Microsoft says dozens of computer systems in an unknown number of Ukrainian government agencies have been infected with destructive malware disguised as ransomware
BOSTON — Microsoft said late Saturday that dozens of computer systems in an unknown number of Ukrainian government agencies had been infected with destructive malware disguised as ransomware, a disclosure suggesting an eye-catching defacement attack on official websites was a diversion. The extent of the damage was not immediately clear.
Microsoft said in a short blog post, which amounted to sounding an industry alarm, that it first detected the malware on Thursday. That timing coincides with the attack that temporarily took some 70 government websites offline.
The disclosure followed a Reuters report earlier in the day quoting a senior Ukrainian security official as saying the defacement was indeed a cover for a malicious attack.
Separately, a senior private-sector cybersecurity official in Kyiv told The Associated Press how the attack succeeded: through a supply-chain compromise in the style of the Russian SolarWinds 2020 cyber-espionage campaign that targeted the U.S. government.
Microsoft said in a separate technical article that the affected systems “represent multiple government, nonprofit, and information technology organizations.” It said it did not know how many other organizations in Ukraine or elsewhere might be affected, but said it expected to learn of more infections.
“The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable,” Microsoft said. In short, it lacks a ransom recovery mechanism.
Microsoft said the malware “executes when an associated device is powered down,” a typical initial reaction to a ransomware attack.
Microsoft said it was not yet able to assess the intent of the destructive activity or attribute the attack to known threat actors. Ukrainian security official Serhiy Demedyuk, Deputy Secretary of the National Security and Defense Council, was quoted by Reuters as saying the attackers used malware similar to that used by Russian intelligence services.
Tensions with Russia have escalated in recent weeks after Moscow massed around 100,000 troops near the Ukrainian border. Experts say they expect any invasion to have a cyber component, an integral part of modern “hybrid” warfare.
Demedyuk told Reuters in written comments that the defacement “was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.” He did not elaborate, and Demedyuk could not immediately be reached for comment.
Oleh Derevianko, a prominent private-sector expert and founder of the cybersecurity firm ISSP, told the AP he did not know how severe the damage was. He added that it was also unclear what else the attackers could have done after breaking into KitSoft, the developer whose access they exploited to seed the malware.
In 2017, Russia targeted Ukraine with one of the most damaging cyberattacks on record, the NotPetya virus, causing over $10 billion in damage worldwide. That virus, also disguised as ransomware, was a so-called “wiper” that wiped out entire networks.
During Friday’s mass web defacement, a message left by the attackers claimed they had destroyed data and posted it online, which Ukrainian authorities said did not happen.
The message told Ukrainians “to be afraid and expect the worst”.
Ukrainian cybersecurity professionals have been bolstering critical-infrastructure defenses since 2017, with more than $40 million in U.S. assistance. They are particularly concerned about Russian attacks on the electricity grid, the railway network and the central bank.