In a blog post Monday, Microsoft president and vice-chair Brad Smith claimed the company had detected destructive malware in Ukraine just hours before Russia's invasion on Feb. 24.
"One of our principal and global responsibilities as a company is to help defend governments and countries from cyberattacks. Seldom has this role been more important than during the past week in Ukraine, where the Ukrainian government and many other organizations and individuals are our customers," he wrote.
Microsoft has dubbed the malware FoxBlade. Smith said that Microsoft immediately alerted the Ukrainian government to the finding and has provided advice since. He also said detection definitions were added to Microsoft Defender within three hours of discovery.
Microsoft Security Intelligence lists two components under the FoxBlade name, both rated "severe" and posted last week. FoxBlade.A is described as a trojan that could be used to launch DDoS attacks. FoxBlade.B is a downloader, presumably used to install component A. FoxBlade is listed separately from HermeticWiper, the wiper malware also discovered immediately before Russia began its military assault.
Smith said FoxBlade targeted specific victims and was unlikely to cause the kind of widespread havoc seen with NotPetya, the wiper malware launched by Russia in 2017. NotPetya spread indiscriminately across systems throughout Ukraine and then rapidly propagated around the world.
"We remain especially concerned about recent cyberattacks on Ukrainian civilian digital targets, including the financial sector, agriculture sector, emergency response services, humanitarian aid efforts, and energy sector organizations and enterprises. These attacks on civilian targets raise serious concerns under the Geneva Convention, and we have shared information with the Ukrainian government about each of them," wrote Smith.
For Nathan Einwechter, director of security research at the AI cybersecurity company Vectra, the important distinction of the FoxBlade malware is that it is installed to enable a DDoS attack. Einwechter said any individual or organization may be targeted so that their systems can be used to degrade internet access within Ukraine or to attack other targets of interest to Russia.
"DDoS attacks are amongst the simplest to launch, particularly when compared to the expertise and efforts required to breach the networks and/or systems of a specific target directly," Einwechter said via email. "Russian state threat groups have been known to use attacks like this (or ransomware attacks) to act as a distraction to hide more direct attempts to breach target systems."