
Destructive Hacks Against Ukraine Echo Its Last Cyberwar

For weeks, the cybersecurity world has braced for destructive hacking that might accompany or presage a Russian invasion of Ukraine. Now, the first wave of those attacks appears to have arrived. While so far on a small scale, the campaign uses techniques that hint at a rerun of Russia's massively disruptive campaign of cyberwar that paralyzed Ukraine's government and critical infrastructure in years past.

Data-destroying malware, posing as ransomware, has hit computers within Ukrainian government agencies and related organizations, security researchers at Microsoft said Saturday night. The victims include an IT firm that manages a collection of websites, the same ones that hackers defaced with an anti-Ukrainian message early on Friday. But Microsoft also warned that the number of victims may still grow as the wiper malware is discovered on more networks. 

Viktor Zhora, a senior official at Ukraine's cybersecurity agency, known as the State Services for Special Communication and Information Protection, or SSSCIP, says that he first began hearing about the ransomware messages on Friday. Administrators found PCs locked and displaying a message demanding $10,000 in bitcoin, but the machines' hard drives were irreversibly corrupted when an admin rebooted them. He says SSSCIP has only found the malware on a handful of machines, but also that Microsoft warned the Ukrainians it had evidence the malware had infected dozens of systems. As of Sunday morning ET, one victim appears to have attempted to pay the ransom in full.

"We're trying to see if this is linked to a larger attack," says Zhora. "This could be a first phase, part of more serious things that could happen in the near future. That’s why we’re very worried."

Microsoft warns that when a PC infected with the fake ransomware is rebooted, the malware overwrites the computer's master boot record, or MBR, information on the hard drive that tells a computer how to load its operating system. Then it runs a file corruption program that overwrites a long list of file types in certain directories. Those destructive techniques are unusual for ransomware, Microsoft's blog post notes, given that they're not easily reversible if a victim pays a ransom. Neither the malware nor the ransom message appears customized for each victim in this campaign, suggesting the hackers had no intention of tracking victims or unlocking the machines of those who pay.
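Because the damage here is done to the boot sector rather than to files a backup can restore, the practical check is to snapshot the first 512 bytes of each disk while a machine is known-good and compare them later. The script below is an added example written for this article, not code from Microsoft, SSSCIP, or the malware's analysts: it parses an MBR, hashes the bootstrap code, sanity-checks the 0x55AA signature and partition table, and reports what has changed. The sample "clean" and "overwritten" sectors are constructed inline; the device path in read_mbr is an assumption about where you would point it.

```python
"""Added example: baseline and verify a disk's master boot record (MBR).
Not code from the article, Microsoft, or SSSCIP; sample sectors are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # four 16-byte partition entries start here
SIGNATURE_OFFSET = 510         # two-byte boot signature ends the sector
BOOT_SIGNATURE = b"\x55\xaa"   # 0xAA55 stored little-endian on disk


def read_mbr(device_path):
    """Read the first sector straight from a raw device (needs root/admin).
    Assumed paths: '/dev/sda' on Linux, r'\\.\PhysicalDrive0' on Windows."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def boot_code_hash(mbr):
    """SHA-256 of the bootstrap code only; the partition table can change legitimately."""
    return hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest()


def parse_partitions(mbr):
    """Decode the four partition entries: status, type, LBA start, sector count
    (the CHS fields are skipped with the 3x pads)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_hash):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        findings.append("sector length is %d, expected %d" % (len(mbr), SECTOR_SIZE))
        return findings
    if mbr[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    if all(p["type"] == 0 for p in parse_partitions(mbr)):
        findings.append("partition table is empty")
    return findings


def make_sample_mbr():
    """Constructed clean sector: dummy boot code, one NTFS (0x07) partition, valid signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (PART_TABLE_OFFSET - 4)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    table = entry + b"\x00" * 48          # three unused entries
    return boot_code + table + BOOT_SIGNATURE


def make_overwritten_mbr():
    """Constructed wiped sector: a ransom-style note padded with zeros, so the
    bootstrap code, partition table and signature are all gone."""
    note = b"Your hard drive has been corrupted. Pay to recover your files."
    return note + b"\x00" * (SECTOR_SIZE - len(note))


if __name__ == "__main__":
    clean = make_sample_mbr()
    baseline = boot_code_hash(clean)      # record this while the host is trusted
    print("clean  :", check_mbr(clean, baseline))
    print("wiped  :", check_mbr(make_overwritten_mbr(), baseline))
```

Two caveats when using this for real: the baseline must be taken from the raw device before any compromise, since a hash of an already overwritten sector is worthless, and on UEFI systems the first sector is only a protective MBR (type 0xEE), so a clean result there says nothing about the EFI System Partition, which needs its own baseline.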

Both of the malware's destructive techniques, as well as its fake ransomware message, carry eerie reminders of data-wiping cyberattacks Russia carried out against Ukrainian systems from 2015 to 2017, sometimes with devastating results. In the 2015 and 2016 waves of those attacks, a group of hackers known as Sandworm, later identified as part of Russia's GRU military intelligence agency, used malware similar to the kind Microsoft has identified to wipe hundreds of PCs inside Ukrainian media outlets, electric utilities, the railway system, and government agencies including its treasury and pension fund.

Those targeted disruptions, many of which used similar fake ransomware messages in an attempt to confuse investigators, culminated with Sandworm's release of the NotPetya worm in June of 2017, which spread automatically from machine to machine within networks. Like this current attack, NotPetya overwrote master boot records along with a list of file types, paralyzing hundreds of Ukrainian organizations, from banks to Kyiv hospitals to the Chernobyl monitoring and cleanup operation. Within hours, NotPetya spread worldwide, ultimately causing a total of $10 billion in damage, the costliest cyberattack in history.


The appearance of malware that even vaguely resembles those earlier attacks has ratcheted up the alarms within the global cybersecurity community, which had already warned of data-destructive escalation given tensions in the region. Security firm Mandiant, for instance, released a detailed guide on Friday to hardening IT systems against potential destructive attacks of the kind Russia has carried out in the past. "We’ve been specifically warning our customers of a destructive attack that appeared to be ransomware," says John Hultquist, who leads Mandiant's threat intelligence.

Microsoft has been careful to point out that it has no evidence of any known hacker group's responsibility for the new malware it discovered. But Hultquist says he can't help but notice the malware's similarities to destructive wipers used by Sandworm. The GRU has a long history of carrying out acts of sabotage and disruption in Russia's so-called "near-abroad" of former Soviet states. And Sandworm in particular has a history of ramping up its destructive hacking at moments of tension or active conflict between Ukraine and Russia. "In the context of this crisis, we expect the GRU to be the most aggressive actor," Hultquist says. "This problem is their wheelhouse."

For now, any links between this newest destructive malware and Sandworm, the GRU, or even Russia remain far from certain. Before Microsoft's post detailing the new malware, the Ukrainian government had blamed a group called Ghostwriter for hacking and defacing 15 Ukrainian government websites with an anti-Ukraine message that was designed to appear to be Polish in origin. Mandiant and Google security researchers have linked Ghostwriter in the past with Belarus's intelligence services, though Mandiant has also suggested that it may work closely with the GRU.

Another Ukrainian official, deputy secretary of Ukraine's national security and defense council Serhiy Demedyuk, told Reuters that destructive malware found in connection to that defacement attack was "very similar in its characteristics" to malware used by a different group, APT29, also known as Cozy Bear. But that distinct hacker group is believed to be a part of Russia's SVR foreign intelligence agency, typically tasked with stealthy spying rather than sabotage. (SSSCIP's Zhora says he couldn't confirm Demedyuk's findings.) "The defacement of the sites was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future," Demedyuk wrote to Reuters.

Just what the hackers behind the new wiper malware hope to accomplish isn't clear, for now. Hultquist says those intentions are difficult to divine without knowing the hackers' specific targeting. But he argues that they're very likely the same as in previous Russian cyberattacks carried out in the context of its war with Ukraine: to sow havoc, and to embarrass the Ukrainian government and weaken its resolve in a critical moment.

"If you're trying to look like a strong government, your systems going offline and your access to the internet disappearing just isn't a good look," Hultquist says. "Destructive attacks create chaos. They undercut authority and corrode institutions." Whether or not these small-scale cyberattacks show that Russia intends to start a new war in Ukraine, they look uncomfortably similar to the first shots of the last cyberwar there.
