Microsoft’s cybersecurity experts discovered evidence of a new malware operation nicknamed “WhisperGate” targeting government, non-profit, and IT organizations in Ukraine, amid building geopolitical tensions with Russia.
The threat is camouflaged as ransomware, but when activated by the attacker, it renders the infected computer system useless, according to Microsoft.
The malware has attacked numerous targets, among which is an IT firm that maintains websites for public and private sector clients, including government institutions’ websites.
The computer giant has attributed the attacks to a new threat cluster designated “DEV-0586” which has no commonalities in tactics or attacks with other known criminal groups. The malware was identified on dozens of systems, and the number is expected to grow as the investigation proceeds.
The WhisperGate attack chain is a two-stage process, according to Microsoft Threat Intelligence Center and Microsoft Digital Security Unit.
In the first stage, a phony ransom message urging the target to pay $10,000 to a bitcoin wallet is displayed after overwriting the Master Boot Record (MBR) on a victim’s system.
In the second stage, an executable searches for files with 189 different extensions, overwrites their contents with a predetermined number of 0xCC bytes, and renames each file with a supposedly random four-byte extension.
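The two traits of the second stage described above (file contents overwritten with 0xCC bytes, file renamed with a four-byte extension) can be turned into a simple post-incident triage check. The following is an added example, not code from Microsoft’s report; it assumes that inspecting the first 1 KiB of a file is enough to spot a wiped file and that the appended extension is exactly four characters long.

```python
import os
import tempfile
from pathlib import Path
from typing import List

WIPE_BYTE = 0xCC          # fill byte the article attributes to WhisperGate stage two
SAMPLE_LEN = 1024         # assumption: the first 1 KiB is a sufficient sample


def looks_wiped(path: Path, sample_len: int = SAMPLE_LEN) -> bool:
    """True if the file is non-empty and every sampled byte equals 0xCC."""
    try:
        with path.open("rb") as fh:
            head = fh.read(sample_len)
    except OSError:
        return False
    return len(head) > 0 and head.count(WIPE_BYTE) == len(head)


def has_four_char_extension(path: Path) -> bool:
    """Assumption: the wiper's appended extension is exactly four characters."""
    return len(path.suffix.lstrip(".")) == 4


def find_wiped_files(root: Path) -> List[Path]:
    """Walk a directory tree and return files matching both wiper traits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            if looks_wiped(candidate) and has_four_char_extension(candidate):
                hits.append(candidate)
    return sorted(hits)


def demo() -> List[str]:
    """Constructed sample tree: two wiped files, one intact, one 0xCC-filled
    file that keeps a normal extension (should not be flagged)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "report.docx.a1b2").write_bytes(bytes([WIPE_BYTE]) * 4096)
    (tmp / "notes.txt.zz9q").write_bytes(bytes([WIPE_BYTE]) * 100)
    (tmp / "intact.txt").write_bytes(b"hello world")
    (tmp / "pad.bin").write_bytes(bytes([WIPE_BYTE]) * 4096)
    return [p.name for p in find_wiped_files(tmp)]


if __name__ == "__main__":
    print(demo())
```

Files flagged this way should be treated as unrecoverable from disk and restored from the offline backups recommended later in this article.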
On Friday, multiple Ukrainian government websites were defaced with a message informing Ukrainians that their personal data had been made accessible on the internet. The Ukrainian Security Service stated it has detected “signs” of involvement of hacking organizations linked to Russian intelligence services.
While this isn’t a true ransomware attack, here are some good pieces of advice for protection that still apply:
- Regularly check for exposed and out-of-date services. Inspect and repair any exposed services, prioritizing those with known vulnerabilities. Threat actors routinely scan the internet for publicly accessible assets with exploitable vulnerabilities to gain initial access.
- Train employees on phishing and use email security solutions to reduce the risk of malicious emails. To acquire an early foothold, threat actors often use phishing operations with infected documents.
- Ensure your environment has robust Anti-Virus/Endpoint Detection and Response coverage to enable maximum visibility into exploit/threat activity.
- Regularly back up all key systems and data. Maintain offline backups for additional protection.
- Use complex passwords and Multi-Factor Authentication everywhere (including third-party accounts).
Microsoft’s Threat Intelligence Center cannot assess the intent of the identified harmful actions, but, due to the scale of the observed intrusions, the researchers believe these WhisperGate attacks pose a high risk to any government agency, non-profit, or corporation situated in Ukraine or with systems there.