By Staff Writer.
Ukraine’s Ministry of Digital Development has accused Russia of a cyber-attack on scores of Ukrainian government, non-profit, and information technology organisations after hackers defaced websites and Microsoft identified malware hidden across Ukrainian computer networks.
Some 70 Ukrainian government websites went offline late last weekend after being defaced. Ukraine initially attributed the defacing to a Russian backed group in Belarus.
Concerns escalated on Saturday when Microsoft’s Microsoft Threat Intelligence Center (MSTIC) identified evidence of destructive malware operation targeting multiple organizations in Ukraine.
Microsoft says the malware is designed to look like ransomware but lacks a ransom recovery mechanism. They say the ransomware note is a ruse and that the malware renders the targeted devices inoperable.
A Microsoft advisory says the malware has infected dozens of Ukrainian computer networks. However, the US tech company cannot say exactly how many systems are impacted.
“Given the scale of the observed intrusions, MSTIC is not able to assess the intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine,” the advisory says.
Microsoft calls the malware unique and says it operates in two stages. The first stage overwrites the master boot record (MBR) and displays a fake ransom note. The MBR is the part of a hard drive that tells the computer how to load its operating system.
While overwriting the MBR is typical of ransomware malware, this malware differs in several respects. Typically, ransomware attacks are customized, encrypt rather than destroy files, and don’t specify precise ransom amounts or wallet addresses in the first communications. This was not the case here.
Also missing is the custom ID typical of ransomware attacks and several avenues of communication being made available. In this case, only a Tox messaging ID was made available.
Microsoft calls these characteristics “inconsistent with cybercriminal ransomware activity observed by MSTIC.”
The second stage of the malware corrupts files. The malware targets files bearing nearly 200 hardcoded file extensions. Microsoft says the corrupter overwrites the file’s contents with a fixed number of 0xCC bytes and renames each file with a random four-byte extension.
Russian backed grey zone activities against Ukraine are increasing amid the threat of a possible invasion.
Previous Russian back cyber-activity in Ukraine includes an attack during the 2014 Presidential election, two attacks on the electricity grid in 2015, and the 2017 deployment of the NotPetya malware that was traced back to Russia and bears some similarities to the current cyber-attack.
The White House believes the weekend’s cyber-attack is part of Russian groundwork for a planned false flag incident.
At the time of writing, neither the US Government nor Microsoft has attributed the attack to Russia. However, Ukraine did so on Sunday.
“We can say that all the evidence points to the fact that Russia is behind the cyber-attack,” a statement from Ukraine’s Ministry of Digital Development says. “Moscow continues to wage a hybrid war and is actively building forces in the information and cyberspace.
“The battlefield for security and the very existence of our state lies in several planes – military, diplomatic, historical, and now digital.”
