Skip to content

Ukrainian education sites are bearing the brunt of pro-Russia hackers

  • by
  • 3 min read

Cybersecurity firm Wordfence, responsible for some 8320 WordPress sites’ security in Ukraine, has reported a significant rise in the number of cyberattacks on Ukrainian sites ever since the Russian invasion started. 144,000 attacks were reported on February 25 alone. 

The attacks are primarily focused on academic websites, especially on a subset of 376 academic websites, which were attacked 209,624 times between February 25 and 27. These coordinated attacks have compromised 30 Ukrainian university websites, resulting in complete defacing and service unavailability. 

Ukrainian education sites are bearing the brunt of pro-Russia hackers
All attacks on .UA domain WordPress sites from January 28 to February 28. | Source: Wordfence

Wordfence reports that these numbers only include attacks on WordPress sites that the company protects. In their report, the word ‘attack’ also refers to a sophisticated exploit attempt and doesn’t include brute-forcing or DDoS attacks. 

In the News: Android app caught delivering data-stealing trojan to thousands of people

A war on all fronts

Wordfence has narrowed down four IP addresses attacking .EDU.UA websites during their two-day monitoring window. One of these IP addresses is a .EDU.UA server which seems to have been compromised and instructed to attack other servers in the country has launched 1991 attacks.

Ukrainian education sites are bearing the brunt of pro-Russia hackers
All attacks from the IP in February | Source: Wordfence

The company logged over 7000 IP addresses, but apart from the top four, every other IP accounted for less than 100 attacks. was the biggest offender with over six times the attacks of the second-highest offender. Wordfence has identified as a pro-Russian group called ‘theMx0nday’. The group also posted evidence of their activity at Zone-H, a defacement aggregator.

Further investigation reveals that the group is based in Brazil but has routed its attacks through Finnish IPs using Njalla, an anonymous internet service provider. The group is known for previously hacking Argentinian, Brazilian, Indonesian, Spanish, Turkish and US websites. 

Ukrainian education sites are bearing the brunt of pro-Russia hackers
The activity posted on zone-H by the attacking group. | Source: Wordfence

Wordfence is countering these attacks by deploying real-time threat intelligence for all their customers regardless of their subscription tier, a feature previously reserved for premium customers. The feed will be activated for all WordPress websites under them until further notice, making them much more secure against attacks like this. 

IP addresses used in the attack have already been added to all associated blocklists, which keep updating to accommodate any new IPs that attack monitored domains. Additionally, the company is also pushing new firewall rules to its websites straightaway, a process that previously took about 30 days. 

In the News: Russia faces massive tech sanctions as it continues threatening Ukraine

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: