BOSTON (AP) – Microsoft said late Saturday that dozens of computer systems at an unspecified number of Ukrainian government agencies were infected with destructive malware disguised as ransomware, a disclosure suggesting that a high-profile defacement attack on official websites was a distraction. The extent of the damage was not immediately clear.
The attack comes as the threat of a Russian invasion of Ukraine looms and diplomatic talks to resolve the tense standoff appear to have stalled.
Microsoft said in a brief blog post that amounted to an industry alert that it first discovered the malware on Thursday. That would coincide with the attack, which simultaneously took around 70 government websites temporarily offline.
The disclosure followed a Reuters report earlier in the day quoting a senior Ukrainian security official who said the defacement was actually a cover for a malicious attack.
Separately, a senior private sector cybersecurity expert in Kiev told The Associated Press how the attack succeeded: the intruders penetrated government networks through a shared software supplier in a so-called supply chain attack, in the fashion of the 2020 SolarWinds Russian cyberespionage campaign that targeted the US government.
Microsoft said in a separate technical post that the affected systems “include multiple government, non-profit, and IT organizations.” It said it did not know how many more organizations in Ukraine or elsewhere could be affected, but said it expected to learn of more infections.
“The malware is disguised as ransomware, but if activated by the attacker would render the infected computer system inoperable,” Microsoft said. In other words, it has no recovery mechanism: even if a victim paid the ransom, the data would not come back.
According to Microsoft, the malware “executes when an associated device is powered down,” which is a typical first response to a ransomware attack and in this case is precisely what triggers the destruction.
Microsoft said it is not yet able to assess the intent of the destructive activity or link the attack to known threat actors. Serhiy Demedyuk, deputy secretary of Ukraine’s National Security and Defense Council, was quoted by Reuters as saying the attackers used malware similar to that used by Russian intelligence.
A preliminary investigation led Ukraine’s security service SBU to blame “hacker groups linked to Russian intelligence” for the web defacement. Moscow has repeatedly denied involvement in cyber attacks on Ukraine.
Tensions with Russia have been running high in recent weeks after Moscow massed an estimated 100,000 troops near the border with Ukraine. Experts say they expect any invasion would have a cyber component, which is an integral part of modern “hybrid” warfare.
Demedyuk told Reuters in written comments that the defacement “was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.” The report did not elaborate, and Demedyuk could not immediately be reached for comment.
Oleh Derevianko, a leading private sector expert and founder of the cybersecurity firm ISSP, told the AP he does not know how serious the damage is. He said it is also unknown what else the attackers achieved after breaking into KitSoft, the developer whose access was exploited to seed the malware.
In 2017, Russia launched one of the most damaging cyberattacks of all time against Ukraine with the NotPetya malware, causing more than $10 billion in damage worldwide. NotPetya was also disguised as ransomware but was in fact a so-called “wiper” that destroyed entire networks.
Ukraine has suffered the unfortunate fate of being the world’s proving ground for cyber conflict. State-backed hackers in Russia nearly thwarted the 2014 national elections and briefly shut down parts of the power grid in the winters of 2015 and 2016.
In Friday’s mass web defacement, the attackers claimed in a message that they had destroyed data and posted it online, which Ukrainian authorities said had not happened.
The message urged Ukrainians to “be afraid and expect the worst.”
Ukrainian cybersecurity experts have been boosting critical infrastructure defenses with more than $40 million in US support since 2017. They are particularly concerned about Russian attacks on the power grid, the rail network and the central bank.