Microsoft Uncovers Destructive Malware Used in Ukraine Cyberattacks

Newly detected WhisperGate malware being used by previously unknown threat group in cyberattacks against Ukraine


Microsoft on Saturday warned of a new, destructive malware being used in cyberattacks against the Ukraine government.

Microsoft describes the malware as a possible Master Boot Record (MBR) wiper: it executes when an impacted device is powered down and disguises itself as ransomware—but it lacks a ransom recovery mechanism and is intended to be destructive and to brick targeted devices.

The tech giant says the malware, which it refers to as “WhisperGate”, first appeared on victim systems in Ukraine on January 13, 2022 and targeted multiple organizations, all in Ukraine.

While Microsoft says it has not found any notable associations between the observed activity (which it tracks as DEV-0586) and other known threat groups, Ukraine said Sunday it had “evidence” that Russia was behind the attacks.

A private sector cybersecurity expert in Kyiv told The Associated Press that the attackers penetrated the government networks through a shared software supplier in a supply-chain attack. That supplier is reportedly a firm named Kitsoft.

“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” Microsoft said in a blog post. “These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine.” 

The Microsoft Threat Intelligence Center (MSTIC) has shared tactics, techniques, and procedures (TTPs), along with indicators of compromise (IOCs), related to the attacks.


“We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations,” Microsoft added. “However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.”

Ukraine’s SBU security service said the attacks had targeted at least 70 government websites.

“The existence of wiper malware disguised as ransomware is not new,” Calvin Gan, Senior Manager, Tactical Defence at F-Secure, told SecurityWeek. “WhisperGate or DEV-0586 as Microsoft calls it has a similar resemblance to NotPetya discovered back in 2017 which is also a wiper malware disguised as a ransomware. NotPetya at that time had crippled many companies in Ukraine, France, Russia, Spain and the United States. Then there is also the Agrius group tracked by researchers from SentinelOne who recently has also been utilizing wiper malware on their target organizations in the Middle East.”

Commenting on the destructive nature of the malware, Gan noted that overwriting the MBR renders the machine unbootable, making recovery impossible, especially when the malware also overwrites file contents before overwriting the MBR.
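As an added defender-side illustration (this is not code from the article, from Microsoft or from F-Secure), the script below parses a 512-byte boot sector and compares its bootstrap area against a known-good hash, the kind of integrity check that would surface the MBR overwrite described above; both sample sectors are constructed here and the baseline hash is assumed to have been recorded when the machine was provisioned.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into bootstrap-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):  # four 16-byte entries at offset 446
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def check_mbr(sector: bytes, baseline_code_sha256: str) -> list:
    """Return findings that indicate the MBR was tampered with; empty list means clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings


def make_sample_mbr() -> bytes:
    """Constructed benign MBR: a jump stub, one bootable NTFS partition, valid signature."""
    code = bytes([0xEB, 0x63, 0x90]) + b"\x00" * 443
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


GOOD_MBR = make_sample_mbr()
BASELINE = parse_mbr(GOOD_MBR)["code_sha256"]   # assumed recorded at provisioning time
# Constructed "wiped" sector: bootstrap area replaced by a placeholder note, no signature.
WIPED_MBR = b"CONSTRUCTED SAMPLE NOTE".ljust(SECTOR_SIZE, b"\x00")

if __name__ == "__main__":
    print("clean:", check_mbr(GOOD_MBR, BASELINE))
    print("wiped:", check_mbr(WIPED_MBR, BASELINE))
```

On a live host the 512 bytes would be read from the raw boot device rather than constructed, and a clean result only means the MBR matches the baseline; it says nothing about file contents the wiper may already have overwritten.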

“While the attacker’s true intention of deploying wiper ransomware coupled with file corrupter is not known at the moment,” Gan said, “having it targeting governmental agencies and associated establishments is a sign that they want operations in these organizations ceased immediately. Perhaps, the bitcoin wallet address and communication channel in the ransom note of WhisperGate is a smoke screen to divert attention of the attacker’s true intention of the attack while making it harder to track them.”

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
