BOSTON (AP) — Microsoft said late Saturday that dozens of computer systems in an unknown number of Ukrainian government agencies had been infected with destructive malware disguised as ransomware, a disclosure suggesting that an eye-catching defacement attack on official websites was a diversion. The extent of the damage was not immediately clear.
The attack comes as the threat of a Russian invasion of Ukraine looms and diplomatic talks to resolve the tense standoff appear to have stalled.
Microsoft said in a short blog post that amounted to sounding an industry alarm that it first detected the malware on Thursday. This would coincide with the attack which temporarily took some 70 government websites offline.
The disclosure followed a Reuters report earlier in the day quoting a senior Ukrainian security official as saying the defacement was indeed a cover for a malicious attack.
Separately, a senior private-sector cybersecurity official in Kyiv told The Associated Press that the attack succeeded through a supply-chain compromise, in the style of the 2020 Russian SolarWinds cyber espionage campaign that targeted the U.S. government.
Microsoft said in a separate technical article that the affected systems “represent multiple government, nonprofit, and information technology organizations.” It said it did not know how many other organizations in Ukraine or elsewhere might be affected, but said it expected to learn of more infections.
“The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable,” Microsoft said. In short, it lacks a ransom recovery mechanism.
Microsoft said the malware “runs when an associated device is turned off,” a typical initial reaction to a ransomware attack.
Microsoft said it was not yet able to assess the intent of the destructive activity or associate the attack with known threat actors. Serhiy Demedyuk, deputy secretary of Ukraine’s National Security and Defense Council, was quoted by Reuters as saying the attackers used malware similar to that used by Russian intelligence services.
A preliminary investigation has led Ukraine’s security service, the SBU, to blame the website defacement on “hacker groups linked to Russian intelligence.” Moscow has repeatedly denied any involvement in cyberattacks against Ukraine.
Tensions with Russia have escalated in recent weeks after Moscow massed around 100,000 troops near the Ukrainian border. Experts say they expect any invasion to have a cyber component, which is an integral part of modern “hybrid” warfare.
Demedyuk told Reuters in written comments that the defacement “was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.” He did not elaborate, and Demedyuk could not immediately be reached for comment.
Oleh Derevianko, a prominent private-sector expert and founder of cybersecurity firm ISSP, told the AP he didn’t know how severe the damage was. He added that it was also unclear what else the attackers could have done after breaking into KitSoft, the developer they exploited to seed the malware.
In 2017, Russia targeted Ukraine with one of the most damaging cyberattacks on record, the NotPetya virus, causing over $10 billion in damage worldwide. That virus, also disguised as ransomware, was a so-called “wiper” that erased entire networks.
Ukraine has suffered the unfortunate fate of being the global testing ground for cyber conflict. Russian state-backed hackers nearly thwarted the 2014 national elections and briefly crippled parts of its power grid in the winters of 2015 and 2016.
During Friday’s massive web defacement, a message left by the attackers claimed they had destroyed data and uploaded it, which Ukrainian authorities said did not happen.
The message told Ukrainians “to be afraid and expect the worst”.
Ukrainian cybersecurity professionals have been bolstering critical infrastructure defenses since 2017, with more than $40 million in U.S. assistance. They are particularly concerned about Russian attacks on the power grid, the rail network and the central bank.
Copyright 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.