The campaign of computer attacks against Ukrainian government sites that took place on the night of January 13 to 14, 2022 could be much more serious than expected. According to Microsoft, dozens of organizations have been targeted by bogus ransomware hiding data corruption and erasure malware. For Kyiv, there is no doubt that the attack originates in Russia.
How far will tensions between Ukraine and Russia go? The campaign of cyberattacks that raged on the night of January 13 to 14, 2022 did not only target ministries and is undoubtedly much more serious than expected. “Microsoft Threat Intelligence Center assesses that the malware, which is designed to look like ransomware but lacks a ransom recovery mechanism, is intended to be destructive and designed to render targeted endpoints inoperable rather than to obtain a ransom,” Microsoft warned this weekend. The reality therefore seems very far from the initial assessment made by the Ukrainian authorities, who had initially indicated that they had “not suffered more substantial damage” when several government sites (including that of the Ministry of Foreign Affairs) went down, and that “the content of the sites has not been modified and no leakage of personal data has taken place”.
In its analysis, Microsoft paints a darker picture, with several dozen or more targets including government agencies as well as non-profit organizations and technology companies. All are located in Ukraine. “We strongly encourage all organizations to immediately conduct a thorough investigation and put in place defenses,” the vendor urged.
File destruction and corruption
Microsoft research shows that the perpetrators of these cyberattacks did not aim to demand ransoms but to corrupt and destroy data via malware that wipes the master boot record (MBR). After a first stage that drops a ransom note, the malware resides in directories such as C:\PerfLogs, C:\ProgramData, C:\ and C:\temp, and is often named stage1.exe. “In observed intrusions, the malware executes via Impacket, a publicly available capability often used by threat actors for lateral movement and execution. The malware runs when the associated device is turned off. MBR overwriting is atypical for ransomware. In reality, the ransomware note is a ruse and the malware destroys the MBR and the contents of the files it targets,” warns the vendor.
Alongside the MBR wiping, the attack also corrupts files. Once on the compromised systems, the attackers use a Discord link to download a data corrupter, which locates files with certain extensions (JPG, PDF, SQL, backup, etc.) in specific directories on the system. What follows is predictable: “the corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1 MB). After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension,” Microsoft notes. To limit the damage, the vendor recommends a few best practices: review all authentication activity for the remote access infrastructure, with particular emphasis on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity; enable Multi-Factor Authentication (MFA) to mitigate potentially compromised credentials and ensure MFA is enforced for all remote connectivity; and enable Controlled Folder Access (CFA) in Defender for Endpoint to prevent modification of the MBR/VBR.
An explosive geopolitical situation
While the role of Russia in these malicious operations had been suggested, the Ukrainian authorities clarified this point by announcing that they even have proof that the Kremlin is indeed behind these attacks. “To date, all evidence points to Russia being behind the cyberattack,” the Ministry of Digital Transformation said in a statement. This sabotage “is a manifestation of the hybrid war that Russia has been waging against Ukraine since 2014”, the ministry asserted. The objective is “not only to intimidate society”, but also to “destabilize the situation in Ukraine” by “undermining Ukrainians’ confidence in their power”. The announcement of the return to the country on January 17 of former President of Ukraine Petro Poroshenko is not likely to calm the situation. Exiled to Warsaw for a month, the former leader, an opponent of President Volodymyr Zelensky and a fervent defender of a very hard line against Moscow, risks being imprisoned at any time. Germany, for its part, has undertaken to “guarantee Ukraine’s security” in the face of Russia.