‘Russian’ Wiper Malware: ‘Prelude to war’ in Ukraine

Ukraine, surrounded on three sides by massed Russian military, is again under malware attack. And the tactics look strikingly similar to 2017’s NotPetya hack on Ukraine by the Russian GRU.

This time, as in 2017, government networks have been infected by what looks like ransomware, but is actually destructive “wiper” code. It seems to have sneaked in under cover of last week’s website vandalism, which Russia is also accused of perpetrating—albeit as a false-flag attack, making it look like it was Polish hackers.

Yet Putin is also helping Biden—by arresting alleged REvil gang members. In today’s SB Blogwatch, we ponder an ulterior motive.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Enjoy the balance.

Operation Himmler Redux?

What’s the craic? David E. Sanger reports—“Destructive Cyberattack on Ukrainian Computer Networks”:

Prelude to a ground invasion
The code appears to have been deployed around the time that Russian diplomats, after three days of meetings with the United States and NATO over the massing of Russian troops at the Ukrainian border, declared that the talks had essentially hit a dead end. Ukrainian officials … said they suspected Russian involvement.

The code … is meant to look like ransomware — it freezes up all computer functions and data, and demands a payment in return. But there is no infrastructure to accept money, leading investigators to conclude that the goal is to inflict maximum damage.

For President Vladimir V. Putin of Russia, Ukraine has often been a testing range for cyberweapons. … Some defense experts have said such an attack could be a prelude to a ground invasion. … Others think it could substitute for an invasion, if the attackers believed a cyberstrike would not prompt the kind of major sanctions that President Biden has vowed to impose.

And Andy Greenberg adds historical context—“Destructive Hacks Against Ukraine Echo Its Last Cyberwar”:

NotPetya
For weeks, the cybersecurity world has braced for destructive hacking that might accompany or presage a Russian invasion of Ukraine. Now, the first wave of those attacks appear to have arrived. [It] uses techniques that hint at a rerun of Russia’s massively disruptive campaign of cyberwar that paralyzed Ukraine … in years past.

The malware’s destructive techniques … carry eerie reminders of data-wiping cyberattacks Russia carried out against Ukrainian systems from 2015 to 2017. … A group of hackers known as Sandworm, later identified as part of Russia’s GRU military intelligence agency, used [similar] malware … to wipe hundreds of PCs inside Ukrainian media, electric utilities, railway system, and government agencies. [It] culminated with Sandworm’s release of the NotPetya worm.

Horse’s mouth? Microsoft’s Tom Burt—“Malware attacks targeting Ukraine government”:

Cybersecurity community
The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable. … We have not identified notable overlap between … the group behind these attacks and groups we’ve traditionally tracked, but we continue to analyze.

We have also notified each of the impacted organizations we have identified so far, partnered with other cybersecurity providers to share what we know, and notified appropriate government agencies in the United States and elsewhere. … We will continue to work with the cybersecurity community to identify and assist targets and victims. … We see no indication so far that these attacks utilize any vulnerability in Microsoft products and services.

Aside from presumed motive, why should we think this was Russia? Euromaidan Press concludes a false-flag op:

Russian version
Ukraine is under a massive cyberattack purporting to originate from Poland. We found out that the hackers used a Russian translation service and weren’t Polish or Ukrainian natives.

We used Google Translate and its Russian clone, Yandex Translate, to machine-translate each version of the text into two other languages, which showed that hackers had used Yandex. … The Ukrainian text has a mistake which is pretty hard to make for a native speaker, while … the Polish version “is written in a way that suggests that a not very good translator was used,” which leaves the Russian version the best candidate.

Surrounded on three sides? High profile false-flag operation? Precordial thump sounds worried:

Ukraine in 2022 is starting to look just like Poland in 1939.

But what do we know about the group? Think back to last week’s news. Here’s Christopher Burgess—“Russia’s FSB Arrests REvil Players”:

At the request of the United States
The FSB, in a joint effort with the Ministry of Internal Affairs (MVD) executed a successful takedown of individuals associated with REvil in a series of coordinated efforts. … The raids, which included searching 25 addresses, resulted in the arrest of 14 individuals and the seizure of 426 million rubles ($5.6 million) including cryptocurrency, USD$600,000, Euro €500,000, computer equipment, cryptocurrency wallets and 20 premium cars.

The FSB noted that their actions were made at the request of the United States.

Is that the real reason? Elwood_87 thinks not:

Now we know why Putin finally did something about that ransomware gang. He wanted to militarize their talents in his bid to invade Ukraine. This won’t end well.

O RLY? Plest imagines the scene:

Well, we know what happened 5 mins after the FSB busted into the room: “Listen guys, you sign this document and you take the government cyberhacking jobs—or you’d better … have packed plenty of warm underwear ‘cos it gets really cold up in those hidden Siberian gulags this time of year.”

Wanna bet? Don’t, suggests jamesb2147:

You'd lose your shirt
This shows “goodwill progress” in the relationship between Russia and the US, which makes it harder for the US to justify the firmest tactics when Russia invades Ukraine in the coming weeks. Coincidence is possible, but with Russia, you’d lose your shirt betting on it.

Meanwhile, did someone say, “Highly destructive form of malware”? Rosco P. Coltrane can’t resist:

It’s called Windows.

And Finally:

Get the silence right

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Steve Harvey (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, and NetApp, on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
