Multiple organizations in Ukraine were hit last week in a destructive, likely nation-state-backed malware operation designed to render targeted systems completely inoperable.
The two-stage malware looks like ransomware on the surface. But it has no recovery mechanism and is instead designed to overwrite the Master Boot Record (MBR) and the contents of specific files on infected systems, Microsoft said Friday.
The attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory on Jan. 18 that urged US organizations to be vigilant against cyberattacks that could result in severe harm to critical functions.
Researchers from Microsoft observed the malware — called WhisperGate — first surface on Jan. 13 and have since then identified it on dozens of systems belonging to government, information technology, and nonprofit organizations based in Ukraine. The total number of organizations that have been affected by the malware remains unclear. But it's almost certain that there are more victims than have been identified so far, Microsoft said.
The malicious activity that Microsoft observed is part of a broader wave of attacks last week that took down government websites and disrupted operations at multiple organizations in Ukraine. No group has claimed credit for the attacks and so far, at least, few have publicly attributed them to any threat actor or state sponsor.
But many believe the attacks in Ukraine were likely carried out by Russian operatives and are a manifestation of the current tense standoff between the two countries. Back in December 2015, during a similarly tense period between Russia and Ukraine, threat actors from the former launched a series of cyberattacks that took out a section of Ukraine's power grid and caused a blackout in some regions of the country.
Chris Morgan, senior cyber-threat intelligence analyst at Digital Shadows, says it's not unreasonable to associate the attacks with Russia.
"The attacks fit a consistent model frequently employed by Russia-aligned threat actors, who have previously implemented hybrid warfare tactics involving the use of cyberattacks prior to movements of its military ground forces," Morgan says. "This has included cyberattacks against Georgia prior to the conflict over South Ossetia in 2008, during the 2014 Crimea annexation, and the destructive malware used in the Petya and MeDoc attacks against Ukraine in 2017."
Destruction as the Priority
Microsoft described WhisperGate as a unique two-stage malware that leverages a publicly available tool called Impacket that threat actors often use for remote execution and lateral movement. The first-stage malware resides in various directories and overwrites the MBR — code that tells the computer how to load the operating system — with a ransom note. The ransom note contains a previously unknown Bitcoin wallet address and an account identifier for encrypted communications, ostensibly for victims to use to make a payment. The malware's sole purpose, however, is to destroy the MBR and other files that it targets on infected devices, Microsoft said.
WhisperGate's stage-two component is a downloader for malware hosted on a Discord channel. The malware is designed to corrupt files in certain directories on a compromised system with specific file extensions such as .backup, .bak, .jpeg, .java, .jar, .rtf, .sav, and .xltm. When the malware encounters files with these extensions — and more than a hundred other extensions — it immediately overwrites the file and then renames each one with a random 4-byte extension.
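Two checks a responder might run from a known-good environment against the behaviour described above, added here as an illustration and not code from Microsoft, CISA, or the article: the first validates a disk's first sector against the 0x55AA boot signature and a known-good hash and looks for ransom-note text where boot code should be; the second sweeps a directory for files whose extensions no longer match anything expected, the trace left when content is overwritten and the file renamed. The sample sectors, file names, keyword list, and extension allow-list are constructed assumptions; the allow-list seeds itself with the extensions the article names.

```python
import hashlib
import os
import tempfile

MBR_SIZE = 512
BOOT_CODE_END = 446           # bytes 446..509 hold the partition table
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

# Extensions the article names among those the stage-two component corrupts.
TARGETED_EXTENSIONS = {".backup", ".bak", ".jpeg", ".java", ".jar", ".rtf", ".sav", ".xltm"}
# Constructed allow-list of extensions expected on this host (assumption).
KNOWN_EXTENSIONS = TARGETED_EXTENSIONS | {".txt", ".docx", ".pdf", ".png", ".exe", ".dll", ".log"}
# Constructed keywords a ransom note written over boot code is likely to contain.
NOTE_MARKERS = (b"bitcoin", b"wallet", b"ransom", b"payment")


def read_first_sector(path):
    """Read the first 512 bytes of a raw disk device or disk image."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def mbr_fingerprint(mbr):
    """SHA-256 of the sector, suitable for recording a known-good baseline."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr, baseline_sha256=None):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if len(mbr) < MBR_SIZE:
        return ["short read: fewer than 512 bytes"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    boot_code = mbr[:BOOT_CODE_END]
    # Genuine boot code is machine code; a note written over it is mostly ASCII.
    printable = sum(1 for b in boot_code if 32 <= b < 127)
    if printable > BOOT_CODE_END // 2:
        findings.append("boot code area is mostly printable text")
    lowered = boot_code.lower()
    for marker in NOTE_MARKERS:
        if marker in lowered:
            findings.append("ransom-note marker %r in boot code" % marker.decode())
            break
    if baseline_sha256 is not None and mbr_fingerprint(mbr) != baseline_sha256:
        findings.append("sector hash differs from known-good baseline")
    return findings


def find_unexpected_extensions(root, known=KNOWN_EXTENSIONS):
    """Walk root and list files whose extension is not on the allow-list.

    A burst of such files in directories that used to hold .bak, .rtf, ... files
    matches the pattern the article describes: content overwritten, then renamed.
    The check does not depend on the new extension's length.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext and ext not in known:
                hits.append((os.path.relpath(os.path.join(dirpath, name), root), ext))
    return sorted(hits)


# --- constructed samples so the checks run offline ---------------------------

def sample_clean_mbr():
    # Constructed: zeroed boot code and partition table, valid signature.
    return bytes(510) + BOOT_SIGNATURE


def sample_tampered_mbr():
    # Constructed: a fake note written over the boot code, signature gone.
    note = b"Your hard drive has been corrupted. Send payment to wallet 1EXAMPLE..."
    return note.ljust(510, b"\x00") + b"\x00\x00"


def sample_tree():
    # Constructed directory: three intact files, two renamed to random 4-char extensions.
    root = tempfile.mkdtemp(prefix="wg_demo_")
    for name in ("report.rtf", "photo.jpeg", "db.bak", "budget.kq3z", "notes.p7wd"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    return root


if __name__ == "__main__":
    baseline = mbr_fingerprint(sample_clean_mbr())
    print("clean:", check_mbr(sample_clean_mbr(), baseline))
    print("tampered:", check_mbr(sample_tampered_mbr(), baseline))
    print("renamed:", find_unexpected_extensions(sample_tree()))
```

On a live host, `read_first_sector` would be pointed at the raw disk device (which needs administrative rights), and the baseline hash should come from a golden image or an earlier inventory run rather than from the machine under investigation.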
The threat actor's goal in using the malware appears to be to render as many systems inoperable as possible and to make restoration hard.
"This has likely been conducted to introduce challenges to the day-to-day activities of Ukrainian citizens, while also to delegitimize the authority of Ukraine's government," Morgan says.
John Bambenek, principal threat hunter at Netenrich, says basic security hygiene is critical to protecting against such attacks.
"Ultimately, any measure designed to prevent malware will work here," Bambenek says. "Whether an attacker wants to deploy ransomware, a RAT, or MBR malware, at its core you are dealing with a malware problem." Beyond that, he adds, business continuity and disaster recovery plans are essential so that there is a plan in place for restoration of services.