Cyber Berkut is a politically motivated hacktivist group that emerged in 2014 during the height of the Ukrainian political crisis and Russia's annexation of Crimea. Taking its name from "Berkut," the Ukrainian riot police unit disbanded after the Euromaidan protests, the group has aligned itself with pro-Russian interests, targeting Ukrainian, Western, and NATO-aligned entities. While not officially classified as a state-sponsored group, Cyber Berkut's operations and narratives consistently align with Kremlin propaganda, suggesting at least informal ties to Russian intelligence or influence operations.
Motivations and Objectives
Cyber Berkut’s core motivation is ideological, positioning itself as a defender of Russian interests against what it characterizes as Western aggression, Ukrainian nationalism, and NATO expansionism. The group’s primary objectives include:
Disrupting Ukrainian political and military communications.
Undermining NATO and U.S. support for Ukraine.
Spreading disinformation that supports pro-Russian narratives.
Undermining confidence in Western democratic institutions.
Notable Campaigns
Ukrainian Election Interference (2014)
Cyber Berkut launched attacks against Ukraine's Central Election Commission ahead of the May 2014 presidential election, disrupting election infrastructure and preparing falsified results for publication. The falsified results never reached the Commission's official site, so the attack failed in its immediate aim, but it exposed vulnerabilities in Ukraine's critical systems.
NATO and U.S. Military Attacks (2014–2015)
The group conducted DDoS attacks and posted stolen documents from NATO-affiliated institutions and U.S. military contractors.
It targeted NATO exercises and released documents in an attempt to portray Western militaries as aggressors in the region.
Disinformation via Video and Leaks
Cyber Berkut has a long history of uploading falsified or selectively edited documents and videos, designed to sow discord between NATO allies or between Western populations and their governments.
Attack on German Chancellor Merkel’s Website (2015)
The group took credit for a DDoS attack on Angela Merkel’s government website following German support for Ukraine, labeling it retaliation for “anti-Russian policies.”
Tactics, Techniques, and Procedures (TTPs)
Cyber Berkut’s operations exhibit a combination of hacktivism and more sophisticated cyber techniques, including:
DDoS attacks: Used against government and military websites.
Website defacements: Often accompanied by political propaganda.
Phishing and credential harvesting: Likely aided by intelligence support.
Document leaks: Real or manipulated materials, often posted with accusatory narratives.
Media manipulation and influence ops: Targeting both Ukrainian and Western audiences via social media and fringe media outlets.
Attribution and Links to Russia
While Cyber Berkut presents itself as a grassroots Ukrainian movement, multiple cybersecurity analysts and intelligence sources have pointed to signs of coordination with Russian interests:
Use of infrastructure linked to known Russian threat actors.
Synchronized messaging with Russian state media.
Attacks timed to geopolitical events in which the outcome favours the Russian Federation.
Potential overlap in TTPs with APT28 (Fancy Bear), a GRU-linked threat actor.
The UUID 4d9f68ba-cb2b-40bf-ba4b-6a5a9f2e1cf8 can be used as the unique global reference for Cyber Berkut in MISP communities and other software using the MISP galaxy.