…and it has begun! Technology has altered the playbook of warfare; now it’s a war without bullets
On January 13, Microsoft identified intrusion activity originating from Ukraine that appeared to be possible Master Boot Record (MBR) wiper activity. During the investigation, the US company found a unique malware capability being used in intrusion attacks against multiple victim organizations in Ukraine. The country was at the frontlines of a cyberwar that could soon engulf other nations and turn into a global conflict. The discovery of the wiper software, dubbed “WhisperGate” by Microsoft, was “particularly alarming,” because previous outbreaks of this type of software had caused worldwide disruptions, per the US Cybersecurity and Infrastructure Security Agency (CISA).
China might join the war
Cyber threat intelligence company Mandiant has warned that the crisis in Ukraine has proven to be a catalyst for additional aggressive cyber activity that would likely increase as the situation deteriorates. The company had been anticipating this activity and forewarned that future activity will not be restricted to Ukrainian targets or the public sector. In its report on cyber threat predictions for 2022, it said that Russia would maintain an aggressive posture throughout 2022, with a sustained emphasis on targeting NATO, Eastern Europe, Ukraine, Afghanistan and the energy sector. The forecast had also included threats from China, saying: “As geopolitical tensions continue to rise, the big question is ‘When are we going to see China flex some of their known but as-yet-unused destructive capabilities?’”
War without bullets
Technology has altered the playbook of warfare. The first phase of any war today will begin with a crippling attack on a nation’s digital assets, communication networks, and information systems. Though Russia has amassed 127,000 troops, military hardware, and ships to surround the small east European country, a former member of the erstwhile Soviet Bloc, not a single shot has been fired, nor have any boots crossed the borders, and yet the war has already begun.
A few weeks ago, hackers defaced dozens of government websites in Ukraine, a technically simple but attention-grabbing act that generated global headlines. More quietly, they also placed destructive malware inside Ukrainian government agencies, an operation first discovered by researchers at Microsoft. It’s not clear yet who is responsible, but Russia is the leading suspect.
Following this attack, the US crime-fighting agency FBI and police from multiple European countries and Canada took down 15 computer servers that were used in “major international cyberattacks.” Europol, the European Union’s law enforcement agency, said that after seizing the servers, investigators had identified “more than 100 businesses” that were at risk of being hacked by cybercriminals, including ransomware groups.
Malware masquerading as ransomware
An investigation by the Microsoft Threat Intelligence Center (MSTIC) found evidence of the introduction of destructive malware into the systems of many organizations in Ukraine. The software had targeted government departments that provide mission-critical executive functions, the probe revealed. MSTIC assessed that malware that looks like ransomware but lacks a recovery mechanism after receiving payment is designed to disable targeted devices, not to collect ransom.
The malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1). The MBR is the part of a hard drive that tells the computer how to load its operating system. The ransom note contains a Bitcoin wallet and Tox ID (a unique account identifier used in the Tox encrypted messaging protocol) that have not been previously observed by MSTIC.
The malware executes when the associated device is powered down. Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransom note is a ruse: the malware destroys the MBR and the contents of the files it targets. There are several reasons why this activity is inconsistent with cybercriminal ransomware activity observed by MSTIC, including:
- Ransomware payloads are typically customized per victim. In this case, the same ransom payload was observed at multiple victims.
- Virtually all ransomware encrypts the contents of files on the filesystem. The malware in this case overwrites the MBR with no mechanism for recovery.
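Because the wiper replaces the first sector with a text note rather than boot code, a defender can catch it with an offline integrity check on that sector. The following is an added example (not Microsoft's tooling or code from the original report) that parses a 512-byte MBR, flags a missing 0x55AA signature, an empty partition table, a printable-text boot region, and a hash mismatch against a recorded baseline; the two sample sectors and the placeholder note text are constructed for the demonstration.

```python
import hashlib
import struct
SECTOR = 512
BOOT_SIG = b"\x55\xaa"  # signature bytes expected at offset 510 of a valid MBR

def baseline_of(mbr):
    """SHA-256 of a known-good sector, recorded while the host is healthy."""
    return hashlib.sha256(mbr).hexdigest()

def parse_partitions(mbr):
    """Return the four 16-byte partition entries at offset 446 as dicts."""
    entries = []
    for off in range(446, 510, 16):
        lba, n = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"boot_flag": mbr[off], "type": mbr[off + 4], "lba_start": lba, "sectors": n})
    return entries

def check_mbr(mbr, baseline_sha256=None):
    """Return a list of findings; an empty list means the sector looks intact."""
    if len(mbr) != SECTOR:
        return ["sector is not 512 bytes"]
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    if not any(p["type"] != 0 and p["sectors"] > 0 for p in parts):
        findings.append("no usable partition entries")
    if any(p["boot_flag"] not in (0x00, 0x80) for p in parts):
        findings.append("invalid partition boot flag")
    # Real boot code is machine code; a long run of printable ASCII at offset 0
    # is what a sector that was overwritten with a text note looks like.
    run = next((i for i, b in enumerate(mbr[:446]) if not 32 <= b < 127), 446)
    if run >= 32:
        findings.append(f"boot code region starts with {run} printable bytes (possible ransom note)")
    if baseline_sha256 and baseline_of(mbr) != baseline_sha256:
        findings.append("sector hash differs from recorded baseline")
    return findings

def make_clean_mbr():
    """Constructed healthy sector: stub boot code plus one bootable NTFS partition."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\x33\xc0\xfa"  # xor ax,ax ; cli  (stub, not a real boot loader)
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

def make_wiped_mbr():
    """Constructed sample: sector replaced by plain text (placeholder, not the real note)."""
    note = b"CONSTRUCTED SAMPLE NOTE: drive contents overwritten; contact <placeholder> to recover."
    return note + bytes(SECTOR - len(note))
```

On a live host the same check runs over the first 512 bytes read from the raw disk device, with the baseline hash captured at provisioning time.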
Microsoft then implemented protections to detect this malware family as WhisperGate (e.g., DoS:Win32/WhisperGate.A!dha) via Microsoft Defender Antivirus and Microsoft Defender for Endpoint, wherever these are deployed in on-premises and cloud environments.
To spill over to Europe and US
MIT Technology Review reported that while Ukraine continues to feel the brunt of Russia’s attacks, government and cybersecurity experts are worried that these hacking offensives could spill out globally, threatening Europe, the US, and beyond.
On January 18, the US CISA warned critical infrastructure operators to take “urgent, near-term steps” against cyber threats, citing the recent attacks against Ukraine as a reason to be on alert for possible threats to US assets. The agency also pointed to two cyberattacks from 2017, NotPetya and WannaCry, which both spiralled out of control from their initial targets, spread rapidly around the internet, and impacted the entire world at a cost of billions of dollars. The parallels are clear: NotPetya was a Russian cyberattack targeting Ukraine during a time of high tensions.
Russian military a strong threat
Experts anticipate cyber operations from Russia’s military intelligence agency GRU, the organization behind many of the most aggressive hacks of all time, both inside and outside Ukraine. The GRU’s most notorious hacking group, dubbed Sandworm by experts, is responsible for a long list of greatest hits including the 2015 Ukrainian power grid hack, the 2017 NotPetya hacks, interference in US and French elections, and the Olympics opening ceremony hack in the wake of a Russian doping controversy that left the country excluded from the games.
Warnings have been issued about another group, known to experts as Berserk Bear, that originates from the Russian intelligence agency FSB. In 2020, US officials warned of the threat the group poses to government networks. The German government said the same group had achieved “longstanding compromises” at companies as they targeted energy, water, and power sectors.
Though the European Union and the US helped Ukraine to mitigate the damage from the recent cyberattacks, the harm has already been done. CISA has issued a warning to those working with Ukrainian organizations to take extra care to monitor, inspect, and isolate traffic from those organizations, and to closely review access controls for that traffic.
The coming misinformation war
Planting misinformation could be the next phase of cyberattacks on Ukraine, particularly if its enemies were interested in stirring up political trouble to overthrow the current government. The perpetrators of attacks often fabricate evidence of culpability or make false statements of responsibility designed to suggest that some other party is responsible for the incident. They plant evidence in code and make public statements that suggest incidents were carried out by previously unknown nationalist elements, criminals, or government hackers. On multiple occasions, wipers have masqueraded as ransomware, as in the case of the most recent incident in Ukraine. Though these “false flags” are often paper-thin, they complicate efforts to convince the public of attribution and make these operations more deniable.