Destructive cyberattacks target Ukrainian organizations

Microsoft’s security team has identified a destructive malware operation targeting multiple organizations in Ukraine, including government agencies, nonprofit organizations, and information technology companies.

In its Jan. 13 security alert, Microsoft didn’t identify the attacks as coming from Russia, but it suggested the malware may be “nation-state actor activity.” Neighboring Russia has amassed about 100,000 troops on the Ukraine border, prompting fears of an invasion.

However, Microsoft said it had not found any significant links to known hacking groups.

The attacks are “unique,” Microsoft said, with the malware disguised as ransomware that generates a fake ransom note but instead attempts to wipe a computer’s master boot record, which identifies where the operating system is located and allows the computer to boot up.
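As an added illustration that is not part of Microsoft's alert or this article, the following Python check parses a captured first disk sector into its boot signature and partition table and reports the two ways a wiped MBR shows up in forensic triage; the sample sectors are constructed here, not real disk captures.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # the partition table follows the boot code
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its boot signature and the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:   # type 0 marks an unused slot
            partitions.append({"slot": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:] == BOOT_SIGNATURE, "partitions": partitions}

def triage_mbr(sector: bytes) -> str:
    """Classify a captured first sector: intact, or damaged in one of two recognisable ways."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "overwritten"            # signature gone: firmware will not boot this disk
    if not info["partitions"]:
        return "partition_table_empty"  # signature kept, but no entry points at an OS
    return "intact"

def build_sample_mbr(boot_code: bytes, entries: list, signature: bytes) -> bytes:
    """Assemble a constructed MBR for testing: boot code, up to four entries, signature."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    table = table.ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET] + table + signature

# Constructed samples (not real captures): a healthy NTFS boot disk and two damaged sectors.
HEALTHY = build_sample_mbr(b"\xfa\x33\xc0", [(0x80, 0x07, 2048, 1_000_000)], BOOT_SIGNATURE)
FAKE_NOTE_NO_SIG = build_sample_mbr(b"Your files are encrypted. Pay to recover them.", [], b"\x00\x00")
TABLE_ZEROED = build_sample_mbr(b"\xfa\x33\xc0", [], BOOT_SIGNATURE)

if __name__ == "__main__":
    for name, sector in [("healthy", HEALTHY), ("fake_note", FAKE_NOTE_NO_SIG), ("zeroed", TABLE_ZEROED)]:
        print(name, triage_mbr(sector), parse_mbr(sector)["partitions"])
```

Run against the first 512 bytes of a disk image (for example `open(path, "rb").read(512)`) to confirm whether the partition table still points at an operating system.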

“Our investigation teams have identified the malware on dozens of impacted systems, and that number could grow as our investigation continues,” Microsoft’s security team wrote. “We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.”

Microsoft said the recent attacks differ from a typical ransomware attack in several ways. For example, ransomware attacks are usually customized to each victim. But in this case, the same ransom payload hit several victims.

The attackers don’t seem to be spying for intelligence or stealing intellectual property, the usual goals of nation-state attackers, said Saryu Nayyar, CEO and founder of cybersecurity vendor Gurucul.

“These threat actor groups aren’t interested in simple financial gain,” she told the Washington Examiner.

The attack, instead, appears to focus on disruption, added Saumitra Das, CTO and co-founder of Blue Hexagon, a cloud security company.

“Causing systems to go down is not beneficial to criminal gangs out to make a quick buck but very effective for nation-states as a provocation or tool used for larger aims,” he told the Washington Examiner. “Malware that extorts based on disruption does not usually make the system inoperable but merely throttles it.”

While Microsoft did not point to Russian hackers in its threat report, several other cybersecurity experts said the attacks were likely the work of the Russian government or hackers working on its behalf.

It isn’t a “substantial stretch” to associate the attacks with Russian interests, said Rick Holland, chief information security officer at Digital Shadows, a cybersecurity provider. “The ransomware ruse gives the threat actor a thin veneer of plausible deniability,” he said.

The Ukraine cyberattacks are consistent with the Russian government’s playbook, he told the Washington Examiner.

Whether the Russian government encourages hackers to attack opponents or directs the cyberattacks itself, it “seeks to disrupt government and private institutions of their geopolitical opponents,” he said. He noted that Russia had been accused of cyberattacks against Ukraine in 2014 and 2017, with the 2014 attacks preceding its annexation of Crimea.

Ukraine has blamed a Belarusian threat group called UNC1151, which likely has close ties with Russia, noted Dan Desko, CEO and managing partner at cybersecurity vendor Echelon Risk + Cyber.

However, “attribution in the cyberworld is a very tough thing, even with all the data, and you can never assume things,” Desko told the Washington Examiner. “Many times, threat actors will plant false flags [or] data and use tools that point to the involvement of other threat actor groups to make it look like the attacks are coming from somewhere else.”

The attacks, though, appear to be “another tactic in the arsenal of a country on the offensive that is trying to strike fear into another country and their people,” he added. “It is a type of attack that could erode the trust in a government from a citizen’s perspective, that is for sure.”