
Microsoft Uncovers Destructive Malware Used in Ukraine Cyberattacks

Newly detected WhisperGate malware being used by previously unknown threat group in cyberattacks against Ukraine

Microsoft on Saturday warned of a new, destructive malware being used in cyberattacks against the Ukraine government.

Microsoft describes the malware as a possible Master Boot Record (MBR) wiper: it executes when an infected device is powered down and masquerades as ransomware, but it has no ransom recovery mechanism. Its purpose is destructive, to brick the targeted devices.

The tech giant says the malware, which it refers to as “WhisperGate”, first appeared on victim systems in Ukraine on January 13, 2022 and targeted multiple organizations, all based in Ukraine.

While Microsoft says it has not found any notable associations between the observed activity (which it tracks as DEV-0586) and other known threat groups, Ukraine said Sunday it had “evidence” that Russia was behind the attacks.

A private sector cybersecurity expert in Kyiv told The Associated Press that the attackers penetrated the government networks through a shared software supplier in a supply-chain attack. That supplier is reportedly a firm named Kitsoft.

“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” Microsoft said in a blog post. “These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine.” 

The Microsoft Threat Intelligence Center (MSTIC) has shared tactics, techniques, and procedures (TTPs), along with indicators of compromise (IOC) related to the attacks. 

“We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations,” Microsoft added. “However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.”

Ukraine’s SBU security service said the attacks had targeted at least 70 government websites.

“The existence of wiper malware disguised as ransomware is not new,” Calvin Gan, Senior Manager, Tactical Defence at F-Secure, told SecurityWeek. “WhisperGate, or DEV-0586 as Microsoft calls it, has a similar resemblance to NotPetya, discovered back in 2017, which was also wiper malware disguised as ransomware. NotPetya at that time crippled many companies in Ukraine, France, Russia, Spain and the United States. Then there is also the Agrius group, tracked by researchers from SentinelOne, which has recently also been utilizing wiper malware on its target organizations in the Middle East.”

Commenting on the destructive nature of the malware, Gan noted that overwriting the MBR renders the machine unbootable, and that recovery becomes impossible when the malware also overwrites file contents before overwriting the MBR.
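The point above is about what a wiped MBR looks like from the defender's side, so the following added example (written for this page, not code from Microsoft, F-Secure or SecurityWeek) parses the first sector of a disk and flags the signs of an overwritten boot record: a missing 0x55AA boot signature, an empty or implausible partition table, and a bootstrap area that is a flat fill rather than code. The sample sectors are constructed in the script, the "flat fill" heuristic is an assumption of this example, and the function name `mbr_issues` is not from the article.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # bootstrap code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16         # four entries, 446..509
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Decode the classic MBR layout into bootstrap bytes, partition entries
    and a flag for the boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sector_count})
    return {
        "bootstrap": sector[:PARTITION_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def mbr_issues(sector: bytes) -> list:
    """Return human-readable findings; an empty list means the sector looks
    like a plausible MBR. Each check is a heuristic, not proof of wiping."""
    mbr = parse_mbr(sector)
    issues = []
    if not mbr["signature_ok"]:
        issues.append("boot signature 0x55AA missing")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if not used:
        issues.append("partition table is empty")
    for idx, p in enumerate(mbr["partitions"]):
        if p["type"] != 0 and (p["sectors"] == 0 or p["lba_start"] == 0):
            issues.append(f"partition {idx} has type 0x{p['type']:02x} "
                          "but zero start or length")
    # Assumed heuristic: real bootstrap code uses many distinct byte values;
    # a region overwritten with a repeated filler uses only one or two.
    if len(set(mbr["bootstrap"])) <= 2:
        issues.append("bootstrap area is a flat fill, not boot code")
    return issues


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a raw device or disk image (needs read access)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def sample_mbr(wiped: bool) -> bytes:
    """Constructed sample sectors for demonstration, not captured disk data."""
    if wiped:
        return b"\x00" * SECTOR_SIZE            # entire sector overwritten
    boot = bytes((i * 7 + 3) % 256 for i in range(PARTITION_TABLE_OFFSET))
    # one bootable NTFS-type (0x07) partition starting at LBA 2048, 204800 sectors
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return boot + table + BOOT_SIGNATURE


if __name__ == "__main__":
    for label, sector in (("healthy", sample_mbr(False)), ("wiped", sample_mbr(True))):
        print(label, mbr_issues(sector) or "no issues")
```

On a live host the same function can be pointed at `read_first_sector("/dev/sda")` (or a forensic image); a clean result does not prove the disk is untouched, but any finding on a machine that booted yesterday is worth an immediate image and investigation.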

“While the attacker’s true intention in deploying wiper ransomware coupled with a file corrupter is not known at the moment,” Gan said, “having it target governmental agencies and associated establishments is a sign that they want operations in these organizations ceased immediately. Perhaps the bitcoin wallet address and communication channel in the ransom note of WhisperGate are a smoke screen to divert attention from the attacker’s true intention while making it harder to track them.”

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.