 MAR SentinelLabs AcidRain IoT Wiper (ELF MIPS), connected to the VPNFilter stage 3 destructive plugin sentinelone.com
1 APR Malwarebytes UAC-0056 (aka SaintBear, UNC2589 and TA471) is a cyber espionage actor that has been active since early 2021 and has mainly targeted Ukraine and Georgia blog.malwarebytes.com
3 APR me Low-detect BlackGuard infostealer uploaded to AnyRun from Ukraine twitter.com/BushidoToken
4 APR CERT-UA UAC-0010 (Armageddon) cyberattack on Ukrainian state organizations, phishing w/ RAR -> HTA -> VBS cert.gov.ua

Access Brokers

Date Threat(s) Source
23 JAN Access broker "Mont4na" offering UkrFerry RaidForums [not linked]
23 JAN Access broker "Mont4na" offering PrivatBank RaidForums [not linked]
24 JAN Access broker "Mont4na" offering DTEK RaidForums [not linked]
27 FEB KelvinSecurity Sharing list of IP cameras in Ukraine vHUMINT [closed source]
28 FEB "w1nte4mute" looking to buy access to UA and NATO countries (likely ransomware affiliate) vHUMINT [closed source]

Data Brokers

Threat Actor Type Observation Validated Relevance Source
aguyinachair UA data sharing PII DB of ukraine.com (shared as part of a generic compilation) No TA discussion in past 90 days ELeaks Forum [not linked]
an3key UA data sharing DB of Ministry of Communities and Territories Development of Ukraine (minregion[.]gov[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
an3key UA data sharing DB of Ukrainian Ministry of Internal Affairs (wanted[.]mvs[.]gov[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
CorelDraw UA data sharing PII DB (40M) of PrivatBank customers (privatbank[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
CorelDraw UA data sharing DB of "border crossing" DBs of DPR and LPR No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
CorelDraw UA data sharing PII DB (7.5M) of Ukrainian passports No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
CorelDraw UA data sharing PII DB of Ukrainian car registration, license plates, Ukrainian traffic police records No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
CorelDraw UA data sharing PII DB (2.1M) of Ukrainian citizens No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
CorelDraw UA data sharing PII DB (28M) of Ukrainian citizens (passports, drivers licenses, photos) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
CorelDraw UA data sharing PII DB (1M) of Ukrainian postal/courier service customers (novaposhta[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
CorelDraw UA data sharing PII DB (10M) of Ukrainian telecom customers (vodafone[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
CorelDraw UA data sharing PII DB (3M) of Ukrainian telecom customers (lifecell[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
CorelDraw UA data sharing PII DB (13M) of Ukrainian telecom customers (kyivstar[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
danieltx51 UA data sharing DB of Ministry of Foreign Affairs of Ukraine (mfa[.]gov[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
DueDiligenceCIS UA data sharing PII DB (63M) of Ukrainian citizens (name, DOB, birth country, phone, TIN, passport, family, etc) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
Featherine UA data sharing DB of Ukrainian 'Diia' e-Governance Portal for Ministry of Digital Transformation of Ukraine No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
FreeCivilian UA data sharing DB of Ministry for Internal Affairs of Ukraine public data search engine (wanted[.]mvs[.]gov[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
FreeCivilian UA data sharing DB of Ministry for Communities and Territories Development of Ukraine (minregion[.]gov[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
FreeCivilian UA data sharing DB of Motor Insurance Bureau of Ukraine (mtsbu[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
FreeCivilian UA data sharing PII DB of Ukrainian digital-medicine provider (medstar[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
FreeCivilian UA data sharing DB of ticket.kyivcity.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of id.kyivcity.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of my.kyivcity.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of portal.kyivcity.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of anti-violence-map.msp.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of dopomoga.msp.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of e-services.msp.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of edu.msp.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of education.msp.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of ek-cbi.msp.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of mail.msp.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of portal-gromady.msp.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of web-minsoc.msp.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of wcs-wim.dsbt.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of bdr.mvs.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of motorsich.com No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of dsns.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of mon.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of minagro.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of zt.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of kmu.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of mvs.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of dsbt.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of forest.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of nkrzi.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of dabi.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of comin.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of dp.dpss.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of esbu.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of mms.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of mova.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of mspu.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of nads.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of reintegration.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of sies.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of sport.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of mepr.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of mfa.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of va.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of mtu.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of cg.mvs.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of ch-tmo.mvs.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of cp.mvs.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of cpd.mvs.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of hutirvilnij-mrc.mvs.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of dndekc.mvs.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of visnyk.dndekc.mvs.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of dpvs.hsc.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of odk.mvs.gov.ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of e-driver[.]hsc[.]gov[.]ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of wanted[.]mvs[.]gov[.]ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of minregeion[.]gov[.]ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of health[.]mia[.]solutions No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of mtsbu[.]ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of motorsich[.]com No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of kyivcity[.]com No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of bdr[.]mvs[.]gov[.]ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of gkh[.]in[.]ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of kmu[.]gov[.]ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of mon[.]gov[.]ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of minagro[.]gov[.]ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
FreeCivilian UA data sharing DB of mfa[.]gov[.]ua No TA discussion in past 90 days FreeCivilian .onion [not linked]
Intel_Data UA data sharing PII DB (56M) of Ukrainian Citizens No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
Kristina UA data sharing DB of Ukrainian National Police (mvs[.]gov[.]ua) No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
NetSec UA data sharing PII DB (53M) of Ukrainian citizens No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
Psycho_Killer UA data sharing PII DB (56M) of Ukrainian Citizens No TA discussion in past 90 days Exploit Forum .onion [not linked]
Sp333 UA data sharing PII DB of Ukrainian and Russian interpreters, translators, and tour guides No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
Vaticano UA data sharing DB of Ukrainian 'Diia' e-Governance Portal for Ministry of Digital Transformation of Ukraine [copy] No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]
Vaticano UA data sharing DB of Ministry for Communities and Territories Development of Ukraine (minregion[.]gov[.]ua) [copy] No TA discussion in past 90 days RaidForums [not linked; site hijacked since UA invasion]

