On Saturday night, January 15, Microsoft shook the cybersecurity world with a report that destructive wiper malware had penetrated dozens of government, non-profit, and IT organizations in Ukraine. This news capped a week of mounting apprehension of cyberattacks in Ukraine that could presage or accompany a real-world Russian military invasion of the country.
Since January 11, several possibly interconnected developments related to Russia’s cybersecurity posture paint a complex and unclear portrait of what’s happening in Ukraine. The following is a timeline of these increasingly high-stakes developments:
January 11: U.S. releases cybersecurity advisory
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint cybersecurity advisory (CSA) providing an overview of Russian state-sponsored cyber operations. It covered commonly observed tactics, techniques and procedures. The advisory also provided detection actions, incident response guidance, and mitigations.
CISA also recommended that network defenders review CISA’s Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. The agencies seemingly released the CSA as part of an occasional series of joint cybersecurity advisories.
January 13 to 14: Ukrainian websites defaced
Following a breakdown of diplomatic talks between Russia and the West intended to forestall a threatened Russian invasion of Ukraine, hackers launched defacement attacks that brought down dozens of Ukrainian government websites, including the Ministry of Foreign Affairs, the Ministry of Education, and others. The hackers posted a message that said, “Be afraid and expect the worst.”
The message also warned Ukrainians that “All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered,” and raised historical grievances between Poland and Ukraine. Ukraine’s State Bureau of Investigations (SBI) press service said that no data was stolen in the attack.
Although Ukraine did not attribute the attacks to Russia definitively, the European Union’s chief diplomat Josep Borrell hinted that Russia was the culprit. Serhiy Demedyuk, deputy secretary of Ukraine’s national security and defense council, preliminarily pinned the attacks on a hacker group linked to Belarusian intelligence known as UNC1151. Belarus is a close ally of Russia.
The European Union (EU) condemned the attacks and said it stands “ready to provide additional, direct, technical assistance to Ukraine to remediate this attack and further support Ukraine against any destabilizing actions, including by further building up its resilience against hybrid and cyber threats.” NATO Secretary-General Jens Stoltenberg said that his cyber experts in Brussels were exchanging information with their Ukrainian counterparts on the malicious cyber activities and would sign an agreement on enhanced cyber cooperation.
January 14: Russia takes down REvil ransomware group
In what appeared to be a surprise demonstration of U.S.-Russian collaboration, Russia’s FSB domestic intelligence service said that it dismantled the ransomware crime group REvil at the request of the United States in an operation that resulted in the arrest of the group’s members. The announcement was made even as the attacks on the Ukrainian websites were underway.
A senior administration official notably stopped short of confirming that the arrests were made at the administration’s request. The official did say they were the product of the “president’s commitment to diplomacy and the channel that he established and the work that has been underway in sharing information and in discussing the need for Russia to take action.”
January 15: Microsoft reveals discovery of malware on Ukrainian websites
Microsoft said it observed destructive malware disguised as ransomware in systems belonging to dozens of Ukrainian government agencies and organizations that work closely with the Ukrainian government. Microsoft didn’t specify which agencies and organizations were targeted but said they “provide critical executive branch or emergency response functions,” as well as an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced.
If activated by the attacker, the wiper malware would render the infected computer system inoperable. Microsoft’s Threat Intelligence Center (MSTIC) issued a technical post outlining the malware, saying that although it was designed to look like ransomware, it lacked any ransom recovery mechanism and was built to render targeted devices inoperable rather than to extract a ransom.
MSTIC found no notable associations between the observed activity, tracked as DEV-0586, and other known activity groups. Microsoft has implemented protections to detect this malware family, known as WhisperGate, via Microsoft Defender Antivirus and Microsoft Defender for Endpoint.
January 16: Ukraine blames Russia for attack on Ukrainian websites
Ukraine’s Ministry of Digital Transformation said that all the evidence points to the fact that Russia is behind the recent attacks on Ukraine’s government websites. “The latest cyberattack is one of the manifestations of Russia’s hybrid war against Ukraine, which has been going on since 2014,” the ministry said.
Speaking on the CBS news program Face the Nation, Jake Sullivan, U.S. National Security Advisor, said the attacks on the Ukrainian websites “is part of the Russian playbook, so it would not surprise me one bit if it ended being attributed to Russia.” Separately, NATO made good on its promise to sign a deal to bolster its cybersecurity support for Ukraine.
Unanswered questions regarding Russia’s cyber activity in Ukraine
Many unknowns surround this flurry of Russia-related cyber activity. These are the key unanswered questions:
Who are the attackers? The unknowns start with the absence of solid attribution for the Ukraine attacks. Despite the claims, no definitive research confirming who carried them out has been released.
Is the REvil take-down related to the cyber incidents in Ukraine? It’s also unclear if the timing of Russia’s arrests of the REvil gang members is connected with the cyber incidents in Ukraine. Chris Painter, the former coordinator for cyber issues at the U.S. State Department, tells CSO that “just like the U.S., Russia can walk and chew gum at the same time, but the timing is very interesting and could be seen as a message saying, look, we can cooperate on things, but if you sanction us further, then all bets are off, and you can forget about it.”
He also doubts that Russia can sustain its cooperation on cybersecurity matters. “Russia doesn’t have a great track record in cooperating on even criminal cases for many years, and I’ve dealt with them for many years on this.”
Are the website defacements and the destructive malware that Microsoft discovered linked? Ukraine’s Demedyuk said the defacement attackers were “just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.” Some cybersecurity experts speculate that there is such a connection but that the attacks were poorly executed in a superficial “combined arms operation” between two different actors, leading to synchronization failures.
Painter thinks it’s possible that the malicious actor launched the defacement attacks to tie up precious cybersecurity resources while surreptitiously launching the more severe malware attacks. “It could be that they did the defacements to divert resources so that it’d be harder for people to respond to the more serious stuff,” he says.
Are more attacks coming? Another unknown is whether the defacement and malware attacks are just opening salvos in what might be more disruptive cyber incidents in Ukraine and elsewhere. Microsoft warns that “It is possible more organizations have been infected with this malware, and the number of impacted organizations could grow.” Painter says, “I suspect that there probably are other intrusions if this is a prelude to a physical attack, or even if not.”
All organizations should immediately investigate
Concerns over malicious Russian activity are not limited to Ukraine. In its technical advisory, Microsoft said, “We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post.”
Painter advises all organizations to heed the joint alert by CISA, the NSA and the FBI. Cybersecurity personnel should “absolutely follow the guidance and the warnings that CISA and FBI put out,” he says. “The government is saying this one’s particularly important.”