On 24 February, our research uncovered that several Ukrainian government websites that were targeted on 23 February by DDoS attacks also subsequently displayed defacement messages in Russian, Ukrainian and Polish. These claimed that material stolen from the victims was being published, linking to a dark web (.onion) domain hosting the data. The defaced websites contained nearly identical graphics to the ones displayed on the Ukrainian government websites that were defaced on 15 January, with the new addition of FreeCivilian’s leak website as “proof” of the leaked data. This wave of defacements comes as Russia escalates its ground invasion of Ukraine, shortly after recognizing the independence of separatist states in the Donbas region.
Despite FreeCivilian’s claim to be an independent cybercriminal, we assess that this operation has likely been conducted or supported by a nation-state actor, because:
- Messages left on defaced websites on 23 February strongly resemble those left on defaced websites on 15 January, which were attributed to UNC1151 and the GRU by the Ukrainian and UK governments respectively.
- The lack of extortion tactics and the publishing of significant amounts of data for free suggest that the actor’s objective is to disrupt Ukrainian government websites regardless of monetisation.
- Metadata from the platform on which the stolen data is hosted shows that files were uploaded as early as 20 February, placing FreeCivilian’s intrusion before the DDoS and wiper malware attacks of 23 February. This may indicate a level of coordination with the actors behind the latter.
Figure 1: Defaced Cabinet Ministers website on 23 February
Figure 2: Dark web portal for FreeCivilian leaks
The onion domain leads to the website of FreeCivilian, who is actively selling and uploading new databases obtained from over 45 government websites. Some of the individual databases are up to 3 TB in size.
According to FreeCivilian, the data includes:
- Data from the government’s digital services
- Scans of passports, driver’s licenses
- Correspondence of government employees
- Data from the health and interior ministries
- Digital services, identification and ticketing documents from the city of Kiev
Figure 3: List of Ukrainian government websites
While we were attempting to download and verify the data, FreeCivilian’s account on the hosting platform was suspended, which hindered our verification process. We will update this post with further details if the data is re-uploaded.
FreeCivilian has previously attempted to sell leaked data obtained from Ukrainian government departments on dark web forums. On 21 January, they claimed to have gained access to over 15 million records. This included personal data obtained from Diia, a digital services app launched in March 2021 by the Ukrainian government.
According to a statement on their website, FreeCivilian tried to sell the stolen data on RaidForums (a popular forum for selling stolen data), but were subsequently banned after forum users claimed the data FreeCivilian offered was fake. This prompted FreeCivilian to establish their own leak website, which we have observed using unusually professional animations, unlike typical information-broker or ransomware leak websites on the dark web.
Figure 4: FreeCivilian’s first thread on RaidForums
Figure 5: Statement on FreeCivilian’s leak website
Figure 6: FreeCivilian’s account remains banned from the dark web forum
FreeCivilian claims that it is publishing the stolen Ukrainian government data to “earning [sic] some reputation as a data seller”, which, in addition to the attempted monetisation of the stolen data, potentially paints the threat actor as a cybercriminal.
Despite this purported intent, several aspects suggest that FreeCivilian is disguising its true intent.
Firstly, the defaced Cabinet of Ministers website (kmu[.]gov[.]ua), which contained a link to their leak website, strongly resembles the defaced websites observed in the 15 January wave of DDoS attacks and defacements targeting Ukrainian government networks. The 15 January attacks were subsequently attributed by the Ukrainian government to UNC1151, a group with alleged ties to the Belarusian state according to Mandiant. The UK government attributed the 15 January attacks to Russia’s GRU on 18 February. It is unclear whether FreeCivilian were behind the 23 February defacements themselves and re-used graphics similar to those of the 15 January attacks, or whether the same actors behind the first attacks simply added a link to a cybercriminal leak website as a false flag.
Secondly, whilst FreeCivilian’s leak website resembles those of Ransomware-as-a-Service (RaaS) groups operating in the region, the lack of extortion tactics and the publishing of 69.27 GB of data for free indicate that this threat actor is determined to damage Ukrainian government departments without providing opportunities to negotiate.
Thirdly, metadata from the platform hosting the leaked data shows that the threat actor uploaded the data as early as 20 February, indicating that these government departments’ networks had been compromised for some time prior to the DDoS attacks and the wiper malware attacks reported by ESET on 23 February.
Figure 8: Metadata on the file hosting platform shows that leaked data was uploaded as early as 20 February
Appendix I: Timeline of events
- 13 January 2022:
- First detection of WhisperGate wiper malware on Ukrainian government networks (MSTIC)
- 14 January 2022:
- 70 Ukrainian government websites suffer from DDoS attacks, with the Ministry of Foreign Affairs’ website defaced to display a message addressing Ukrainian citizens
- 15 January 2022:
- 21 January 2022:
- FreeCivilian advertises data obtained from Diia on the dark web. Diia is the Ukrainian government’s digital services app.
- Late January / Early February:
- Following doubts expressed by forum users, FreeCivilian deletes the thread and sets up a dedicated leak website
- 18 February 2022:
- The UK Government officially attributes the January DDoS attacks to the GRU
- 23 February 2022:
- Ukrainian government websites suffer from a new wave of DDoS attacks. The Cabinet of Ministers’ website is defaced.
- ESET reveals that it detected the use of wiper malware on Ukrainian networks, dubbing the malware “HermeticWiper”.
Appendix II: Full list of websites displayed on FreeCivilian
To ensure consistency when assessing the probability of a potential threat, we use the ‘probability yardstick’ developed by the National Crime Agency’s Professional Head of Intelligence Assessment, a framework for words of estimative probability (WEP) adopted by Orpheus Cyber. The diagram at the end of this report defines the probability ranges considered when this language is used. This terminology is consistent with that used by the UK National Cyber Security Centre.