Tom Burt, Corporate Vice President of Customer Security and Trust at Microsoft, reported that “the malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable”, adding that the intrusions were aimed at government agencies that provide critical executive branch or emergency response functions, as well as an IT firm that manages websites for public and private sector clients, such as government agencies whose websites were recently defaced.
Microsoft’s cybersecurity teams reported on Saturday that they had found evidence of a new destructive malware operation, dubbed “WhisperGate”, targeting government, non-profit, and information technology entities in Ukraine amid escalating geopolitical tensions between the country and Russia.
According to the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU), the malware operates in two stages:
- Overwriting the Master Boot Record (MBR) on a victim’s system to display a fake ransom note urging the target to pay $10,000 to a bitcoin wallet.
- A second-stage executable that retrieves file corrupter malware hosted on a Discord channel, designed to search for files with 189 different extensions, then irreversibly overwrite their contents with a fixed number of 0xCC bytes and rename each file with a seemingly random four-byte extension.
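The two artifacts the second stage leaves behind, files whose contents have been replaced with 0xCC bytes and files renamed with a four-character extension, are what an incident responder would sweep a recovered disk for. The following Python triage script is an added example, not code from the Microsoft report or from this article: it walks a directory tree and flags both indicators separately, so that a file with an ordinary extension but 0xCC contents is still caught. The sample files it builds, the 4096-byte inspection window, and the small allowlist of common four-letter extensions are assumptions made for the example; a real sweep would use the full extension list from the report.

```python
import tempfile
from pathlib import Path

FILL_BYTE = 0xCC   # fill byte described in the Microsoft report
WINDOW = 4096      # assumption: inspecting the leading bytes is enough to spot the fill
EXT_LEN = 4        # the "seemingly random four-byte extension" from the report

# Assumption for the example: ordinary four-letter extensions that must not be
# mistaken for the random ones the corrupter appends.
COMMON_4CHAR_EXTS = {"html", "docx", "xlsx", "pptx", "json", "yaml", "jpeg", "webp"}


def looks_corrupted(path: Path, window: int = WINDOW) -> bool:
    """True if the file is non-empty and every inspected leading byte is 0xCC."""
    try:
        with path.open("rb") as fh:
            head = fh.read(window)
    except OSError:
        return False
    return len(head) > 0 and head == bytes([FILL_BYTE]) * len(head)


def has_random_extension(path: Path) -> bool:
    """True if the final extension is four alphanumeric characters and not a common one."""
    ext = path.suffix.lstrip(".")
    return len(ext) == EXT_LEN and ext.isalnum() and ext.lower() not in COMMON_4CHAR_EXTS


def triage(root: Path):
    """Return (relative path, corrupted?, random extension?) for every flagged file."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        corrupted = looks_corrupted(p)
        odd_ext = has_random_extension(p)
        if corrupted or odd_ext:
            hits.append((str(p.relative_to(root)), corrupted, odd_ext))
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample data for the example; not taken from any real incident."""
    root = Path(tempfile.mkdtemp(prefix="whispergate_triage_"))
    (root / "notes.txt").write_bytes(b"quarterly review notes\n")                 # untouched
    (root / "budget.xlsx.9f3a").write_bytes(bytes([FILL_BYTE]) * 8192)          # both indicators
    (root / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 100)      # untouched
    (root / "readme.html").write_bytes(bytes([FILL_BYTE]) * 512)                # contents only
    (root / "archive.tar.gz").write_bytes(b"\x1f\x8b" + bytes([FILL_BYTE]) * 50)  # 0xCC in body only
    return root


if __name__ == "__main__":
    for rel, corrupted, odd_ext in triage(build_sample_tree()):
        print(f"{rel}: contents_0xCC={corrupted} random_ext={odd_ext}")
```

The content check is the strong indicator; the extension check is only corroborating, because a four-letter extension alone is common on a normal filesystem. Running the script on the sample tree flags budget.xlsx.9f3a on both counts and readme.html on contents alone, while archive.tar.gz is left alone because its leading bytes are not the fill pattern.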
The computing giant, which discovered the malware on January 13, attributed the attacks to an emerging threat cluster codenamed “DEV-0586”, with no observed overlaps in tactics, techniques, and procedures with previously documented groups. It also said the malware had been found on dozens of impacted systems, a figure it expects to grow as the investigation progresses.
The news comes after numerous government websites in the Eastern European country were defaced on Friday with a message warning Ukrainians that their personal data was being uploaded to the Internet. The Ukrainian Security Service (SSU) said it discovered “signs” of hacking groups linked to Russian intelligence services.
Finally, the researchers concluded: “Given the scale of the observed intrusions, MSTIC is unable to assess intent of the identified destructive actions. We believe these actions represent an elevated risk to any government agency, non-profit, or enterprise located or with systems in Ukraine.” However, Reuters reported earlier today that the attacks could have been carried out by an espionage group known as UNC1151 or Ghostwriter, which is linked to Belarusian intelligence.