For weeks, the world of cybersecurity has been bracing for the devastating hack that could accompany or foreshadow a Russian invasion of Ukraine. Now it looks like the first wave of those attacks has arrived. While small in scale so far, the campaign uses techniques that look like a replay of Russia's massive cyberwar sabotage campaign, which has crippled the Ukrainian government and critical infrastructure in past years.
Security researchers at Microsoft said Saturday evening that data-destroying malware posing as ransomware has infected computers within Ukrainian government agencies and related organizations. Among the victims was the IT company that manages a collection of websites, including the ones that hackers defaced with an anti-Ukrainian message early Friday. Microsoft also warned that the number of victims may continue to grow as the malware is discovered on more networks.
Victor Zhora, a senior official with Ukraine's cybersecurity agency, known as the State Service for Special Communications and Information Protection, or SSSCIP, says he first began hearing about the ransom messages on Friday. Administrators found PCs locked and displaying a message demanding $10,000 in bitcoin, but when they restarted the devices, the hard drives had been irreversibly damaged. He says SSSCIP has found the malware on only a handful of devices, although Microsoft warned Ukrainians that it had evidence the malware had infected dozens of systems. As of Sunday morning ET, no one appeared to have attempted to pay the ransom.
"We are trying to see if this is related to a larger attack," Zhora says. "This could be the first stage, and part of more serious things that could happen in the near future. That's why we're so concerned."
Microsoft warns that the fake ransomware overwrites an infected computer's master boot record, or MBR, the portion of the hard drive that tells the computer how to load its operating system, so that on restart the machine shows the ransom note instead of booting. The malware then runs a file corrupter that overwrites files with a long list of extensions in certain directories. These destructive methods are unusual for ransomware, Microsoft's blog post notes, because they cannot be easily undone even if the victim pays. Neither the malware nor its ransom message appeared to be customized for individual victims in this campaign, suggesting the hackers had no intention of tracking victims or unlocking the devices of those who pay.
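Because an MBR overwrite of the kind described above changes the first 512 bytes of the disk, a defender can detect it by comparing that sector against a known-good baseline. The following is an added example written for this page, not code from the article, Microsoft or any incident report. It parses the standard MBR layout (446 bytes of bootstrap code, a 64-byte partition table of four 16-byte entries, and the 0x55AA boot signature), hashes the bootstrap region, and reports any deviation from a baseline. The "good" and "tampered" sectors are constructed in the block; the ransom text in the tampered sample is invented for the demonstration and is not the real note.

```python
"""Baseline integrity check for a master boot record (MBR).

Added example with constructed sample sectors; not data from the incident.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow it
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a bootable MBR

# Partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PART_ENTRY_FMT = "<B3sB3sII"


def build_mbr(bootstrap, partitions, signature=BOOT_SIGNATURE):
    """Assemble a 512-byte MBR from its parts (used here only to build samples)."""
    if len(bootstrap) > BOOTSTRAP_SIZE:
        raise ValueError("bootstrap code too large for MBR")
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
        for status, ptype, lba_start, sectors in partitions
    )
    table = table.ljust(4 * PART_ENTRY_SIZE, b"\0")
    return bootstrap.ljust(BOOTSTRAP_SIZE, b"\0") + table + signature


def parse_partition_table(mbr):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, offset)
        if ptype != 0:  # type 0 means an unused slot
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def bootstrap_hash(mbr):
    """SHA-256 of the bootstrap code region; this is what gets replaced by a ransom-note loader."""
    return hashlib.sha256(mbr[:BOOTSTRAP_SIZE]).hexdigest()


def check_mbr(mbr, baseline_hash, baseline_partitions):
    """Compare a captured MBR against a baseline; return a list of findings (empty means clean)."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append("sector is %d bytes, expected %d" % (len(mbr), MBR_SIZE))
        return findings
    if mbr[-2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: sector will not boot")
    if bootstrap_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline: possible MBR overwrite")
    if parse_partition_table(mbr) != baseline_partitions:
        findings.append("partition table differs from baseline")
    return findings


# Constructed known-good MBR: arbitrary bootstrap bytes plus one bootable NTFS-type (0x07) partition.
GOOD_MBR = build_mbr(b"\xeb\x63\x90" + bytes(range(256)), [(0x80, 0x07, 2048, 1_000_000)])
GOOD_HASH = bootstrap_hash(GOOD_MBR)
GOOD_PARTS = parse_partition_table(GOOD_MBR)

# Constructed tampered MBR: bootstrap replaced by an invented note, partition table left intact.
FAKE_NOTE = b"CONSTRUCTED SAMPLE NOTE: your disk is locked, pay to recover"
TAMPERED_MBR = build_mbr(FAKE_NOTE, [(0x80, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, GOOD_HASH, GOOD_PARTS))
    print("tampered:", check_mbr(TAMPERED_MBR, GOOD_HASH, GOOD_PARTS))
```

On a live host the baseline hash would be recorded when the machine is provisioned and the current sector read from the raw disk device with administrative rights (for example the first 512 bytes of `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux). Legitimate events such as bootloader updates also change the bootstrap region, so a mismatch is a trigger for investigation rather than proof of compromise.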
Both the malware's destructive tactics and its fake ransomware message are chilling reminders of the data-wiping cyberattacks that Russia carried out against Ukrainian systems from 2015 to 2017, sometimes with devastating results. In waves of attacks in 2015 and 2016, a group of hackers known as Sandworm, later identified as part of the Russian military intelligence agency GRU, used malware similar to the kind Microsoft has identified to wipe hundreds of computers inside Ukrainian media outlets, electrical utilities, the railway system, and government bodies including the Treasury and Pension Fund.
Those targeted disruptions, many of which used similar fake ransom messages in an attempt to confuse investigators, culminated in Sandworm's release of the NotPetya worm in June 2017, which spread automatically from machine to machine within networks. Like the current attack, NotPetya overwrote master boot records along with a list of file types, paralyzing hundreds of Ukrainian organizations, from banks to Kyiv hospitals to the Chernobyl monitoring and cleanup operation. Within hours, NotPetya spread around the world, ultimately causing a total of $10 billion in damage, the most expensive cyberattack in history.
The emergence of malware that even loosely resembles those earlier attacks has raised alarms within the global cybersecurity community, which had already warned of a destructive escalation given the tensions in the region. Security firm Mandiant, for example, released a detailed guide on Friday for hardening IT systems against potentially destructive attacks of the kind Russia has carried out in the past. "We were specifically warning our clients of a destructive attack that appeared to be ransomware," says John Hultquist, who leads threat intelligence at Mandiant.
Microsoft was careful to point out that it has no evidence that any known hacker group is responsible for the new malware it discovered. But Hultquist says he couldn't help but notice the malware's similarity to the destructive tools Sandworm has used. The GRU has a long history of carrying out acts of sabotage and disruption in the so-called "near abroad" of former Soviet countries. Sandworm in particular has a history of ramping up destructive hacking in moments of tension or active conflict between Ukraine and Russia. "In the context of this crisis, we expect the GRU to be the most aggressive actor," says Hultquist. "This problem is their wheelhouse."