Microsoft identifies destructive malware operations targeting multiple organizations in Ukraine

The Microsoft Threat Intelligence Center (MSTIC) said on Saturday that it has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine, which first appeared on victim systems in Ukraine on Jan. 13. The large-scale cyberattack brought down several Ukrainian government and ministry websites, including those of the ministry of foreign affairs and the education ministry.

According to a New York Times report, Ukraine’s Ministry of Digital Development said in a statement on Sunday that several government agencies had been struck by destructive malware, presumably the same code that Microsoft reported.

“All evidence indicates that Russia is behind the cyberattack,” the statement said. “Moscow continues to wage a hybrid war and is actively building up its forces in the information and cyberspaces.”

After the Foreign Affairs website was brought down, a message was posted that reads in part: “Ukrainians!…All information about you has become public, be afraid and expect worse.”

The cyberattacks on Ukraine come even as Russian troops are massed on its borders in a move that aims to get the country under greater Russian control and wean it from NATO (North Atlantic Treaty Organization). 

The Ukrainian attacks came at about the same time as Russia said that it had arrested members of the REvil hacker group, whose attacks led to production disruptions at meat supplier JBS. 

Looking at the current situation in Ukraine, cyber warfare is a central tenet of the Russian offensive strategy, Jonathon Gordon, directing analyst at Takepoint Research, told Industrial Cyber. “While not too long ago, critical infrastructure would have been in the crosshairs of a strategic bomber, the same ‘shock and awe’ can be delivered from a keyboard half a world away. This is not the realm of science fiction nor the naysayers, this has long since become fact!” he added. 

Forget the vendor use cases; Ukraine is an object lesson for all those tasked with protecting critical infrastructure, Gordon added.

Reacting to the destructive malware, Microsoft revealed that it has “notified each of the impacted organizations we have identified so far, partnered with other cybersecurity providers to share what we know, and notified appropriate government agencies in the United States and elsewhere. It is possible more organizations have been infected with this malware and the number of impacted organizations could grow. We will continue to work with the cybersecurity community to identify and assist targets and victims.”

Microsoft had identified intrusion activity originating from Ukraine that appeared to be possible Master Boot Record (MBR) wiper activity. “During our investigation, we found a unique malware capability being used in intrusion attacks against multiple victim organizations in Ukraine,” Microsoft researchers wrote in the company's blog post.

Microsoft observed that the malware resides in various working directories. “In the observed intrusions, the malware executes via Impacket, a publicly available capability often used by threat actors for lateral movement and execution. The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note. The MBR is the part of a hard drive that tells the computer how to load its operating system. The ransom note contains a Bitcoin wallet and Tox ID (a unique account identifier used in the Tox encrypted messaging protocol) that have not been previously observed by MSTIC,” it added.

The destructive malware executes when the associated device is powered down. Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransom note is a ruse: the malware destroys the MBR and the contents of the files it targets, and offers no recovery path.

In the second stage of the operation, stage2.exe is a downloader for the malicious file corrupter. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The next-stage malware can best be described as a malicious file corrupter. Once executed in memory, the corrupter locates files in certain directories on the system that carry one of a hardcoded list of file extensions.

If a file carries any of the extensions, “the corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB). After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension. Analysis of this malware is ongoing,” Microsoft added.
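For incident responders, the behaviour described above (every targeted file overwritten with a fixed run of 0xCC bytes and renamed with a four-character extension) is a pattern that can be swept for on disk after the fact. The triage scanner below is an added example written for this article; it is not Microsoft's or CISA's tooling and is not derived from the malware. It walks a directory tree, flags files whose entire contents are 0xCC, and records whether the size and extension also match. The 1 MiB expected size is an assumption (the article says only “1MB”), and the sample files it builds in a temporary directory are constructed for the demonstration.

```python
"""Post-incident triage scanner for files overwritten with 0xCC filler.

Added example, not vendor tooling. Content is the primary signal: a file
whose every byte is 0xCC has no legitimate reason to exist. Size and the
four-character extension are secondary signals, because renamed files
lose their original extension and legitimate four-letter extensions
(docx, xlsx, ...) exist.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List

FILLER_BYTE = 0xCC
ASSUMED_CORRUPTED_SIZE = 1024 * 1024  # assumption: "1MB" read as 1 MiB
CHUNK = 64 * 1024


@dataclass
class Finding:
    path: str
    name: str
    size: int
    four_byte_extension: bool
    size_matches: bool


def is_filled_with(path: Path, byte: int = FILLER_BYTE) -> bool:
    """True if the file is non-empty and every byte equals `byte`."""
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            # Compare the chunk against a same-length run of the filler byte.
            if chunk != bytes([byte]) * len(chunk):
                return False


def has_four_byte_extension(name: str) -> bool:
    """Extension of exactly four alphanumeric characters after the last dot."""
    stem, dot, ext = name.rpartition(".")
    return bool(dot) and bool(stem) and len(ext) == 4 and ext.isalnum()


def scan_tree(root: Path) -> List[Finding]:
    """Return every file under `root` whose contents are entirely 0xCC."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if not is_filled_with(p):
                    continue
                size = p.stat().st_size
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            findings.append(Finding(str(p), name, size,
                                    has_four_byte_extension(name),
                                    size == ASSUMED_CORRUPTED_SIZE))
    return findings


def classify(f: Finding) -> str:
    """High confidence only when content, size and extension all line up."""
    if f.size_matches and f.four_byte_extension:
        return "likely-corrupted"
    return "filler-content-only"


def build_sample_tree() -> Path:
    """Constructed sample data: one file matching the full pattern, one
    clean file, and one small filler file that matches on content alone."""
    root = Path(tempfile.mkdtemp(prefix="cc_scan_"))
    (root / "docs").mkdir()
    (root / "docs" / "quarterly.x9q2").write_bytes(
        bytes([FILLER_BYTE]) * ASSUMED_CORRUPTED_SIZE)
    (root / "docs" / "readme.txt").write_text("ordinary content\n")
    (root / "docs" / "padding.bin").write_bytes(bytes([FILLER_BYTE]) * 16)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(f"{classify(finding):22} {finding.size:>8} {finding.path}")
```

The scanner is a recovery-phase aid, not a control: by the time a file is all 0xCC its contents are gone, so the value of the sweep is in scoping the damage (which hosts and shares were reached) and in confirming that backups predate the overwrite. Run it against mounted images or shares rather than a live compromised host, and treat content-only hits as worth a look but not conclusive.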

“The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable. We’re sharing this information to help others in the cybersecurity community look out for and defend against these attacks,” Tom Burt, Microsoft’s corporate vice president for customer security and trust, wrote in a blog post. At this time, “we have not identified notable overlap between the unique characteristics of the group behind these attacks and groups we’ve traditionally tracked but we continue to analyze the activity,” he added.

Given the scale of the observed intrusions, MSTIC said that it is not able to assess the intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit, or enterprise located or with systems in Ukraine. “We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses,” the post added.

As with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations, the company said.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert on Sunday calling on network defenders to review the Microsoft blog for tactics, techniques, and procedures (TTPs), as well as indicators of compromise (IOC) related to this activity. 

According to Microsoft, powering down the victim device executes the malware, which overwrites the MBR with a ransom note; however, it is a ruse because the malware destroys the MBR and the targeted files, CISA wrote in its alert.
