Attack on the Ukrainian Government and Business Entities: A new destructive malware

A new destructive malware targeting Ukrainian government and business entities

Cybersecurity teams from Microsoft on Saturday disclosed they identified evidence of a new destructive malware operation dubbed “WhisperGate” targeting government, non-profit, and information technology entities in Ukraine amid brewing geopolitical tensions between the country and Russia.

“The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable,” Tom Burt, corporate vice president of customer security and trust at Microsoft, said, adding the intrusions were aimed at government agencies that provide critical executive branch or emergency response functions.

Also among those affected by the malware is an IT firm that “manages websites for public and private sector clients, including government agencies whose websites were recently defaced,” Burt noted.

The computing giant, which first detected the malware on January 13, attributed the attacks to an emerging threat cluster codenamed “DEV-0586,” with no observed overlaps in tactics and procedures with other previously documented groups. The malware was also found on many impacted systems, a number that is expected to grow as investigations continue.

According to the Microsoft Threat Intelligence Center and the Microsoft Digital Security Unit, the attack chains are two-stage processes that include:

  • Overwriting the Master Boot Record (MBR) on a victim’s system to display a fake ransom note urging the target to pay $10,000 to a bitcoin wallet. The MBR is the first sector of a hard disk; it identifies where the operating system is located on the disk so that it can be loaded into the computer’s RAM.
  • A second-stage executable that retrieves a file corrupter malware hosted on a Discord channel. The corrupter searches for files with 189 different extensions, irrevocably overwrites their contents with a fixed number of 0xCC bytes, and renames each file with a seemingly random four-byte extension.
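A defender-side triage script for the file corrupter described above, added here as an example and not code from this page or from Microsoft: it walks a directory tree and flags files whose contents begin with a long run of 0xCC bytes, or whose extension looks like the random four-byte one. The overwrite length, the run threshold and the extension heuristic are assumptions, since the page gives neither the byte count nor the extension alphabet.

```python
import os
import tempfile

# Assumed parameters (the page gives neither value): how many 0xCC bytes the
# corrupter writes over the start of each file, and how long a run we demand
# at offset 0 before calling a file "overwritten".
FILL_BYTE = 0xCC
OVERWRITE_LEN = 64 * 1024
MIN_RUN = 4096

def has_odd_extension(name):
    """Heuristic for a 'seemingly random four-byte extension' (assumption):
    four alphanumerics containing a digit or an uppercase letter, which
    ordinary extensions such as .docx or .xlsx do not."""
    ext = os.path.splitext(name)[1][1:]
    return len(ext) == 4 and ext.isalnum() and any(c.isdigit() or c.isupper() for c in ext)

def looks_overwritten(path, fill=FILL_BYTE, min_run=MIN_RUN):
    """True if the file begins with at least `min_run` bytes equal to `fill`.
    Legitimate documents do not start with a long run of a single byte."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(min_run)
    except OSError:
        return False
    return len(head) == min_run and head == bytes([fill]) * min_run

def triage(root):
    """Walk `root`; return (path, overwritten, odd_ext) for every suspicious file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            over, odd = looks_overwritten(path), has_odd_extension(name)
            if over or odd:
                hits.append((path, over, odd))
    return sorted(hits)

def run_demo():
    """Constructed sample tree: one intact document, one corrupted and renamed file."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"A" * 8192)          # plausible intact file
    with open(os.path.join(root, "budget.xlsx.Kf3q"), "wb") as fh:
        fh.write(bytes([FILL_BYTE]) * OVERWRITE_LEN)    # WhisperGate-style damage
    return [(os.path.basename(p), over, odd) for p, over, odd in triage(root)]

if __name__ == "__main__":
    for name, over, odd in run_demo():
        print(f"{name}: 0xCC-overwritten={over} odd-extension={odd}")
```

Files matching only the extension heuristic deserve a manual look, since the byte-run check is the stronger of the two indicators.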

The malicious activity is “inconsistent” with cybercriminal ransomware activity because “explicit payment amounts and cryptocurrency wallet addresses are rarely specified in modern criminal ransom notes” and “the ransom note in this case does not include a custom ID,” Microsoft said.

This development came as many government websites from the Eastern European country were hacked on Friday. The message warned Ukrainians that personal information was being stored online. According to the Security Service of Ukraine (SSU), there were “signs” of involvement by hacker groups linked with Russian intelligence services.

“MSTIC cannot assess the intent of identified destructive acts, but believes these actions pose an increased risk for any government agency or non-profit organization located in Ukraine,” the researchers warned.

However, Reuters earlier today raised the possibility that the attacks may have been the work of an espionage group linked to Belarusian intelligence that’s tracked as UNC1151 and Ghostwriter. “Multiple significant intrusions into Ukrainian government entities have been conducted by UNC1151,” cybersecurity firm Mandiant disclosed in a report in November 2021, describing the group’s operations as aligned with Belarusian government interests.

David
Hackarizona