New Wiper Malware Was Used in Recent Cyberattacks in Ukraine

Last week, Ukraine experienced a massive cyberattack that affected around 70 government websites, including those of the Ministry of Foreign Affairs and the education ministry. A post on one of the attacked websites read, “Ukrainians! … All information about you has become public. Be afraid and expect worse. It’s your past, present and future.” The attack was mitigated quickly, with Ukraine now reporting that most of the affected websites have been restored with minimal fallout.

While the identity of the hackers has not been confirmed, officials in Ukraine strongly suspect Russia was involved and on Sunday claimed to have obtained evidence that the attack was conducted by Russian operatives. The attack occurred at a time when tensions between the two countries have reached an all-time high, with Russia massing troops on the border, which could potentially signal an imminent invasion. Kyiv claims Russia is engaging in a hybrid war that is intended “to intimidate society,” and destabilize the country by preventing access to critical services and undermining the public’s trust in Ukrainian authorities. Russia has denied any involvement in the cyberattacks.

On Saturday, Microsoft reported that a dangerous new malware variant, which appears to be a Master Boot Record (MBR) wiper, was used in the attacks. The malware was identified on several Ukrainian government websites and executes when devices are powered down. While the malware is disguised as ransomware, there is no mechanism that will allow data to be recovered, as was the case with the NotPetya ransomware attacks that hit Ukraine and many other countries in 2017. The NotPetya attack in Ukraine involved the wiper malware being delivered in a supply chain attack via the MeDoc tax accounting software.

Microsoft says the malware first appeared on January 13, 2022 – the day of the attacks on the Ukrainian government websites – and was used in attacks on multiple organizations in Ukraine, including government and non-profit organizations and information technology companies. The malware is not believed to have been used in any attacks in other countries, although it will take some time before the full extent of the attacks is known. Microsoft says it is unclear how many organizations have been affected, but the detections so far are unlikely to be the last.

Microsoft was unable to tie the malware to any existing Advanced Persistent Threat (APT) group and is attributing the activity to a new group, which it tracks as DEV-0586. Microsoft has dubbed the malware WhisperGate.

According to Oleh Derevianko, chairman, founder, and CVO of the cybersecurity firm ISSP, the attacks on the government websites were likely a cover for more destructive actions being taken against Ukraine. He told the Associated Press that the WhisperGate malware was delivered in a supply chain attack on the software supplier KitSoft. What is not yet known at this stage of the investigation is what other actions the attackers have carried out or what else is being planned.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news