Vendor Support

Vendor Offering URL
Dragos Access to Dragos service if from US/UK/ANZ and in need of ICS cybersecurity support twitter.com/RobertMLee
GreyNoise Any and all Ukrainian emails registered to GreyNoise have been upgraded to VIP which includes full, uncapped enterprise access to all GreyNoise products. There is a landing page for GreyNoise data at https://www.greynoise.io/viz/pulse twitter.com/Andrew___Morris
Recorded Future Providing free intelligence-driven insights, perspectives, and mitigation strategies as the situation in Ukraine evolves recordedfuture.com
Flashpoint Free Access to Flashpoint’s Latest Threat Intel on Ukraine go.flashpoint-intel.com
ThreatABLE A Ukraine tag for free threat intelligence feed that's more highly curated to cyber twitter.com/threatable
Orange IOCs related to Russia-Ukraine 2022 conflict extracted from our Datalake Threat Intelligence platform. github.com/Orange-Cyberdefense
FSecure F-Secure FREEDOME VPN is now available for free in all of Ukraine twitter.com/FSecure
Multiple vendors List of vendors offering their services to Ukraine for free, put together by @chrisculling docs.google.com/spreadsheets
Mandiant Free threat intelligence, webinar and guidance for defensive measures relevant to the situation in Ukraine. mandiant.com
Starlink Satellite internet constellation operated by SpaceX providing satellite Internet access coverage to Ukraine twitter.com/elonmusk
Romania DNSC Romania’s DNSC – in partnership with Bitdefender – will provide technical consulting, threat intelligence and, free of charge, cybersecurity technology to any business, government institution or private citizen of Ukraine for as long as it is necessary. Romania's DNSC Press Release
BitDefender Access to Bitdefender technical consulting, threat intelligence and both consumer and enterprise cybersecurity technology bitdefender.com/ukraine/
NameCheap Free anonymous hosting and domain name registration to any anti-Putin anti-regime and protest websites for anyone located within Russia and Belarus twitter.com/Namecheap
Avast Free decryptor for PartyTicket ransomware decoded.avast.io
Recorded Future Insikt Group’s list of indicators of compromise associated with threat actors and malware related to the Russian cyber actions against Ukraine recordedfuture.com
CybelAngel CybelAngel offers its services to interested NGOs active in the war at no cost, to minimize the risks of their missions being interrupted by cyber attacks. CybelAngel also offers Ukrainian companies an assessment of their digital exposure in the region at no charge. cybelangel.com
Malware Patrol Free 6 months DNS Firewall service subscription for Ukraine-based companies and goverment entities www.linkedin.com
UnderDefense UnderDefense is providing Managed Detection & Response services and incident repsonse support for Ukrainian critical infrastructure & government consulting in cybersecurity underdefense.com

Vetted OSINT Sources

Handle Affiliation
@KyivIndependent English-language journalism in Ukraine
@IAPonomarenko Defense reporter with The Kyiv Independent
@KyivPost English-language journalism in Ukraine
@Shayan86 BBC World News Disinformation journalist
@Liveuamap Live Universal Awareness Map (“Liveuamap”) independent global news and information site
@DAlperovitch The Alperovitch Institute for Cybersecurity Studies, Founder & Former CTO of CrowdStrike
@COUPSURE OSINT investigator for Centre for Information Resilience
@netblocks London-based Internet's Observatory

Miscellaneous Resources

Source URL Content
PowerOutages.com https://poweroutage.com/ua Tracking PowerOutages across Ukraine
Monash IP Observatory https://twitter.com/IP_Observatory Tracking IP address outages across Ukraine
Project Owl Discord https://discord.com/invite/projectowl Tracking foreign policy, geopolitical events, military and governments, using a Discord-based crowdsourced approach, with a current emphasis on Ukraine and Russia
russianwarchatter.info https://www.russianwarchatter.info/ Known Russian Military Radio Frequencies
UT CREEES https://liberalarts.utexas.edu/slavic/resources/ukraine-conflict-resources.php Compiled resources to help understand the Russian invasion of Ukraine, with links to resources, action items, and academic sources

Note:

Curated Intel does not support, encourage, partake, or condone hacking, attacking or targeting users of any kind. This information is clearly meant to help cybersecurity teams supporting Ukraine still doing their jobs while dealing with the Russian invasion.