Microsoft stated late Saturday that destructive malware disguised as ransomware had infected dozens of computer systems at an unspecified number of Ukrainian government entities, implying that an attention-getting defacement attack on official websites was a diversion. The extent of the damage was unclear at the time. The attack comes as Russia threatens to invade Ukraine, and diplomatic efforts to end the tense standoff appear to have stalled.

Microsoft first discovered the malware on Thursday, according to a brief blog post that sounded an industry alarm. That would coincide with the attack that took down more than 70 government websites at the same time. The disclosure followed a Reuters article earlier in the day that quoted a top Ukrainian security official as saying the defacement was certainly cover for a malicious attack.
Separately, a prominent private sector cybersecurity executive in Kyiv explained to The Associated Press how the hack succeeded: in a so-called supply-chain attack, similar to the 2020 SolarWinds Russian cyberespionage effort targeting the US government, the intruders gained access to government networks through a shared software provider. The compromised systems “cross several government, non-profit, and information technology organizations,” Microsoft wrote in a separate technical post. It said it did not know how many additional organizations in Ukraine or abroad might be compromised, but that more infections were likely.
“The virus is camouflaged as ransomware, but it would render the targeted computer system useless if activated by the attacker,” Microsoft warned. In other words, it has no mechanism for recovering data by paying a ransom. According to Microsoft, the malware “executes when an attached device is shut down,” and shutting a device down is a common first reaction to a ransomware attack.
Microsoft stated that it had not yet been able to determine the goal of the destructive activity or link it to any known threat actors. According to Reuters, Ukrainian security official Serhiy Demedyuk said the attackers used malware identical to that used by Russian intelligence. He is the deputy secretary of the National Security and Defense Council.
Ukraine’s Security Service, the SBU, said preliminary findings showed the site defacement was perpetrated by “hacker organizations associated with Russia’s intelligence agencies.” Moscow has denied any involvement in cyberattacks against Ukraine on several occasions. Tensions with Russia have risen in recent weeks, with Moscow amassing an estimated 100,000 troops near Ukraine’s border. Experts predict that any invasion will have a cyber component, which is crucial in today’s “hybrid” warfare.
The defacement “was only a cover for more harmful operations that were going on behind the scenes and the effects of which we will experience in the near future,” Demedyuk told Reuters in written comments. The report did not go into detail, and Demedyuk could not immediately be reached for comment.
According to the Associated Press, Oleh Derevianko, a top private sector specialist and founder of the ISSP cybersecurity firm, does not know the extent of the damage. He said it is also unclear what else the attackers may have accomplished after breaking into KitSoft, the developer whose software they used to spread the malware. With the NotPetya virus, Russia hit Ukraine with one of the most catastrophic cyberattacks on record, causing more than $10 billion in global damage. That virus, which likewise posed as ransomware, was a “wiper” that wiped out entire networks.
Ukraine has the terrible distinction of serving as the world’s proving ground for cyberwarfare. Hackers sponsored by Russia’s government nearly foiled the country’s national elections in 2014 and briefly paralyzed parts of the country’s power grid in the winters of 2015 and 2016.
A note left by the attackers in Friday’s large-scale web defacement claimed that they had destroyed data and posted it online, a claim Ukrainian police denied.
“Be afraid and expect the worst,” the note warned Ukrainians. Since 2017, Ukrainian cybersecurity experts have been bolstering critical infrastructure defenses with more than $40 million in US aid. Russian attacks on the electricity system, rail network, and central bank are of special concern to them.