A very damaging kind of malware has been found in hundreds of government and private computer networks in Ukraine, according to Microsoft, which issued a warning on Saturday evening. The malware appeared to be lying dormant, waiting to be activated by an unknown actor.
Microsoft said in a blog post that investigators who monitor Microsoft’s worldwide networks discovered the code on Thursday, at about the same time that government authorities in Ukraine discovered that their websites had been defaced.
On Sunday, Jake Sullivan, President Biden’s national security advisor, said that the administration was looking into the code that was initially discovered by Microsoft. In an interview with CBS’s “Face the Nation,” Mr. Sullivan said, “We’ve been warning for weeks and months, both publicly and privately, that cyberattacks could be part of a broad-based Russian effort to escalate in Ukraine.” He cited Russia’s long history of using cyberweapons against Ukraine’s power grid, government ministries, and commercial firms.
However, he added that “we have not formally credited this assault yet,” and that Microsoft and other companies had not done so either. “However, we’re putting in a lot of effort to determine attribution,” he said, adding that “it would not surprise me in the least if it ends up being linked to Russian intelligence.”
Officials in Ukraine first blamed a group in Belarus for the defacement of their government websites, but later said that they believed Russia was involved. In a statement on Sunday, the Ministry of Digital Development said that a number of government entities had been targeted by destructive malware, probably the same code that Microsoft had discovered.
Investigators at the firm have characterised the malware as having the appearance of ransomware: it locks down all computer functions and data and demands a payment in exchange for unlocking the system. However, since there is no infrastructure in place to receive any payment, investigators have concluded that the purpose is to inflict as much harm as possible rather than to raise money.
The malware has probably not yet spread widely, and Microsoft’s announcement may make it harder for the attack to proliferate. The attackers might, however, now trigger the malware and attempt to take down as many machines and networks as they can before defenders regain control.
Microsoft made the information public in order to give the government, businesses, and other entities in Ukraine the best chance of finding and remediating the malware. Tom Burt, Microsoft’s vice president for customer security and trust, oversees the company’s efforts to identify and prevent attacks. He said that investigators from the company’s cybercrimes team had noticed odd activity in networks that were not normally monitored.
The 2014 attack on Ukraine’s Central Election Commission during a presidential election, in which Russia attempted unsuccessfully to change the outcome, served as a model for Russian intelligence agencies going forward; it was later discovered that Russian intelligence agencies had infiltrated the Democratic National Committee’s servers in the United States. On December 15, 2015, the first of two significant assaults on Ukraine’s power system caused the lights to go out for several hours in several parts of the country, including the capital, Kyiv.
Furthermore, in 2017, companies and government institutions in Ukraine were targeted by a harmful piece of malware known as NotPetya, which took advantage of flaws in tax preparation software that was widely used in the country at the time. The attack brought large sections of the economy to a halt, and it also hit FedEx and the shipping giant Maersk; American intelligence authorities ultimately determined that Russian operatives were responsible. That programme, at least in terms of its general architecture, has some similarities to the malware that Microsoft warned about this week.
The new malware is designed to wipe hard drives clean and erase all of their contents. Some military analysts believe that such a strike by Russia may be a precursor to a ground invasion. Another school of thought is that it might serve as a substitute for an invasion if the attackers believe that a cyberattack would not trigger the kind of financial and technical penalties that Mr. Biden has promised to apply in retaliation.
“Prepare for damaging assaults,” said John Hultquist, a top cyberintelligence analyst at Mandiant, who said on Sunday that his company has been warning its customers “to prepare for destructive attacks, including ones that are meant to look like ransomware.”
He said that in recent years the Russian hacking group known as Sandworm, which has since been closely tied to the Russian military intelligence organisation, the GRU, had developed “more advanced ways of critical infrastructure assault,” including on Ukraine’s power system.
He went on to say that they had “perfected the fake ransomware attack,” referring to attacks that are designed to appear as if they are part of a criminal extortion scheme but are actually intended to destroy data or cripple an electric utility, a water or gas supply system, or a government ministry. “They were doing this before NotPetya, and they attempted it several times thereafter.”