Ukraine invasion: WordPress-hosted university websites hacked in ‘targeted attacks’

Jessica Haworth on March 2, 2022 at 2:48 PM UTC

Updated: March 2, 2022 2:50 PM UTC

Educational institutions hit by more than 100,000 attacks in 24 hours

At least 30 Ukrainian university websites have been hacked in a targeted attack believed to have been launched in support of the Russian invasion of the European country.

In a report released last night (March 1), Wordfence researchers said the company witnessed a “massive attack” on Ukrainian educational institutions by threat actors identified as the “Monday Group”, which it said publicly supported recent Russian actions.

The group, whose members refer to themselves as “the Mx0nday”, has targeted WordPress-hosted sites more than 100,000 times since February 24, when Russian troops officially invaded Ukraine.


A blog post by Wordfence founder and CEO Mark Maunder explains that the company protects more than 8,000 websites in Ukraine, including those belonging to more than 300 academic institutions. It also provides support for government, military and police websites.

The security firm said it witnessed a spike of 144,000 web attacks on Feb. 25, a day after the kinetic attack began, Maunder says.

“The spike is around three times the number of daily attacks from the beginning of the month on the Ukrainian websites we protect,” he wrote.

Learn about the latest security news from Russia

Maunder added: “An attacker was making a concerted effort to attack universities in Ukraine, and they started immediately after the Russian invasion began.”

An investigation into the attacks identified four IP addresses behind the campaign, which are routed through a Sweden-based VPN service.

The hacking group also appears to have ties to Brazil, where Wordfence claimed it was based.

However, the people behind the incident have not yet been publicly identified.

Destructive campaign

The report follows new research from ESET, which indicates that several malware families are now being used in targeted attacks against Ukrainian organizations.

A ESET blog post detailed that on February 23, a “destructive campaign” using HermeticWiper targeted multiple organizations.

READ MORE Data wiper deployed in cyberattacks targeting Ukrainian systems

The attack used at least three components; HermeticWiper, which renders a system unusable by corrupting its data; HermeticWizard, which broadcasts HermeticWiper over a local network via WMI and SMB; and HermeticRansom, ransomware written in Go.

“This cyber-attack preceded the start of the invasion of Ukraine by Russian Federation forces by hours,” the blog read.

“Malware artifacts suggest the attacks had been planned for several months.”

HermeticWiper has been observed “on hundreds of systems in at least five Ukrainian organizations”, claims ESET, which noted that it found no tangible link to any known threat actor.

DO NOT MISS EU countries offer cyber defense assistance to Ukraine

Esther L. Gunn