Microsoft discloses malware attack on Ukraine govt networks

In this undated handout photo released by Ukrainian Foreign Ministry Press Service, the building of Ukrainian Foreign Ministry is seen during snowfall in Kyiv, Ukraine. Ukrainian officials and media reports say a number of government websites in Ukraine are down after a massive hacking attack. While it is not immediately clear who was behind the attacks, they come amid heightened tensions with Russia and after talks between Moscow and the West failed to yield any significant progress this week. (Ukrainian Foreign Ministry Press Service via AP)

Microsoft said on Saturday that dozens of computer systems in an unknown number of Ukrainian government agencies were infected with destructive malware disguised as ransomware, a revelation that suggests a defacement attack that draws attention to official websites was a diversion. 

The extent of the damage was not immediately clear. The attack comes as the threat of a Russian invasion of Ukraine looms and diplomatic talks to resolve the tense standoff appear to have stalled. Microsoft said in a short blog post that this amounted to the sound of an industry alert that it first detected the malware on Thursday.

This would coincide with the attack which temporarily took some 70 government websites offline. The disclosure followed a Reuters report earlier in the day quoting a senior Ukrainian security official as saying the disfigurement was indeed a cover for a malicious attack.

Separately, a senior private sector cybersecurity official in Kyiv told The Associated Press how the attack was successful: intruders entered government networks through a shared software vendor in a self -so-called SolarWinds 2020 Russian cyber-espionage campaign-style supply chain attack against Microsoft said in another technical article that the affected systems “spread across multiple government, non-profit, and  technology and information Technology Organization.

 “The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable,” Microsoft said. In short, there is no ransom recovery mechanism. 

Microsoft said the malware “runs when an associated device is turned off,” a typical initial reaction to a ransomware attack. Microsoft said it was not yet able to assess the purpose of the destructive activity or associate the attack with a known threat actor. 

Ukrainian security official Serhiy Demedyuk was quoted by Reuters for claiming that the attackers used malware similar to that used by Russian intelligence services. He is Deputy Secretary of the National Security and Defense Council.