In recent months, geopolitical tensions have intensified as Russia has amassed tens of thousands of troops along the border with Ukraine and subtle but far-reaching threats if Ukraine and NATO do not agree with the Kremlin’s demands.
Now, a similar dispute is playing out in cyber arenas, as late last week unknown hackers defaced dozens of Ukrainian government websites and left a cryptic warning to Ukrainian citizens who tried to receive services.
Be afraid and expect the worst
“All data on the computer is being destroyed, it is impossible to recover it,” read a message, written in Ukrainian, Russian and Polish, that appeared late last week on at least some of the infected systems. “All information about you has been made public, be afraid and expect the worst.”
Around the same time, Microsoft saying In a post over the weekend, “destructive” malware with the ability to permanently destroy computers and all the data stored on them began showing up on the networks of a dozen government, non-profit and IT organizations. information, all based in Ukraine. The malware, which Microsoft calls Whispergate, masquerades as ransomware and demands $10,000 in bitcoins to restore data.
But Whispergate lacks the means to distribute decryption keys and provide technical support to victims, features found in virtually all working ransomware deployed in the wild. It also overwrites the master boot record, a part of the hard drive that starts the operating system during boot.
“Overwriting the MBR is atypical for cybercriminal ransomware,” members of the Microsoft Threat Intelligence Center wrote in Saturday’s post. “In reality, the ransomware note is a ruse and the malware destroys MBR and the content of the files it targets. There are several reasons why this activity is inconsistent with the cybercriminal ransomware activity observed by MSTIC.”
Over the weekend, Serhiy Demedyuk, deputy head of Ukraine’s National Security and Defense Council, told media outlets that preliminary findings from a joint investigation by several Ukrainian state agencies show that a group of threat actors known as UNC1151 he was probably behind the disfigurement attack. The group, which researchers from the security firm Mandiant have linked to the government of Russian ally Belarus, was behind an influence campaign called Ghostwriter.
Ghostwriter worked by using phishing emails and theft domains that spoof legitimate websites like Facebook to steal victims’ credentials. Controlling the content management systems belonging to news sites and other heavily trafficked properties, UNC1151 “primarily promoted anti-NATO narratives that appeared aimed at undermining regional security cooperation in operations targeting Lithuania, Latvia, and Poland.” , the authors of the Mandiant report wrote.
All evidence points to Russia
Ukrainian officials said that UNC1151 was likely working on behalf of Russia when it used its ability to collect credentials and infiltrate websites to deface Ukrainian government sites. in a statement, they wrote:
As of now, we can say that all the evidence points to Russia being behind the cyber attack. Moscow continues to wage hybrid warfare and is actively building forces in information and cyberspace.
Russia’s cyber troops often work against the United States and Ukraine, trying to use technology to shake up the political situation. The latest cyber attack is one of the manifestations of Russia’s hybrid war against Ukraine, which has been going on since 2014.
Their goal is not just to intimidate society. And to destabilize the situation in Ukraine by stopping the work of the public sector and undermining trust in the government by Ukrainians. They can achieve this by launching fakes in the information space about the vulnerability of critical information infrastructure and the “draining” of personal data from Ukrainians.
There were no immediate reports that the defacements had a destructive effect on government networks, although Reuters on Monday reported Ukraine’s cyber police found that last week’s defacement appeared to have destroyed “external information resources”.
“The attackers manually destroyed several external information resources,” police said, without giving further details. The police added: “It can already be argued that the attack is more complex than modifying the home page of websites.”
Meanwhile, Microsoft wouldn’t say whether the destructive data eraser it found on Ukrainian networks was simply installed for potential use later or actually executed to wreak havoc.
There is no evidence that the Russian government was involved in the wiper malware or website defacement, and Russian officials have strongly denied this. But given past events, Russian involvement would not be a surprise.
In 2017, a massive outbreak of malware initially believed to be ransomware shut down computers around the world and resulted in $10 billion in total damage, making it the costliest cyberattack in history.
NotPetya initially spread via a legitimate updater module of MEDoc, a tax accounting application that is widely used in Ukraine. both ukrainian
and US government officials have said Russia was behind the attacks. In 2020, federal prosecutors charged four Russian citizens with alleged hacking crimes related to NotPetya.