[ad_1]
Microsoft has revealed the true scale of Russian-backed cyberattacks against Ukraine since the invasion, with hundreds of attempts by multiple Russian hacking groups targeting the country’s infrastructure and Ukrainian citizens.
These attacks also include the use of destructive malware designed to bring down critical systems and disrupt civilian access to critical lifesaving services and trusted information.
“Starting just before the invasion, we have seen at least six Russia-aligned nation-state actors launch more than 237 operations against Ukraine, including destructive attacks that are ongoing and threaten the well-being of civilians,” said Tom Burt, Vice President Microsoft corporate for security and customer trust.
“The destructive attacks have also been accompanied by extensive espionage and intelligence activities. [..] We have also observed limited espionage attack activity involving other NATO member states and some disinformation activity.”
The Microsoft Threat Intelligence Center (MSTIC) observed [PDF] Russian intelligence-linked threat groups GRU, SVR, and FSB (including APT28, Sandworm, Gamaredon, EnergeticBear, Turla, DEV-0586, and UNC2452/2652) prepositioning themselves for conflict and intensifying their attacks against Ukraine and its allies from with March 2021.
Microsoft also noted a direct link between cyberattacks and military operations, with the time between hacking attempts and breaches closely matching that of missile attacks and sieges coordinated by the Russian military.
Among the destructive attacks it observed (nearly 40 between February 23 and April 8) against dozens of organizations in Ukraine, Microsoft says 32% targeted Ukrainian government organizations directly and more than 40% targeted critical infrastructure organizations. .
Microsoft has seen multiple malware families leveraged by Russian threat actors for destructive activities against Ukrainian targets, including WhisperGate/WhisperKill, FoxBlade (also known as HermeticWiper), SonicVote (also known as HermeticRansom), CaddyWiper, DesertBlade, Industroyer2, Lasainraw (also known as IsaacWiper) and FiberLake (also known as DoubleZero).
MTIC has attributed three of them (ie FoxBlade, CaddyWiper and Industroyer2) to Sandworm. Its members are believed to be military hackers who are part of the Russian GRU’s Main Center for Special Technologies (GTsST) Unit 74455.
“WhisperGate, FoxBlade, DesertBlade and CaddyWiper are malware families that overwrite data and make machines unbootable. FiberLake is a .NET capability used for data wipe,” said the Digital Security Unit (DSU). ) from Microsoft. [PDF].
“SonicVote is a file encryptor that is sometimes used in conjunction with FoxBlade. Industroyer2 specifically targets operational technology to achieve physical effects in production and industrial processes.”
Microsoft also discovered that WhisperGate malware was used in data-wiping attacks against Ukraine in mid-January, before the February invasion, disguised as ransomware.
As Microsoft President and Vice President Brad Smith said, these ongoing attacks with destructive malware against Ukrainian organizations and infrastructure “have been precisely targeted.”
They are part of a “massive wave of hybrid warfare”, as the Security Service of Ukraine (SSU) put it, just before the Russian invasion.
The highly targeted and precisely timed nature of this year’s Russian-backed cyberattacks against Ukraine stands in stark contrast to the global indiscriminate NotPetya malware attack that hit countries around the world (including Ukraine) in 2017 and was also linked to hackers. Russian computer scientists GRU Sandworm.
“While much of what Microsoft has observed to date suggests that threat actors DEV0586 and IRIDIUM are operating sparingly in executing destructive attacks by limiting malware deployments to specific target networks,” Microsoft DSU added.
“However, Russia-aligned nation-state actors are actively seeking initial access to government and critical infrastructure organizations around the world, suggesting possible future targets.”
Today’s report follows one published by the Google Threat Analysis Group (TAG) in late March, revealing coordinated phishing attacks by a Russia-based threat group against NATO and European militaries.
Another Google TAG report from early March on malicious activity tied to the Russian war in Ukraine exposed efforts by Russian, Chinese, and Belarusian state hackers to compromise Ukrainian and European organizations and officials.
[ad_2]
