Microsoft: Ukrainian Government Hit With Destructive Malware

‘These actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine,’ the Microsoft Threat Intelligence Center (MSTIC) warned in a blog post Saturday.


The Ukrainian government has been pummeled by a destructive malware operation that’s disguised to look like ransomware but lacks a recovery mechanism, Microsoft revealed Saturday.

“We’ve observed destructive malware in systems belonging to several Ukrainian government agencies and organizations that work closely with the Ukrainian government,” Tom Burt, Microsoft’s CVP of customer security and trust, wrote in a blog post Saturday. “The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable.”

No notable overlap has been identified between the unique characteristics of the group behind this cyberattack on Ukraine and groups Microsoft has traditionally tracked, Burt wrote. Microsoft said the adversary’s malware is intended to be destructive and render targeted devices inoperable rather than to actually obtain a ransom. The malware first appeared on Ukrainian systems Thursday, Microsoft said.



The malware has been found in systems belonging to several Ukrainian government agencies as well as organizations that work closely with the Ukrainian government, Burt said. Specifically, government agencies that provide critical executive branch or emergency response functions as well as an IT firm that manages websites for public and private sector clients were besieged with the malware, Burt said.

Microsoft has identified the malware on dozens of impacted systems across the Ukrainian government, non-profit and IT sectors, and the number of affected organizations could grow as Microsoft’s probe continues. The observed activity is being tracked under the moniker DEV-0586, which is a temporary name given to an emerging or developing cluster of threat activity whose origins are unknown.

“These actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine,” the Microsoft Threat Intelligence Center (MSTIC) wrote in a blog post late Saturday. “We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses.”

Microsoft has notified each of the victims it has identified so far, partnered with other cybersecurity providers to share what it knows, and notified appropriate government agencies within the United States and elsewhere, according to Burt. This is customary for any observed activity believed to be associated with a nation-state actor, the MSTIC said.

The cyberattack against Ukraine comes amid escalating tensions between Russia and the West and reports of Russian troops amassing on the border with Ukraine. Russia has not commented specifically on the cyberattack, but Anatoly Antonov, Russia’s ambassador to the U.S., said the continuing advance of the North Atlantic Treaty Organization (NATO) to the east is a big threat to Russia’s national security.

“NATO’s efforts aimed at the military development of the former Soviet republics are unacceptable to us,” Antonov told Newsweek Saturday. “This is fraught with the deployment of missile systems and other destabilizing weapons that directly threaten our country. As a result, the risks of escalation and direct military clashes in the region and beyond will increase manifold.”

The two-stage malware used in the Ukrainian campaign overwrites the part of a hard drive that tells the computer how to load its operating system and replaces it with a ransom note, the MSTIC found. The ransom note contains a Bitcoin wallet and an account identifier used in the Tox encrypted messaging protocol, neither of which had previously been observed by Microsoft, according to the MSTIC.

But in reality, the MSTIC said, the ransom note is a ruse: the malware destroys the impacted part of the hard drive as well as the contents of the files it targets. The same Bitcoin wallet address has been used across all Ukrainian intrusions, but the only activity observed was a small transfer on Friday.

The malware itself is a malicious file corrupter that locates files in certain directories on the victim’s system, according to the MSTIC. After overwriting the contents of the file, the destructor renames each file with a seemingly random four-byte extension, according to Microsoft.
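The overwrite-then-rename sequence described above is the kind of behaviour an endpoint or file-server monitor can pick out of its own telemetry. The following Python script is an added example written for this article, not code from Microsoft or from the malware. It runs over a constructed, simplified file-event log (assumed format: timestamp, host, WRITE or RENAME, path) and flags hosts on which several files were written to and then renamed with a new four-character extension that is not a known file type. The assumption that the original filename is kept and the new suffix appended, and the threshold of three files, are choices made for the example rather than facts from the article.

```python
import re
from collections import defaultdict

# Constructed sample events for the example (not real telemetry).
# Format assumed here: "<timestamp> <host> WRITE <path>" or
#                      "<timestamp> <host> RENAME <src> -> <dst>"
SAMPLE_EVENTS = r"""
2022-01-13T22:01:03Z host-a WRITE C:\Users\alice\Documents\report.docx
2022-01-13T22:01:03Z host-a RENAME C:\Users\alice\Documents\report.docx -> C:\Users\alice\Documents\report.docx.d4q2
2022-01-13T22:01:04Z host-a WRITE C:\Users\alice\Documents\budget.xlsx
2022-01-13T22:01:04Z host-a RENAME C:\Users\alice\Documents\budget.xlsx -> C:\Users\alice\Documents\budget.xlsx.k9x1
2022-01-13T22:01:04Z host-a WRITE C:\Users\alice\Desktop\notes.txt
2022-01-13T22:01:05Z host-a RENAME C:\Users\alice\Desktop\notes.txt -> C:\Users\alice\Desktop\notes.txt.p0m7
2022-01-13T22:01:05Z host-a WRITE C:\Users\alice\Desktop\scan.pdf
2022-01-13T22:01:05Z host-a RENAME C:\Users\alice\Desktop\scan.pdf -> C:\Users\alice\Desktop\scan.pdf.z2ab
2022-01-13T22:03:10Z host-b WRITE C:\Users\bob\Documents\report.docx
2022-01-13T22:03:11Z host-b RENAME C:\Users\bob\Documents\report.docx -> C:\Users\bob\Documents\report_final.docx
2022-01-13T22:03:30Z host-b RENAME C:\Users\bob\Documents\old.txt -> C:\Users\bob\Documents\old.txt.bak
2022-01-13T22:03:45Z host-b RENAME C:\Users\bob\Documents\x.txt -> C:\Users\bob\Documents\x.txt.q1w2
"""

# Extensions that are legitimately four characters long; extend for your estate.
KNOWN_EXT = {"docx", "xlsx", "pptx", "html", "json", "jpeg", "yaml", "mkv4"}

WRITE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) WRITE (?P<path>.+)$")
RENAME_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) RENAME (?P<src>.+?) -> (?P<dst>.+)$")
EXT_RE = re.compile(r"\.([a-z0-9]{4})$")


def suspicious_rename(src: str, dst: str) -> bool:
    """True when dst is src with an unfamiliar four-character extension appended.

    Assumption for this example: the corrupter keeps the original name and
    appends its suffix, so stripping the suffix from dst must give src back.
    """
    m = EXT_RE.search(dst)
    if not m or m.group(1) in KNOWN_EXT:
        return False
    return dst[: -(len(m.group(1)) + 1)] == src


def detect(lines):
    """Return {host: [renamed paths]} for overwrite-then-rename sequences.

    A rename only counts if the same host wrote to the source path earlier in
    the log, which is the overwrite-then-rename pattern described in the text.
    """
    written = set()                   # (host, path) pairs seen in a WRITE event
    flagged = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        w = WRITE_RE.match(line)
        if w:
            written.add((w["host"], w["path"]))
            continue
        r = RENAME_RE.match(line)
        if r and suspicious_rename(r["src"], r["dst"]) and (r["host"], r["src"]) in written:
            flagged[r["host"]].append(r["dst"])
    return dict(flagged)


def hosts_over_threshold(flagged, threshold=3):
    """Hosts with at least `threshold` flagged files, worst first."""
    return sorted((h for h, paths in flagged.items() if len(paths) >= threshold),
                  key=lambda h: -len(flagged[h]))


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS.splitlines())
    for host in hosts_over_threshold(results):
        print(f"{host}: {len(results[host])} files overwritten and renamed")
```

On the sample data only host-a trips the threshold; host-b's rename to a new name, its rename to `.bak`, and its rename of a file that was never written to are all left alone. The allowlist of known four-character extensions is what keeps ordinary document activity quiet, so it should be built from the file types actually present on the monitored systems.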

Microsoft said it has implemented protections to detect this family of malware in its Microsoft Defender Antivirus and Microsoft Defender for Endpoint products, regardless of whether the product is deployed in cloud environments or on-premises. Potential victims are urged to review authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication.
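The review Microsoft recommends can be started from the authentication log of the remote-access gateway itself. The Python below is an added example for this article, not Microsoft's tooling; it assumes a JSON-lines log with `ts`, `user`, `result`, `src` and `mfa` fields (a constructed format), lists which accounts have logged in successfully without a second factor, and flags single-factor successes that came from a source address not in a baseline of known user/source pairs or that followed a burst of failures from the same address. The baseline set and the five-minute failure window are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log (not real data). RFC 5737 test addresses.
SAMPLE_LOG = """
{"ts":"2022-01-12T08:02:11Z","user":"alice","result":"success","src":"203.0.113.10","mfa":true}
{"ts":"2022-01-12T08:05:40Z","user":"svc-backup","result":"success","src":"198.51.100.7","mfa":false}
{"ts":"2022-01-13T23:14:02Z","user":"svc-backup","result":"success","src":"192.0.2.55","mfa":false}
{"ts":"2022-01-13T23:15:10Z","user":"bob","result":"failure","src":"192.0.2.55","mfa":false}
{"ts":"2022-01-13T23:15:12Z","user":"bob","result":"failure","src":"192.0.2.55","mfa":false}
{"ts":"2022-01-13T23:15:15Z","user":"bob","result":"success","src":"192.0.2.55","mfa":false}
{"ts":"2022-01-14T09:00:00Z","user":"carol","result":"success","src":"203.0.113.22","mfa":true}
"""

# Assumed baseline of (user, source) pairs seen in the organisation's own
# history before the review period; in practice build this from older logs.
KNOWN_SOURCES = {("alice", "203.0.113.10"), ("svc-backup", "198.51.100.7")}


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def single_factor_accounts(events):
    """Accounts that completed a login without MFA: the review's starting list."""
    return sorted({e["user"] for e in events if e["result"] == "success" and not e["mfa"]})


def review(events, known_sources=KNOWN_SOURCES,
           fail_window=timedelta(minutes=5), fail_threshold=2):
    """Flag single-factor successes from unknown sources or after repeated failures."""
    failures = defaultdict(list)       # (user, src) -> timestamps of failed attempts
    findings = []
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] != "success":
            failures[key].append(e["ts"])
            continue
        if e["mfa"]:
            continue                   # MFA-protected logins are outside this review
        reasons = []
        if key not in known_sources:
            reasons.append("unknown-source")
        recent = [t for t in failures[key] if e["ts"] - t <= fail_window]
        if len(recent) >= fail_threshold:
            reasons.append("success-after-failures")
        if reasons:
            findings.append({"user": e["user"], "src": e["src"],
                             "ts": e["ts"].isoformat(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("single-factor accounts:", single_factor_accounts(evs))
    for f in review(evs):
        print(f"{f['ts']} {f['user']} from {f['src']}: {', '.join(f['reasons'])}")
```

On the sample log the service account's login from its usual address is silent, its later login from a new address is reported, and bob's success after two quick failures from that same address is reported with both reasons. The output is a work list for the investigation the MSTIC asks for, not a verdict: each flagged login still has to be confirmed with the account owner or the gateway's session records.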

“It is possible more organizations have been infected with this malware and the number of impacted organizations could grow,” Burt wrote in the conclusion to his blog post. “We will continue to work with the cybersecurity community to identify and assist targets and victims.”