For weeks, the cybersecurity world has braced for destructive hacking that might accompany or presage a Russian invasion of Ukraine. Now, the first wave of those attacks appears to have arrived. While so far on a small scale, the campaign uses techniques that hint at a rerun of Russia’s massively disruptive campaign of cyberwar that paralyzed Ukraine’s government and critical infrastructure in years past.
Data-destroying malware, posing as ransomware, has hit computers within Ukrainian government agencies and related organizations, security researchers at Microsoft said Saturday night. The victims include an IT firm that manages a collection of websites, including the same ones that hackers defaced with an anti-Ukrainian message early on Friday. But Microsoft also warned that the number of victims may still grow as the wiper malware is discovered on more networks.
Viktor Zhora, a senior official at Ukraine’s cybersecurity agency, known as the State Services for Special Communication and Information Protection, or SSSCIP, says that he first began hearing about the ransomware messages on Friday. Administrators found PCs locked and displaying a message demanding $10,000 in Bitcoin, but the machines’ hard drives were irreversibly corrupted when an admin rebooted them. He says SSSCIP has only found the malware on a handful of machines, but also that Microsoft warned the Ukrainians it had evidence the malware had infected dozens of systems. As of Sunday morning ET, one victim appears to have attempted to pay the ransom in full.
“We’re trying to see if this is linked to a larger attack,” says Zhora. “This could be a first phase, part of more serious things that could happen in the near future. That’s why we’re very worried.”
Microsoft warns that when a PC infected with the fake ransomware is rebooted, the malware overwrites the computer’s master boot record, or MBR, the information on the hard drive that tells a computer how to load its operating system. Then it runs a file corruption program that overwrites a long list of file types in certain directories. Those destructive techniques are unusual for ransomware, Microsoft’s blog post notes, given that they’re not easily reversible if a victim pays a ransom. Neither the malware nor the ransom message appears customized for each victim in this campaign, suggesting the hackers had no intention of tracking victims or unlocking the machines of those who pay.
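As an added defensive example (not code from the article, Microsoft or any of the organizations named), the following Python checks the very structure a wiper of this kind destroys: it reads a disk's first 512-byte sector and verifies the 0x55AA boot signature, parses the classic four-entry partition table, and compares a SHA-256 hash against a known-good baseline. The sample sector is constructed inline; passing a real device path (for example a raw disk on Linux, with sufficient privileges) is an assumption.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status byte, 3 CHS bytes, type byte, 3 CHS bytes, LBA start, sector count
        boot_flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": boot_flag == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(sector: bytes, baseline_sha256: str) -> dict:
    """Compare a first sector against a baseline hash and report what an MBR wiper would break."""
    digest = hashlib.sha256(sector).hexdigest()
    findings = []
    if len(sector) != SECTOR_SIZE:
        findings.append("sector is not 512 bytes")
    elif sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partition_table(sector) if len(sector) == SECTOR_SIZE else []
    if not parts:
        findings.append("partition table empty")
    if digest != baseline_sha256:
        findings.append("hash differs from baseline")
    return {"sha256": digest, "partitions": parts, "findings": findings, "intact": not findings}


def read_first_sector(path: str) -> bytes:
    """Read the MBR from a device or disk image; the path is an assumption of this example."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_sector() -> bytes:
    """Constructed clean MBR: dummy boot code, one bootable type-0x07 partition, valid signature."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (PART_TABLE_OFFSET - 3)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


BASELINE_SHA256 = hashlib.sha256(build_sample_sector()).hexdigest()  # recorded while the host is known-good
WIPED_SECTOR = b"\x00" * SECTOR_SIZE                                 # constructed: what an overwritten MBR looks like
```

Running `check_mbr(read_first_sector(path), BASELINE_SHA256)` from a boot medium after a suspicious reboot distinguishes an intact MBR from one that has been overwritten, before any recovery is attempted.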
Both of the malware’s destructive techniques, as well as its fake ransomware message, carry eerie reminders of data-wiping cyberattacks Russia carried out against Ukrainian systems from 2015 to 2017, sometimes with devastating results. In the 2015 and 2016 waves of those attacks, a group of hackers known as Sandworm, later identified as part of Russia’s GRU military intelligence agency, used malware similar to the kind Microsoft has identified to wipe hundreds of PCs inside Ukrainian media, electric utilities, railway system, and government agencies including its Treasury and pension fund.
Those targeted disruptions, many of which used similar fake ransomware messages in an attempt to confuse investigators, culminated with Sandworm’s release of the NotPetya worm in June of 2017, which spread automatically from machine to machine within networks. Like this current attack, NotPetya overwrote master boot records along with a list of file types, paralyzing hundreds of Ukrainian organizations, from banks to Kyiv hospitals to the Chernobyl monitoring and cleanup operation. Within hours, NotPetya spread worldwide, ultimately causing a total of $10 billion in damage, the costliest cyberattack in history.
The appearance of malware that even vaguely resembles those earlier attacks has ratcheted up the alarms within the global cybersecurity community, which had already warned of data-destructive escalation given tensions in the region. Security firm Mandiant, for instance, released a detailed guide on Friday to hardening IT systems against potential destructive attacks of the kind Russia has carried out in the past. “We’ve been specifically warning our customers of a destructive attack that appeared to be ransomware,” says John Hultquist, who leads Mandiant’s threat intelligence.
Microsoft has been careful to point out that it has no evidence of any known hacker group’s responsibility for the new malware it discovered. But Hultquist says he can’t help but notice the malware’s similarities to destructive wipers used by Sandworm. The GRU has a long history of carrying out acts of sabotage and disruption in Russia’s so-called “near-abroad” of former Soviet states. And Sandworm in particular has a history of ramping up its destructive hacking at moments of tension or active conflict between Ukraine and Russia. “In the context of this crisis, we expect the GRU to be the most aggressive actor,” Hultquist says. “This problem is their wheelhouse.”