Ukraine systems infected with malware: Microsoft

2022-01-17

‘HYBRID’ WARFARE: A hacker group linked to Belarusian intelligence carried out the attack as a cover for more destructive actions behind the scenes, a Kiev official said

AP, BOSTON





Dozens of computer systems at an unspecified number of Ukrainian government agencies have been infected with destructive malware disguised as ransomware, Microsoft said late on Saturday, a disclosure suggesting that an attention-grabbing defacement attack on official Web sites was a diversion.

The extent of the damage was not immediately clear.

The attack came as the threat of a Russian invasion of Ukraine looms and diplomatic talks to resolve the tense standoff appear stalled.

A militant of the self-proclaimed Donetsk People’s Republic observes the area on the line of separation from the Ukrainian armed forces in Ukraine’s Donetsk region on Friday. Photo: Reuters

In a short blog post that amounted to the clanging of an industry alarm, Microsoft said that it first detected the malware on Thursday, which coincides with the attack that simultaneously took about 70 government Web sites temporarily offline.

The disclosure followed a report earlier in the day quoting a top Ukrainian security official as saying the defacement was indeed cover for a malicious attack.

A top private sector cybersecurity executive in Kiev said that the attack succeeded because the intruders penetrated the government networks through a shared software supplier, a so-called supply-chain attack in the fashion of the 2020 SolarWinds Russian cyberespionage campaign targeting the US government.

Microsoft said in a different, technical post that the affected systems “span multiple government, nonprofit and information technology organizations.”

It added that it did not know how many more organizations in Ukraine or elsewhere might be affected, but said it expected to learn of more infections.

“The malware is disguised as ransomware, but if activated by the attacker would render the infected computer system inoperable,” Microsoft said.

Microsoft said that the malware “executes when an associated device is powered down,” and powering a device down is a typical initial reaction to a ransomware attack.

It was not yet able to assess the intent of the destructive activity or associate the attack with any known threat actors, Microsoft added.

Ukrainian National Security and Defense Council Deputy Secretary Serhiy Demedyuk said that Kiev believes a hacker group linked to Belarusian intelligence carried out the cyberattack and used malware similar to that used by a group tied to Russian intelligence.

He said that Ukraine blamed Friday’s attack on a group known as UNC1151 and that it was cover for more destructive actions behind the scenes, the consequences of which would be felt in the near future.

Moscow has repeatedly denied involvement in cyberattacks against Ukraine.

Tensions with Russia have been running high in the past few weeks after Moscow amassed an estimated 100,000 troops near Ukraine’s border. Experts say they expect any invasion would have a cybercomponent, which is integral to modern “hybrid” warfare.

Oleh Derevianko, a leading private sector expert and founder of the ISSP cybersecurity firm, said that he did not know how serious the damage was.

It is also unknown what else the attackers might have achieved after breaking into KitSoft, the developer exploited to sow the malware, he added.

In Friday’s mass Web defacement, a message left by the attackers claimed they had destroyed data and placed it online, which Ukrainian authorities said had not happened.

The message told Ukrainians to “be afraid and expect the worst.”

Ukrainian cybersecurity professionals have been fortifying the defenses of critical infrastructure since 2017, with more than US$40 million in US assistance.

They are particularly concerned about Russian attacks on the power grid, rail network and central bank.

Additional reporting by Reuters