Microsoft Uncovers Destructive Malware Used in Ukraine Cyberattacks

Newly detected WhisperGate malware being used by previously unknown threat group in cyberattacks against Ukraine

Microsoft on Saturday warned of a new, destructive malware being used in cyberattacks against the Ukraine government.

Described as a possible Master Boot Record (MBR) wiper, Microsoft says the malware is executed when an impacted device is powered down and disguises itself as ransomware—but lacks a ransom recovery mechanism and is intended to be destructive and brick targeted devices.

The tech giant says the malware, which it refers to as “WhisperGate”, first appeared on victim systems in Ukraine on January 13, 2022, and targeted multiple organizations, all in Ukraine.

While Microsoft says it has not found any notable associations between the observed activity (which it tracks as DEV-0586) and other known threat groups, Ukraine said Sunday it had “evidence” that Russia was behind the attacks.

A private sector cybersecurity expert in Kyiv told The Associated Press that the attackers penetrated the government networks through a shared software supplier in a supply-chain attack. That supplier is reportedly a firm named Kitsoft.

“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” Microsoft said in a blog post. “These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine.” 

The Microsoft Threat Intelligence Center (MSTIC) has shared tactics, techniques, and procedures (TTPs), along with indicators of compromise (IOCs) related to the attacks.

“We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations,” Microsoft added. “However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.”

Ukraine’s SBU security service said the attacks had targeted at least 70 government websites.

“The existence of wiper malware disguised as ransomware is not new,” Calvin Gan, Senior Manager, Tactical Defence at F-Secure, told SecurityWeek. “WhisperGate or DEV-0586 as Microsoft calls it has a similar resemblance to NotPetya discovered back in 2017 which is also a wiper malware disguised as a ransomware. NotPetya at that time has crippled many companies in Ukraine, France, Russia, Spain and the United States. Then there is also the Agrius group tracked by researchers from SentinelOne who recently has also been utilizing wiper malware on their target organizations in the Middle East.”

Commenting on the destructive nature of the malware, Gan noted that overwriting the MBR would render the machine unbootable, making recovery impossible, especially when the malware also overwrites file contents before overwriting the MBR.

“While the attacker’s true intention of deploying wiper ransomware coupled with file corrupter is not known at the moment,” Gan said, “having it targeting governmental agencies and associated establishments is a sign that they want operations in these organizations ceased immediately. Perhaps, the bitcoin wallet address and communication channel in the ransom note of WhisperGate is a smoke screen to divert attention of the attacker’s true intention of the attack while making it harder to track them.”

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
