The latest investigation into the wiper malware that attacked dozens of Ukrainian agencies at the beginning of this month has revealed “strategic similarities” to the NotPetya malware unleashed on the country’s infrastructure, and other areas, in 2017.
The malware, dubbed WhisperGate, was discovered last week by Microsoft, which said it observed the destructive cyber campaign targeting government, non-profit, and information technology entities in the nation and attributed the intrusions to an emerging threat cluster codenamed “DEV-0586.”
“While WhisperGate has some strategic similarities to the notorious NotPetya wiper that attacked Ukrainian entities in 2017, including masquerading as ransomware and targeting and destroying the master boot record (MBR) instead of encrypting it, it notably has more components designed to inflict additional damage,” Cisco Talos said in a report detailing its response efforts.
The cybersecurity firm said stolen credentials were likely used in the attack, and noted that the threat actor had access to certain victim networks months before the attacks took place, a hallmark of sophisticated APT threats.
The WhisperGate infection chain is a multi-stage process: a first payload wipes the master boot record (MBR), then a malicious DLL hosted on a Discord server is downloaded, which in turn drops and executes another wiper payload that irrevocably destroys files on the infected hosts by overwriting their content with fixed data.
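As an added example that is not part of the original report or of any Talos or Microsoft tooling, the following Python sketches two offline triage checks a responder could run against a disk image of a suspect host: a structural sanity check of the boot sector (a valid MBR ends in the 0x55AA signature and carries a non-empty partition table) and a heuristic that flags files whose entire content is one short repeating byte pattern, which is what an overwrite with fixed data leaves behind. The function names, the thresholds `min_size` and `max_period`, and every sample byte string are my own assumptions and constructed data, not values from the page or indicators of compromise.

```python
# Added example: offline forensic triage for a host suspected of a
# WhisperGate-style attack. Not code from Cisco Talos, Microsoft, or the
# malware itself; it implements two generic checks that follow from the
# behaviour the article describes (an overwritten MBR and files whose
# content was replaced with fixed data). All sample bytes are constructed.

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # bytes 510-511 of every valid MBR
PARTITION_TABLE = slice(446, 510)     # four 16-byte partition entries


def mbr_looks_wiped(sector: bytes) -> bool:
    """Return True when a boot sector fails basic structural sanity checks.

    Overwriting sector 0 normally destroys the 0x55AA signature and/or the
    partition table; either condition is a strong indicator of damage.
    """
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        return True
    if sector[PARTITION_TABLE] == b"\x00" * 64:
        return True
    return False


def file_looks_overwritten(data: bytes, min_size: int = 64,
                           max_period: int = 16) -> bool:
    """Heuristic: the content is one short byte pattern repeated end to end.

    Real documents almost never consist of a repeating 1-16 byte pattern;
    a file that does is a candidate for having been overwritten with fixed
    data. Files below min_size are skipped to limit false positives.
    """
    n = len(data)
    if n < min_size:
        return False
    for period in range(1, max_period + 1):
        pattern = data[:period]
        if data == (pattern * (n // period + 1))[:n]:
            return True
    return False


def read_boot_sector(image_path: str) -> bytes:
    """Read sector 0 from a raw disk image (offline use on a copy)."""
    with open(image_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def triage(boot_sector: bytes, files: dict) -> dict:
    """Run both checks; files maps a path to its bytes."""
    return {
        "mbr_wiped": mbr_looks_wiped(boot_sector),
        "overwritten_files": sorted(
            path for path, data in files.items()
            if file_looks_overwritten(data)
        ),
    }


def build_constructed_samples():
    """Constructed inputs: an intact MBR, a destroyed MBR, and some files."""
    intact = bytearray(MBR_SIZE)
    intact[0:2] = b"\x33\xC0"          # constructed boot-code stub (xor ax,ax)
    intact[446] = 0x80                 # first partition entry: bootable flag
    intact[450] = 0x07                 # first partition entry: NTFS type byte
    intact[510:512] = BOOT_SIGNATURE
    destroyed = b"\xCC" * MBR_SIZE     # constructed: signature and table gone
    files = {
        "report.docx": b"PK\x03\x04" + bytes(range(256)) * 4,  # varied content
        "notes.txt": b"\xCC" * 4096,                          # single byte
        "budget.xlsx": b"\xDE\xAD\xBE\xEF" * 1024,            # 4-byte period
        "tiny.cfg": b"\x00" * 10,                             # below min_size
    }
    return bytes(intact), destroyed, files


if __name__ == "__main__":
    intact_mbr, destroyed_mbr, sample_files = build_constructed_samples()
    print(triage(intact_mbr, sample_files))
    print(triage(destroyed_mbr, sample_files))
```

A file flagged by the heuristic is only a candidate: confirm against backups or file-system journal data before drawing conclusions, and tune `max_period` and `min_size` to the image being examined. Run the MBR check on a forensic copy rather than the live disk.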
The findings come a week after roughly 80 Ukrainian government agencies’ websites were defaced, with the Ukrainian intelligence agencies confirming that the twin incidents are part of a wave of malicious activities targeting its critical infrastructure, while also noting that the attacks leveraged the recently disclosed Log4j vulnerabilities to gain access to some of the compromised systems.
“Russia is using the country as a cyberwar testing ground — a laboratory for perfecting new forms of global online combat,” Wired’s Andy Greenberg noted in a 2017 deep-dive about the attacks that took aim at its power grid in late 2015 and caused unprecedented blackouts.
“Systems in Ukraine face challenges that may not apply to those in other regions of the world, and extra protections and precautionary measures need to be applied,” Talos researchers said. “To help reduce the dangers facing the region, it is crucial to ensure that these systems are properly patched as well as hardened.”