Ransomware, Malware, Threat Management

Microsoft warns that Russian cyberattacks may extend beyond Ukraine

A protester waves a Ukrainian flag in Kyiv
Microsoft warned that Russian cyberattacks will continue against Ukraine and its supporters this winter. (Photo by Jeff J Mitchell/Getty Images)

As 2022 draws to a close and the Russian-Ukrainian conflict continues, Microsoft’s Digital Threat Analysis Center is warning that a recent ransomware-style attack on Poland and the amplification of Russian propaganda may be a preview for countries aiding Ukraine.

In a Dec. 3 blog post, Clint Watts, the general manager of Microsoft’s threat center, said wiper attacks on infrastructure by Russian-affiliated cyberthreat actors moved outside Ukraine to Poland in a “possible attempt to disrupt the movement of weapons and supplies to the front.”

"We believe these recent trends suggest that the world should be prepared for several lines of potential Russian attack in the digital domain over the course of this winter," Watts wrote.

The threat group Microsoft refers to as “Iridium,” but is also known as “Sandworm,” is singled out in the blog as being associated with Russia’s military intelligence service. Besides its history of destructive attacks against Ukraine’s energy infrastructure over nearly a decade, the blog noted that Iridium was also responsible for unleashing the 2017 NotPetya malware against Ukraine, which eventually damaged organizations worldwide.

The group has been tasked with carrying out cyberattacks against Ukraine since the conflict began in February, Watts wrote, deploying wiper malware to destroy data on networks of roughly 50 organizations, 55% of which were critical infrastructure such as energy, transportation and water. 

In October, the new Prestige ransomware was used against logistics and transportation networks in Poland and Ukraine, though with limited success.

“Early customer notifications and rapid response, including from Microsoft’s Detection and Response Team (DART) and the Microsoft Threat Intelligence Center (MSTIC), along with local incident responders in Poland, reportedly helped contain the attack’s impact to less than 20% of one targeted organization’s network,” he wrote.

However, the October cyberattack on Poland was the first on entities outside of Ukraine since the start of the Russian invasion, when malicious activity targeted Viasat's satellite KA-SAT network, which was used by the Ukrainian military.

"The Prestige event in October may represent a measured shift in Russia’s cyberattack strategy, reflecting a willingness by Moscow to use its cyberweapons against organizations outside Ukraine in support of its ongoing war."

Watts also warned that cyber-enabled influence operations targeting Europe would be conducted in parallel with cyberthreat activity.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.