Ukraine Crisis Resource Center

Mandiant believes the Russian invasion of Ukraine has increased the cyber threat to our customers and community. Mandiant has created a task force and initiated a Global Event to track this situation and provide updated insights and guidance to our customers.

See the Latest Threat Analysis

Mandiant is committed to supporting our customers and community affected by the Russian invasion of Ukraine. We have seen significant cyber threat activity and are urging defenders to remain vigilant. Our intelligence and expertise are available to assist organizations with proactive measures.

Special Report

Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape

One year since Russia invaded Ukraine, we continue to see cyber operations play a prominent role in the war. To provide more insights into the role of cyber, we released a special report based on analysis from Google’s Threat Analysis Group (TAG), Mandiant, now part of Google Cloud, and Google Trust & Safety. The report encompasses new findings, and retrospective insights, across government-backed attackers, information operations (IO) and cybercriminal ecosystem threat actors. It also includes threat actor deep dives focused on specific campaigns from 2022.

Special Briefing

Anticipating and Preparing for Russian Cyber Activity

Alongside the continued tensions between Russia and Ukraine is the potential for increased cyber threat activity. Given historical Russian campaigns against Ukrainian and western targets, what might such activity look like now? Understand how these threats might evolve in the near future and how organizations can harden their infrastructure against destructive attacks. In particular this briefing covers:  

  • An overview of the Russian cyber capability, including actors who are likely to be employed currently and in future operations. 
  • The targeting and TTPs to watch for from some of the notable threat clusters, such as Sandworm Team. 
  • A close look at aggressive cyberattack and information operations which are more likely in the event of conflict. 
  • Steps organizations can proactively take to harden their environment against destructive attacks. 

Presenters: Join John Hultquist, Vice President – Mandiant Threat Intelligence and Matthew McWhirt, Managing Director – Mandiant Consulting 


Linux Endpoint Hardening to Protect Against Malware and Destructive Attacks

Linux is becoming a prime target because it is used as the operating system for basic household items up to critical infrastructure. This paper provides recommendations to protect Linux endpoints from adversarial abuse.

Distributed Denial of Service (DDoS) Protection Recommendations 

As the crisis escalates so does the potential of DDoS attacks. This guide outlines the different types of DDoS events and the protection recommendations.

Proactive Preparation and Hardening to Protect Against
Destructive Attacks

Our latest paper includes hardening and detection guidance to protect against a destructive attack or other security incident within your environment.

How Mandiant Can Help

Mandiant provides numerous offerings to help address the potential threat activity associated with the Russian invasion of Ukraine.

finger on keyboard

Actions to take now:

Stay on top of the evolving situation and associated threats with a free Mandiant Advantage Threat Intelligence subscription.

Identify evidence of past or ongoing attack activity with a compromise assessment. The threat hunt will provide insight into attacker attribution and motivation so organizations know if they are being targeted.

Stop emerging threats before they impact your IT or OT environments with monitoring, proactive threat hunting and response provided by Managed Defense experts specializing in IT-OT security. 

Prepare Your Defenses

✓ See how your organization looks to Russian attackers with free
Attack Surface Management to quickly find infrastructure, applications, cloud instances, and data that might be vulnerable across your attack surface and then take action to secure it. 

✓ Know whether your critical data is at risk and how easily it may be obtained by a malicious actor with a Red Team Assessment. The Mandiant red team uses any non-destructive methods necessary to accomplish a set of jointly agreed upon mission objectives while simulating attacker behavior. 

✓ Learn the Fundamentals of Industrial Control Systems (ICS) Security with expert training provided through Mandiant Academy. 

✓  Harden your ICS/OT environment with Penetration Testing and Healthchecks: Systematically test your environment to identify ICS and OT security vulnerabilities, misconfigurations, flaws and threats specific to your industrial process. 

✓ Quickly test your environment for security effectiveness against Russian threat actors TTPs associated with recent Russia/Ukraine cyber activity with Security Validation. Validation Security Content Packs are available now to all Validation customers and continuously updated as more intelligence becomes available.  

Respond to an Attack

✓ Automatically detect IOCs of Russian threat actors (like Sandworm, APT 28, and TEMP.Armageddon) with Automated Defense.  Automated Defense supports different operational technology security controls, as well as traditional cybersecurity tools.  


✓ Minimize the impact of an attack and reduce incident response time and minimize the impact of a security incident with an Incident Response Retainer and the Incident Response Preparedness Service. Mandiant teams include ICS/OT specialists to respond to incidents in these environments. 



Mandiant Advantage Threat Intelligence Reports


UNC2589 Targets Ukrainian Energy Infrastructure and Government Agencies
UNC2589 likely targeted Ukrainian energy infrastructure and government agencies using police and medical related lure material.

