Over the weekend, Microsoft said it identified a new, destructive wiper malware targeting Ukrainian organizations across multiple sectors as the prospect of a possible war with Russia looms.
The new malware, which is designed to mimic the appearance of ransomware but includes no mechanism for ransom recovery, has not been tied to any currently tracked advanced persistent threat group (APT) or nation, but was found in “dozens” of Ukrainian systems across the government, non-profit and information technology sectors.
Microsoft assesses that the malware “is intended to be destructive and designed to render targeted devices inoperable rather than retain a ransom.” The company has assigned a unique identifier to the malware and while the research doesn’t offer any details around attribution, it said it is working to share information with members of the global security community “as with any observed nation-state actor activity.”
“Given the scale of the observed intrusions, [Microsoft] is not able to assess intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine,” the company said on its security blog. “We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post.”
The malware was first spotted Jan. 13 and overwrites the Master Boot Record — responsible for loading the operating system — and automatically posts a ransom note demanding $10,000 in Bitcoin, offering a unique wallet number and encrypted messaging ID.
However, Microsoft’s researchers say there are several inconsistencies with past criminal ransomware campaigns, including a lack of customized ransom payloads for each victim, no evidence that files are ever actually encrypted after they are overwritten, no additional information about support websites that are commonly used to manage ransom payment and no custom ID assigned to each victim that would allow an operator to provide victim-specific decryption keys in the event of payment.
The discovery was preceded by news a day earlier that numerous Ukrainian government websites had been hacked and defaced with messages claiming to have stolen data and telling Ukrainians to “be afraid and expect the worst.” It also follows a rare, high-profile raid by Russian law enforcement against members of the REvil ransomware gang, something analysts believe is intended as a message to the U.S. and a possible enticement to avoid pushing for international sanctions tied to a potential Ukrainian invasion.
Digital attacks on Ukrainian IT assets are far from the only concern. Russia has undertaken a buildup of nearly 100,000 troops on its border with Ukraine, which U.S. officials say includes a full suite of physical and digital weaponry.
“We have seen all of the advanced weaponry — artillery systems, electronic warfare systems, ammunition, et cetera — that leaves a lot of questions, begs a lot of questions about what Russia’s intentions are,” said Michael Carpenter, U.S. ambassador to the Organization for Security and Cooperation in Europe, in a press briefing last week.
The attacks and concerns have prompted U.S. and international organizations to respond with resources intended to help Ukrainian civil society respond and defend its IT infrastructure.
Threat intelligence firm Mandiant released a free 40-page document offering guidance for hardening information systems against destructive cyber attacks, saying they are “particularly concerned that as tensions escalate, [Russia] may target organizations within and outside Ukraine.”
Organizations like the Cyber Peace Institute, a non-profit organization dedicated to promoting international stability in cyberspace, are offering a suite of free resources to Ukrainian NGOs and civil society, including pre-incident response services and resilience training, technical vulnerability assessments, compliance requests and other resources.
Stéphane Duguin, the organization’s CEO, told SC Media that they are also documenting each known cyber incident used against civilian targets in Ukraine and their impact on victims and civil society, saying the records are an important part of demonstrating the cost of cyber attacks and form a historical record to help policymakers in efforts to develop, establish and uphold international norms. USAID is also at the beginning of a four-year program, running through 2024, to provide funding to critical infrastructure entities in Ukraine for cybersecurity weaknesses.
“So when we assist civil society, NGOs that have the potential to be attacked or after they are attacked, we look into what are their needs, and when they share data with us on the technical layer of the attack, we start finding information, forensic data that could help subsequent investigation,” said Duguin. “That data will be at some point [might] used in judicial proceedings, it could be used by a different stakeholder when it comes to other attribution efforts.”
Taylor Grossman, a senior research analyst and project manager at the Cyber Policy Institute, told SC Media that the recent attacks were another “boundary testing exercise” for President Vladimir Putin. Depending on how the situation unfolds, there is the potential for these attacks to spill over and impact other countries that may come to Ukraine’s aid or try to stymie the Russian government’s plans.
“President Biden and others have made it quite clear that certain critical industries should be off limits in cyber operations,” she said. “While Putin may not have targeted U.S. industries in this round, he is playing along the edges of current cybersecurity norms that keep many civilian services off limits.”