Microsoft Details Recent Damaging Malware Attacks on Ukrainian Organizations

Several organizations in Ukraine were hit last week in a destructive, probably nation-state-sponsored malware operation designed to render targeted systems completely unusable.

The two-stage malware resembles ransomware on the surface, but it has no recovery mechanism and is instead designed to overwrite the Master Boot Record (MBR) and the contents of specific files on infected systems, Microsoft said Friday.

The attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue a statement on January 18 urging US organizations to be vigilant against cyber attacks that could seriously damage critical functions.

Researchers from Microsoft first observed the malware, called WhisperGate, on January 13 and have since identified it on dozens of systems belonging to government, information technology and non-profit organizations based in Ukraine. The total number of affected organizations is still unclear, but it is almost certain that there are more victims than have been identified so far, Microsoft said.

The malicious activity that Microsoft observed is part of a broader wave of attacks last week that shut down government websites and disrupted the operations of several organizations in Ukraine. No group has claimed credit for the attacks, and so far few have publicly attributed them to any threat group or state sponsor.

But many believe that the attacks in Ukraine were probably carried out by Russian actors and are a manifestation of the current tense standoff between the two countries. Back in December 2015, during a similarly tense period between Russia and Ukraine, threat actors from Russia launched a series of cyber attacks that took down part of Ukraine’s electricity grid and caused blackouts in some regions of the country.

Chris Morgan, senior intelligence analyst for cyber threats at Digital Shadows, says it is not unreasonable to link the attacks to Russia.

“The attacks fit into a consistent model often used by threat actors in Russia, which have previously implemented hybrid warfare tactics involving the use of cyber attacks prior to movements of its military land forces,” Morgan said. “This has included cyber attacks against Georgia prior to the conflict over South Ossetia in 2008, during the annexation of Crimea in 2014, and the destructive malware used in the Petya and MeDoc attacks on Ukraine in 2017.”

Destruction as a priority
Microsoft described WhisperGate as a unique two-stage malware that uses a publicly available tool called Impacket, which threat actors often use for remote execution and lateral movement. The first-stage component resides in various working directories and overwrites the MBR, the code that tells the computer how to load the operating system, with a ransom note. The ransom note contains a Bitcoin wallet address and an account ID for encrypted communications, supposedly for victims to use to arrange payment. In reality, the malware’s sole purpose is to corrupt the MBR and the other files it targets on infected devices, Microsoft said.

WhisperGate’s second-stage component is a file-corrupting payload downloaded from a Discord channel. It is designed to corrupt files in certain folders on a compromised system that carry specific file extensions such as .backup, .bak, .jpeg, .java, .jar, .rtf, .sav and .xltm. When the malware encounters files with these extensions, and more than a hundred others, it immediately overwrites each file and then renames it with a random 4-byte extension.
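The rename behaviour described above gives defenders a host-side signal to hunt for. The following is an added detection example, not code from Microsoft or from the article: it parses constructed rename-event lines in an assumed `<timestamp> RENAME <src> -> <dst>` format (not any real sensor's output) and flags targeted files being renamed to unrecognized four-character extensions; the benign-extension allow-list and the alert threshold are assumptions to tune per environment.

```python
import ntpath
import re
from collections import Counter

# Extensions the article lists among the second-stage corrupter's targets.
TARGETED_EXTENSIONS = {".backup", ".bak", ".jpeg", ".java", ".jar", ".rtf", ".sav", ".xltm"}
# Legitimate four-character extensions to ignore (constructed allow-list; extend as needed).
BENIGN_4CHAR = {".docx", ".xlsx", ".pptx", ".jpeg", ".java", ".json", ".html", ".xltm"}
FOUR_BYTE_EXT = re.compile(r"^\.[A-Za-z0-9]{4}$")
ALERT_THRESHOLD = 3  # suspicious renames in one batch before alerting (assumed value)

# Assumed event format: "<timestamp> RENAME <source path> -> <destination path>".
EVENT_RE = re.compile(r"^(?P<ts>\S+) RENAME (?P<src>.+?) -> (?P<dst>.+)$")

def parse_event(line):
    """Parse one constructed rename-event line; returns (ts, src, dst) or None."""
    m = EVENT_RE.match(line.strip())
    return (m.group("ts"), m.group("src"), m.group("dst")) if m else None

def is_suspicious_rename(src, dst):
    """True when a targeted file is renamed to an unrecognized 4-character extension."""
    src_ext = ntpath.splitext(src)[1].lower()   # ntpath handles Windows backslash paths
    dst_ext = ntpath.splitext(dst)[1]
    return (src_ext in TARGETED_EXTENSIONS
            and bool(FOUR_BYTE_EXT.match(dst_ext))
            and dst_ext.lower() not in BENIGN_4CHAR)

def analyze(lines):
    """Return (alert, suspicious_events, per_directory_counts) for a batch of event lines."""
    suspicious, per_dir = [], Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and is_suspicious_rename(ev[1], ev[2]):
            suspicious.append(ev)
            per_dir[ntpath.dirname(ev[1])] += 1
    return len(suspicious) >= ALERT_THRESHOLD, suspicious, per_dir

SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real incident
    "2022-01-13T10:00:01Z RENAME C:\\Users\\a\\Documents\\report.rtf -> C:\\Users\\a\\Documents\\report.Q7xA",
    "2022-01-13T10:00:01Z RENAME C:\\Users\\a\\Documents\\db.bak -> C:\\Users\\a\\Documents\\db.zZ9k",
    "2022-01-13T10:00:02Z RENAME C:\\Users\\a\\Pictures\\photo.jpeg -> C:\\Users\\a\\Pictures\\photo.1bFf",
    "2022-01-13T10:00:02Z RENAME C:\\Users\\a\\Downloads\\draft.docx -> C:\\Users\\a\\Downloads\\final.docx",
    "2022-01-13T10:00:03Z RENAME C:\\Users\\a\\Downloads\\notes.rtf -> C:\\Users\\a\\Downloads\\notes.xltm",
    "2022-01-13T10:00:03Z RENAME C:\\Users\\a\\Downloads\\app.jar -> C:\\Users\\a\\Downloads\\app.Mx4Q",
]

if __name__ == "__main__":
    alert, hits, dirs = analyze(SAMPLE_EVENTS)
    print(f"alert={alert} suspicious={len(hits)} directories={dict(dirs)}")
```

A benign rename to a legitimate four-character extension (notes.rtf to notes.xltm) is deliberately excluded, which keeps document-conversion workflows from tripping the threshold.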

The threat actor’s goal in using the malware appears to be to render as many systems as possible unusable and to make recovery difficult.

“This has probably been done to introduce challenges to the daily activities of Ukrainian citizens, while also to delegitimize the authority of the Government of Ukraine,” Morgan said.

John Bambenek, chief threat hunter at Netenrich, says basic security hygiene is essential to protect against such attacks.

“Ultimately, any measure designed to prevent malware will work here,” Bambenek says. “Whether an attacker wants to implement ransomware, a RAT or MBR malware, you have a malware problem at its core.” Beyond that, he adds, a business continuity and disaster recovery plan is crucial, so there is a plan in place for service recovery.
