Microsoft discovers destructive malware in Ukrainian government networks

Ultimate aim may be to wipe out data at the time of the attacker's choosing, the company warns

Microsoft warned on Saturday that it had discovered a highly destructive form of malware in dozens of government and private computer networks in Ukraine that looked to be waiting to be triggered by an unknown threat actor.

Tom Burt, corporate vice president of customer security and trust at Microsoft, said in a blog post that the presence of the malware was first detected on Thursday, 13 January, coinciding with an attack that brought down nearly 70 government websites, which Ukraine has pinned on Russia.

According to Microsoft, the malware is designed to look like ransomware, although its ultimate aim may be to wipe out sensitive data at the hackers' direction.

"While our investigation is continuing, MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups," Microsoft said.

It added that the malware has already been identified on dozens of infected systems across several government, IT and non-profit organisations in Ukraine.

An IT firm that manages websites for public and private sector customers, including government institutions whose websites were recently attacked, is among the targets of the malware.

Microsoft Threat Intelligence Center (MSTIC) observed in its analysis that the two-stage Windows malware overwrites the part of a hard drive that directs the machine how to load the operating system and replaces the commands with a ransom note.

The ransom message contains details of a Bitcoin wallet and an account identifier used in the Tox encrypted messaging protocol. Microsoft said neither of them had been previously observed by its research teams.

The malware itself acts as a malicious file corrupter that looks for files in specific directories on the compromised system, and after overwriting the file's contents, it renames each file with a random four-byte extension.

Microsoft warning comes after multiple governments websites in Ukraine were attacked and defaced on Thursday, with a message telling Ukrainians citizens that their personal information was being leaked on the Internet.

The Ukrainian Security Service (SSU) said it had founds signs of cyber actors linked to Russian intelligence services involved in the attacks.

The cyberattacks against Ukraine government websites comes as the possibility of a Russian military attack looms and diplomatic negotiations to resolve the tense stand-off appear to have stagnated.

Russia has sent an estimated 100,000 soldiers along Ukraine's border, and analysts predict that any invasion would also include a cyber component.

A high-level discussion in Vienna involving NATO, United States, and Russian envoys appears to be going nowhere, according to the Russian side.

The Ukrainian security official, Serhiy Demedyuk, told Reuters that the defacement of government websites was just a cover for more harmful activities that were happening behind the scenes and the effects of which will be felt in the near future.

In the past, hacker organisations suspected of having ties with Russian intelligence services have carried out multiple attacks against Ukraine.

In 2017, Russia struck Ukraine with one of the most damaging cyberattacks on record with the NotPetya virus that cost more than $10 billion in worldwide damage. The virus, which was also disguised as ransomware, erased entire networks of victim organisations.

Earlier in 2015, an attack on the country's electricity grid left 200,000 people without power.