For weeks, the world of cybersecurity has been preparing for a devastating hack that could accompany or portend a Russian invasion of Ukraine. Now it seems that the first wave of these attacks has arrived. Although small in scale so far, the campaign uses techniques that hint at a repeat of Russia’s massively destructive cyber warfare campaigns, which paralyzed Ukraine’s government and critical infrastructure in recent years.
Data-destroying malware posing as ransomware has hit computers at Ukrainian government agencies and related organizations, security researchers at Microsoft said on Saturday night. The victims include an IT company that runs a collection of websites, the same ones that hackers defaced with an anti-Ukrainian message early Friday. But Microsoft also warned that the number of victims could still rise as the wiper malware is found on more networks.
Viktor Zhora, a senior official at Ukraine’s cybersecurity agency, known as the State Service for Special Communications and Information Protection, or SSSCIP, said he first heard reports of ransomware on Friday. Administrators found that the computers were locked and displayed a message demanding $10,000 in bitcoin, but the machines’ hard drives were irreversibly damaged when an administrator restarted them. He says SSSCIP has detected the malware on only a handful of machines, but also that Microsoft warned Ukrainians that there was evidence the malware had infected dozens of systems. As of Sunday morning ET, it appears that no one had tried to pay the ransom in full.
“We’re trying to see if this has to do with a bigger attack,” Zhora said. “This may be the first phase of some more serious things that may happen in the near future. That is why we are very worried.”
Microsoft warns that when a computer infected with the fake ransomware restarts, the malware overwrites the computer’s master boot record, or MBR, the part of the hard disk that tells the computer how to boot its operating system. It then launches a file corrupter that overwrites a long list of file types in specific directories. These destructive techniques are unusual for ransomware, the Microsoft blog post notes, given that they are not easily reversible even if the victim pays a ransom. Neither the malware nor the ransom message appears to be customized for each victim in this campaign, suggesting that the hackers had no intention of tracking victims or unlocking the machines of those who paid.
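The paragraph above turns on what the MBR is: the first 512-byte sector of a BIOS-partitioned disk, holding 446 bytes of bootstrap code, a 64-byte table of four partition entries and a two-byte 0x55AA boot signature. Overwriting that sector is what makes the machine unbootable on restart. The following Python is an added defender-side example, not code from the article, from Microsoft or from any of the parties named: it records a baseline fingerprint of a known-good MBR and later checks a captured copy of sector 0 (for example from a forensic image) for the signs of such an overwrite. The sample MBR, the zeroed sector and the patched boot stub are all constructed here for illustration, not taken from any real incident.

```python
import hashlib

# MBR layout: first 512-byte sector of a BIOS/MBR-partitioned disk
MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
SIG_OFF = 510                # bytes 510..511: boot signature
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: a tiny boot stub, one bootable Linux partition, valid signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOT_CODE_LEN, b"\x00")  # constructed stub, zero-padded
    entry = (
        bytes([0x80])                      # status byte: 0x80 = bootable
        + bytes([0x01, 0x01, 0x00])        # CHS start (not used by this checker)
        + bytes([0x83])                    # partition type: Linux
        + bytes([0xFE, 0xFF, 0xFF])        # CHS end (not used by this checker)
        + (2048).to_bytes(4, "little")     # LBA of first sector
        + (204800).to_bytes(4, "little")   # number of sectors
    )
    table = entry + bytes(PART_ENTRY_LEN * 3)   # remaining three entries empty
    return boot_code + table + BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts (type byte 0 means unused)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        e = mbr[off:off + PART_ENTRY_LEN]
        if e[4] == 0:
            continue
        parts.append({
            "index": i,
            "bootable": e[0] == 0x80,
            "type": e[4],
            "lba_start": int.from_bytes(e[8:12], "little"),
            "sectors": int.from_bytes(e[12:16], "little"),
        })
    return parts


def fingerprint(mbr: bytes) -> str:
    """SHA-256 over boot code plus partition table, recorded once from a known-good disk."""
    return hashlib.sha256(mbr[:SIG_OFF]).hexdigest()


def check_mbr(mbr: bytes, baseline: str) -> list:
    """Compare a captured sector 0 against the baseline; return a list of findings (empty = clean)."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"unexpected sector length {len(mbr)}")
        return findings
    if mbr[SIG_OFF:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: sector overwritten or zeroed")
    if fingerprint(mbr) != baseline:
        findings.append("boot code or partition table differs from recorded baseline")
    if not parse_partitions(mbr):
        findings.append("no partition entries present")
    return findings


def zeroed_sector() -> bytes:
    """Constructed test input: sector 0 wiped to zeros, signature and table gone."""
    return bytes(MBR_SIZE)


def patched_boot_stub() -> bytes:
    """Constructed test input: only the first two boot-code bytes changed, signature and table intact.
    The signature check alone would miss this; the baseline hash catches it."""
    good = build_sample_mbr()
    return b"\x90\x90" + good[2:]


if __name__ == "__main__":
    baseline = fingerprint(build_sample_mbr())
    for name, sector in (("known-good", build_sample_mbr()),
                         ("zeroed", zeroed_sector()),
                         ("patched stub", patched_boot_stub())):
        print(name, check_mbr(sector, baseline) or "clean")
```

The point of hashing the boot code and partition table together, rather than only checking for the 0x55AA signature, is that a replacement boot sector written by malware can carry a perfectly valid signature; only comparison against a baseline taken before the incident shows that the sector is no longer the one the system was installed with.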
Both the malware’s destructive techniques and its fake ransom message carry ominous echoes of the data-wiping cyberattacks Russia carried out against Ukrainian systems from 2015 to 2017, sometimes with devastating results. During the waves of attacks in 2015 and 2016, a group of hackers known as Sandworm, later identified as part of Russia’s military intelligence agency, the GRU, used malware similar to the type identified by Microsoft to wipe hundreds of computers in Ukrainian media outlets, electric utilities, the railway system and government agencies, including its treasury and pension fund.
These targeted disruptions, many of which used similar fake ransom messages in an attempt to confuse investigators, culminated in the release of Sandworm’s NotPetya worm in June 2017, which spread automatically from machine to machine within networks. Like the current attack, NotPetya overwrote boot records along with a list of file types, paralyzing hundreds of Ukrainian organizations, from banks to hospitals in Kiev to the Chernobyl monitoring and cleanup operation. Within hours, NotPetya spread around the world, eventually causing a total of $10 billion in damage, the most costly cyberattack in history.
The appearance of malware that even vaguely resembles these earlier attacks has heightened concerns in the global cybersecurity community, which had already warned of an escalation to data-destroying attacks amid tensions in the region. Security firm Mandiant, for example, on Friday released a detailed guide to hardening IT systems against potentially destructive attacks of the kind Russia has carried out in the past. “We specifically warned our customers about a devastating attack that appears to be ransomware,” said John Hultquist, who leads Mandiant’s threat intelligence.
Microsoft was careful to point out that it had no evidence linking any known hacker group to the new malware it discovered. But Hultquist says he can’t help but notice the similarities between the malware and the destructive wipers used by Sandworm. The GRU has a long history of sabotage and disruption in Russia’s so-called “near abroad” of former Soviet states. In particular, Sandworm has a history of intensifying its destructive hacking in times of tension or active conflict between Ukraine and Russia. “In the context of this crisis, we expect the GRU to be the most aggressive actor,” Hultquist said. “This problem is their wheelhouse.”