Microsoft's cybersecurity teams announced on Saturday that they had uncovered evidence of a new destructive malware operation, dubbed "WhisperGate," targeting Ukraine's government, non-profit and information technology institutions as geopolitical tensions build between the country and Russia.
"The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable," said Tom Burt, corporate vice president of customer security and trust at Microsoft, adding that the attacks targeted government agencies that provide critical executive or emergency response functions.
Also affected by the malware is an IT firm that “manages websites for public and private sector customers, including government agencies, whose websites were recently defaced,” Burt noted.
The computer giant, which first discovered the malware on January 13, attributed the attacks to an emerging threat cluster codenamed "DEV-0586," with no overlap in tactics, techniques and procedures observed with other previously documented groups. It added that the malware had been found on dozens of affected systems, a number it expects to grow as the investigation progresses.
According to the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU), the attack chain is a two-step process that includes:
- Overwriting the Master Boot Record (MBR) on a victim's system with a fake ransom note demanding that the target deposit $10,000 into a Bitcoin wallet. The MBR is the first sector of a hard drive; it holds the boot code and partition table that locate the operating system on the disk so it can be loaded into the computer's RAM, so overwriting it leaves the machine unable to boot regardless of whether anyone pays.
- A second-stage executable that retrieves a file-corrupting payload hosted on a Discord channel. The corrupter scans for files with 189 different extensions, irrevocably overwrites their contents with a fixed number of 0xCC bytes and renames each file with a seemingly random four-byte extension.
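The two stages above leave artifacts that an incident responder can look for on a disk image or a file share: a boot sector whose code area is mostly text rather than machine code, and files whose entire contents are 0xCC. The following Python triage script is an added example, not Microsoft's code or a WhisperGate sample; the text-ratio threshold, keyword list, sample "ransom note" and sample file names are this example's own assumptions constructed from the description above, not the real note or the real extension list.

```python
"""Forensic triage helpers for the two-stage chain described above (added example).

triage_mbr()  - heuristic check of a 512-byte boot sector for a text ransom note
                in the area that should hold boot code.
scan_tree()   - walk a directory and flag files whose entire contents are 0xCC.
Thresholds, keywords and sample data are assumptions of this example.
"""
import os
import tempfile

SECTOR_SIZE = 512
CODE_AREA_END = 446            # bytes 0..445 are boot code; 446..509 the partition table
BOOT_SIG_OFFSET = 510          # legacy boot signature 0x55 0xAA lives at 510..511
TEXT_RATIO_THRESHOLD = 0.8     # assumption: real boot code is mostly non-printable opcodes
RANSOM_KEYWORDS = (b"bitcoin", b"wallet", b"$10,000", b"recover")  # assumption from the page
CORRUPT_FILL = 0xCC            # fill byte the second stage writes over file contents


def _is_text_byte(b: int) -> bool:
    """Printable ASCII plus tab/newline/carriage return."""
    return 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)


def triage_mbr(sector: bytes) -> dict:
    """Flag a boot sector whose code area reads like a ransom note.

    Zero padding is ignored so a short note padded with nulls still scores high.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    code = sector[:CODE_AREA_END]
    nonzero = [b for b in code if b != 0]
    text_ratio = sum(1 for b in nonzero if _is_text_byte(b)) / len(nonzero) if nonzero else 0.0
    lowered = code.lower()
    hits = [k.decode() for k in RANSOM_KEYWORDS if k in lowered]
    return {
        "has_boot_signature": sector[BOOT_SIG_OFFSET:] == b"\x55\xaa",
        "text_ratio": round(text_ratio, 3),
        "keywords": hits,
        "suspicious": text_ratio >= TEXT_RATIO_THRESHOLD or len(hits) >= 2,
    }


def triage_file(path: str) -> dict:
    """A file is flagged only when every byte is 0xCC; the four-byte extension is
    reported as a secondary indicator because legitimate .docx/.json files share it."""
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lstrip(".")
    all_cc = len(data) > 0 and data.count(CORRUPT_FILL) == len(data)
    return {"path": path, "all_0xcc": all_cc, "four_byte_ext": len(ext) == 4, "flagged": all_cc}


def scan_tree(root: str) -> list:
    """Return triage records for every flagged file under root."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            rec = triage_file(os.path.join(dirpath, name))
            if rec["flagged"]:
                flagged.append(rec)
    return flagged


def build_ransom_mbr() -> bytes:
    """Constructed sector imitating the first stage: text where code should be."""
    note = (b"Your hard drive has been corrupted. To recover it, pay $10,000 "
            b"to bitcoin wallet <redacted> and send proof of payment.")  # constructed, not the real note
    return note.ljust(CODE_AREA_END, b"\x00") + bytes(64) + b"\x55\xaa"


def build_legit_mbr() -> bytes:
    """Constructed sector with classic x86 boot-code opcodes and one partition entry."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0x8E, 0xC0, 0x8E, 0xD8, 0xBE,
                       0x00, 0x7C, 0xBF, 0x00, 0x06, 0xB9, 0x00, 0x02, 0xFC, 0xF3, 0xA4, 0x50,
                       0x68, 0x1C, 0x06, 0xCB, 0xFB, 0xB9, 0x04, 0x00, 0xBD, 0xBE, 0x07, 0x80,
                       0x7E, 0x00, 0x00, 0x7C, 0x0B, 0x0F, 0x85, 0x0E, 0x01, 0x83, 0xC5, 0x10,
                       0xE2, 0xF1, 0xCD, 0x18])
    part_entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                        0x00, 0x08, 0x00, 0x00, 0x00, 0xF8, 0x7F, 0x00])
    return boot_code.ljust(CODE_AREA_END, b"\x00") + part_entry + bytes(48) + b"\x55\xaa"


def build_demo_tree() -> str:
    """Constructed directory: one intact spreadsheet, one file wiped the way stage two does."""
    root = tempfile.mkdtemp(prefix="whispergate_demo_")
    with open(os.path.join(root, "budget.xlsx"), "wb") as fh:     # 4-char extension, real content
        fh.write(b"PK\x03\x04" + os.urandom(64))
    with open(os.path.join(root, "report.docx.yhdk"), "wb") as fh:  # constructed random 4-byte extension
        fh.write(bytes([CORRUPT_FILL]) * 4096)
    return root


if __name__ == "__main__":
    print("ransom MBR :", triage_mbr(build_ransom_mbr()))
    print("legit MBR  :", triage_mbr(build_legit_mbr()))
    for rec in scan_tree(build_demo_tree()):
        print("flagged    :", rec)
```

Run it against a real image by reading the first 512 bytes of the disk device or image file into `triage_mbr()` and pointing `scan_tree()` at a mounted copy of the affected volume. Both checks are heuristics: a boot sector with a legitimate text banner, or a file that genuinely consists of 0xCC padding, will trip them, so treat hits as leads to confirm against the hash of the recovered loader and the corrupter's own behaviour rather than as proof of infection.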
The malicious activity is "inconsistent" with cybercriminal ransomware activity on the grounds that "explicit payment amounts and cryptocurrency wallet addresses are rarely provided in modern criminal ransom notes" and "the ransom note in this case does not contain a custom ID," Microsoft said.
The development comes as numerous government websites in the eastern European country were defaced with a message on Friday warning Ukrainians that their personal information was being uploaded to the internet. The Security Service of Ukraine (SSU) said it found “indications” of the involvement of hacking groups linked to the Russian intelligence services.
"Given the scale of the observed intrusions, MSTIC is unable to assess the intent of the identified destructive actions but believes that these actions pose an increased risk to any government agency, non-profit organization or business located in Ukraine or with systems in Ukraine," the researchers warned.
Earlier today, however, Reuters raised the possibility that the attacks might have been the work of an espionage group linked to Belarusian intelligence and tracked as UNC1151 (also known as Ghostwriter). "Several significant intrusions into Ukrainian government entities were carried out by UNC1151," cybersecurity firm Mandiant said in a November 2021 report, noting that the group's operations are aligned with the interests of the Belarusian government.