*Free Access


GOOSECHASE, FINETIDE, and MARSSTEALER Leveraged Against Transportation and Government Industries in Europe; Possible Link to UNC2589
In mid-February 2022, Mandiant Threat Intelligence uncovered a new spear-phishing campaign targeting the government and civil aviation industries in Europe. In addition to using the publicly available GOOSECHASE downloader and FINETIDE payload, this campaign deployed MARSSTEALER, a commercially available credential stealer.


*Paid Subscription


Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
Mandiant Threat Intelligence assesses with moderate confidence that Russia will conduct additional destructive or disruptive cyber attacks connected to the crisis in Ukraine. Russian cyber attacks almost certainly will focus first on Ukraine, with Western/NATO allies also being possible targets.

*Free Access


TEMP.Armageddon Continues Campaigns Targeting Ukraine
Mandiant Threat Intelligence identified additional malicious macro documents and LNK files associated with TEMP.Armageddon

*Free Access



New Master Boot Record Wiper Targets Ukraine, Defacements of Ukrainian Government Websites.

*Paid Subscription



UNC2452 Targets European Diplomatic Entities with New Downloaders BEATDROP and BOOMMIC to Deploy BEACON

*Free Access



Ukrainian Government Websites Defaced with Threatening Messages, No Claimed Attribution 
Report on defacement of Ukrainian government websites 

*Free Access


Ukraine's Exposure of Alleged TEMP.Armageddon Actors Unlikely to Significantly Alter Its Cyber Espionage Activity Against Ukraine 
Summary of Mandiant reporting on TEMP.Armageddon, alongside SBU (Ukrainian) public indictment of Armageddon actors 

*Paid Subscription


Cyber Operations Likely Part of Any Escalation Against Ukraine 
Historical context regarding Russian cyber attacks against Ukraine and other nations. 

*Paid Subscription


Polish Entity Targeted with MICROBACKDOOR Variant

*Free Access


Cyber Threat Actors Announce Threats and Attacks Against Critical Infrastructure in Response to Russia/Ukraine Conflict
In response to the Russia/Ukraine conflict, various cyber threat actor groups have been announcing sides and possible threats of action against various parties. Mandiant Threat Intelligence observed some activity with implications for critical infrastructure and operational technology (OT).

*Free Access


Threat Activity Alert: Suspected UNC1151 Activity Targeting Ukrainian Government Using MICROBACKDOOR and Bombardment Sheltering Guideline Lure
Mandiant Threat Intelligence discovered new activity targeting Ukrainian government entities using MICROBACKDOOR and a lure titled “What to do? During artillery shelling by volley fire systems.”

*Paid Subscription


NEARMISS, New Master Boot Record Wiper Targets Ukraine, Defacements of Ukrainian Government Websites
On Feb. 23, a new wiper malware was deployed against multiple targets in Ukraine. Mandiant is tracking this malware as NEARMISS. The malware wipes the master boot record (MBR) of the computer it is executed on, rendering it inoperable.

*Free Access


TEMP.Armageddon Likely Targets Ukrainian Government Officials with Russia-Ukraine Conflict-Themed Lure Content Mandiant Threat Intelligence uncovered a TEMP.Armageddon campaign leveraging lure message content related to the ongoing Russian invasion of Ukraine against what are likely Ukrainian government officials.

*Free Access


Threat Activity Alert: Hacktivist Actor 'CyberPartisans' Claimed to Compromise the ODS Database of Belarus’ Ministry of Internal Affairs 
Translated hacktivist group's message lists officials and their involvement. 

*Paid Subscription


Pro-Russian 'Secondary Infektion' Operations Promote Narratives Targeting Ukraine Amid Russian Military Escalation
Pro-Russian influence campaign targets Ukraine in an effort to undermine Ukrainian and Russian relations as well as negatively impact Ukrainian public opinion of Germany and Poland.

*Paid Subscription


Threat Activity Alert: Cyber Attack On Ukrainian Government Sites 
Details on affected victim sites and researcher comments regarding the operation. 

*Paid Subscription



Cyber Operations Likely Part of Any Escalation Against Ukraine
Mandiant Threat Intelligence is monitoring the escalating tension between Ukraine and Russia and looking for reflections of increased cyber threat activity from Russian state-sponsored actors as a result.

*Free Access


Documents Exploiting Remote Template Injection Target Moldova, Austria, Malaysia, India, and Ukraine; Weak Links to Previous Russia-Nexus Activity

*Free Access

Focus on the threats that matter now with Mandiant Threat Intelligence

This SaaS-based solution gives organizations of all sizes up-to-the-minute, relevant cyber threat intelligence so you set your defenses knowing who’s likely to attack and what tools they will use.  

Reduce incident response time and minimize impact

Retain Mandiant incident response experts to enable faster response to cyber incidents. Mandiant incident response helps resolve all aspects of cyber breaches with industry-leading expertise, including thorough technical investigation, containment and recovery. 

Have more Questions? Let's Talk.

Mandiant experts are ready to answer your questions.