Destructive Attacks Against Ukraine Echo Its Last Cyber War


For many weeks, the cybersecurity world has been preparing for destructive attacks that could accompany or simulate a Russian invasion of Ukraine. Now, the first wave of those attacks seems to have arrived. Although so far small in scale, the campaign uses techniques that suggest a rerun of Russia's mass-disruption cyber war campaign, which crippled Ukraine's government and vital infrastructure over the years.

Data-destroying malware, masquerading as ransomware, has hit computers in Ukrainian government agencies and related organizations, security researchers at Microsoft said Saturday night. The victims included an IT company that managed a collection of websites, like the ones that hackers defaced with an anti-Ukrainian message early on Friday. But Microsoft also warned that the number of victims could still grow as the wiper malware is discovered on more networks.

Viktor Zhora, a senior official at Ukraine's cybersecurity agency, known as the State Service for the Protection of Special Communications and Information, or SSSCIP, said that he first started hearing about the ransomware messages on Friday. Administrators found PCs locked and displaying a message demanding $10,000 in Bitcoin, but the machines' hard drives were unrecoverable when the administrators restarted them. He said that SSSCIP had found the malware on only a handful of machines, but that Microsoft had also warned the Ukrainians it had evidence of the malware infecting dozens of systems. As of Sunday morning ET, one person appears to have tried to pay the ransom in full.

“We’re trying to see if this is related to a larger attack,” said Zhora. “This could be an early stage, part of something more serious that could happen in the near future. That’s why we’re so worried.”

Microsoft warns that when a PC infected with the fake ransomware is restarted, the malware overwrites the computer's master boot record, or MBR, the information on the hard drive that tells the computer how to load its operating system. It then runs a file corruption program that overwrites a long list of file types in certain directories. Those destructive techniques are unusual for ransomware, the Microsoft blog post notes, since they are not easily reversed if the victim pays the ransom. Neither the malware nor the ransom message appeared customized for each victim in this campaign, suggesting that the hackers had no intention of spying on victims or cracking the payers' machines.
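To illustrate the MBR overwrite described above from a responder's side, here is an added Python example (not code from Microsoft or from the original article) that inspects the 512-byte first sector of a disk image for signs that the boot record has been replaced. The sample sectors, the function names, and the printable-text heuristic with its 0.5 threshold are assumptions made for the example.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446          # bootstrap code occupies bytes 0..445
SIGNATURE = b"\x55\xaa"     # required at bytes 510..511

def parse_partitions(sector):
    """Return (status, type, first_lba, sectors) for each used table slot."""
    used = []
    for i in range(4):
        entry = struct.unpack_from("<B3xB3xII", sector, TABLE_OFFSET + 16 * i)
        if entry[1] != 0:   # type 0x00 marks an unused slot
            used.append(entry)
    return used

def assess_mbr(sector, baseline_sha256=None):
    """List reasons this 512-byte sector does not look like a bootable MBR."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    boot_code, findings = sector[:TABLE_OFFSET], []
    if sector[510:] != SIGNATURE:
        findings.append("boot signature missing")
    parts = parse_partitions(sector)
    if not parts:
        findings.append("partition table empty")
    if any(status not in (0x00, 0x80) for status, *_ in parts):
        findings.append("invalid partition status byte")
    # Heuristic (assumption): real boot code is machine code, not readable text.
    printable = sum(32 <= b < 127 for b in boot_code) / len(boot_code)
    if printable > 0.5:
        findings.append("boot code is mostly printable text")
    if baseline_sha256 and hashlib.sha256(boot_code).hexdigest() != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings

# Constructed samples (not taken from any real disk or malware).
_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
HEALTHY = (bytes.fromhex("fa33c08ed0") * 90)[:446] + _entry + bytes(48) + SIGNATURE
OVERWRITTEN = (b"constructed placeholder text " * 16)[:446] + bytes(64) + SIGNATURE
BASELINE = hashlib.sha256(HEALTHY[:446]).hexdigest()

if __name__ == "__main__":
    for name, image in (("healthy", HEALTHY), ("overwritten", OVERWRITTEN)):
        print(name, assess_mbr(image, BASELINE) or "ok")
```

Recording the baseline hash while a machine is known to be healthy is what makes the last check useful, since an overwritten sector can still carry a valid boot signature.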

Both the malware's destructive techniques and its fake ransomware message carry eerie reminders of the data-wiping Russian cyberattacks on Ukrainian systems between 2015 and 2017, sometimes with devastating results. During the 2015 and 2016 attacks, a hacker group known as Sandworm, which was later determined to be part of Russia's military intelligence agency, the GRU, used malware similar to the one Microsoft identified to wipe hundreds of PCs inside Ukraine's media, electrical utilities, railway systems, and government agencies, including both the Treasury and the pension fund.

Those targeted disruptions, many of which used similar fake ransomware messages in an attempt to confuse investigators, culminated in Sandworm's release of the NotPetya worm in June 2017, which spread automatically from one machine to another within networks. Like the current attack, NotPetya overwrote master boot records along with a list of file types, crippling hundreds of Ukrainian institutions, from banks to Kyiv hospitals to the Chernobyl monitoring and cleanup operation. Within hours, NotPetya had spread around the world, eventually causing total losses of up to $10 billion, making it the most expensive cyberattack in history.

The emergence of malware that closely resembles those previous attacks has raised alarm in the global cybersecurity community, which has warned of an escalation of data sabotage amid tension in the region. For example, security firm Mandiant released a detailed guide on Friday to fortifying IT systems against potentially destructive attacks of the kind that Russia has carried out in the past. “We have specifically alerted our customers to a destructive attack that appears to be ransomware,” said John Hultquist, Mandiant’s head of threat intelligence.

Microsoft has been careful to point out that it has no evidence tying the new malware it discovered to any known hacker group. But Hultquist says he couldn’t help but notice the malware’s similarities to the destructive wipers Sandworm has used. The GRU has a long history of carrying out acts of sabotage and disruption in Russia's so-called “near abroad.” And Sandworm in particular has a history of launching destructive attacks at times of tension or active conflict between Ukraine and Russia. “Amid this crisis, we expect the GRU to be the most active actor,” said Hultquist. “The problem is their wheelhouse.”
