Destructive Malware Discovered Targeting Ukrainian SystemsWas Mass Defacement of Government Websites Meant to Serve as a Wiper Smokescreen?
The defacement of multiple Ukrainian government websites last week may have been intended as cover for a destructive malware attack that failed to execute or has yet to be unleashed, some security experts warn.
The defacements occurred Thursday night and Friday morning - local time in Ukraine - as approximately 100,000 Russian troops remained massed on the country's border.
On Saturday, Microsoft reported that it had found multiple attempts to infect Ukrainian government sites with a type of destructive malware it had never seen before, and that the first attack attempts appear to have begun Thursday.
"The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable," Tom Burt, head of customer security and trust at Microsoft, says in a blog post.
In terms of the defacements, the Security Service of Ukraine, or SBU, said more than 70 government websites were targeted and 10 defaced. Despite claims to the contrary in the message posted by defacers, "the content of the sites was not changed, and no personal data was leaked," nor were the underlying systems erased and left unrecoverable, the SBU says.
Ukraine's Kyiv-based SBU, Special Communications Service and Cyber Police on Sunday said "all evidence points to the fact that Russia is behind" the defacements and urged citizens not to panic.
The Russian government has denied launching cyberattacks.
UNC1151 Eyed as Potential Culprit
Reuters reported Saturday that Kyiv suspects that an advanced persistent threat group with ties to Belarus, or potentially Russia, that has the codename UNC1151 - aka Ghostwriter - may have been involved.
Belarus is a close ally of Russia and fellow critic of NATO.
"We're not surprised to see Ukraine link their recent mass defacement incident to UNC1151/Ghostwriter, an information operations actor we have been tracking since 2019," says John Hultquist, vice president of intelligence analysis at Mandiant.
"They are regularly active in Eastern Europe, targeting NATO states and carrying out activity consistent with the interests of Belarus and Russia," he says. "Like Ukraine, we have attributed the group to Belarus based on available evidence, but others have indicated they have ties to Russia. We believe these ties are likely, and they are consistent with the group's behavior."
Ukraine says its investigation is continuing.
Teardown: Destructive Malware
In terms of the destructive malware, the Microsoft Threat Intelligence Center, or MSTIC, on Saturday published a technical teardown of the malicious code, including indicators of compromise. MSTIC is urging all users to review their infrastructure for signs of infection and says the attack campaign may remain underway.
"Our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues," MSTIC says.
"These systems span multiple government, non-profit and IT organizations, all based in Ukraine," it adds. "We do not know the current stage of this attacker's operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact."
Microsoft says the malware is new, and that it is too early to attribute the attack to any group or nation-state. That's reflected in its codename for the attacks, which is DEV-0586. It notes that DEV refers to "a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity."
@CISAgov recommends network defenders review the Microsoft blog on destructive malware targeting Ukrainian organizations. https://t.co/pVRjvpSJnz #Cybersecurity #InfoSec— US-CERT (@USCERT_gov) January 16, 2022
On Sunday, the U.S. Cybersecurity and Infrastructure Security Agency issued a security advisory pointing to Microsoft's alert and recommended that "network defenders review" the analysis.
Defacers Used Easily Exploitable CMS Flaw
The attempt to infect Ukrainian sites with the destructive malware appears to have happened relatively simultaneously with the website defacements. They took the form of a static image with a message written in Ukrainian, Russian and Polish, which warned Ukrainians to "be afraid and expect the worst," and that data had been stolen from the defaced sites.
"Approximately 79 websites were affected, although that includes multiples from single agencies," says Matt Olney, director of threat intelligence and interdiction at Cisco Talos. "It appears that each of these sites was developed on behalf of the government of Ukraine by a Ukrainian firm named Kitsoft."
Some security experts say all of the sites appeared to be using the October content management system, including a vulnerability in the software, designated CVE-2021-32648. Kitsoft had not yet installed a patch for the flaw, although a fix was released last August.
"It's not a zero-day, and it is not particularly complex to exploit," says Katie Nickels, director of intelligence at managed detection and response firm Red Canary. "To put this into broader context, there are likely millions of websites using content management systems with known vulnerabilities right now."
Mandiant's Hultquist notes that UNC1151, aka Ghostwriter, "regularly targets CMS systems as part of their operations," oftentimes "to plant fabricated media stories and other content on the websites of real media outlets and other organizations."
"They have also previously conducted operations designed to sow division between Ukraine and Poland," he says.
Assessment: False and Inexpertly Laid Trail
That's relevant because the defacement message claimed that the defacements were the work of Polish patriots seeking justice for mass killings in 1943 in Poland - then occupied by Nazi Germans - by a nationalist group called the Ukrainian Insurgent Army.
Ukrainian officials have said the Polish message appeared to be an extremely poor translation from a Russian-language original that they were able to reproduce using the Russian Yandex search engine.
Likewise, an analysis of the attacks published Monday by the computer security incident response team - CSIRT - at Poland's Ministry of Defense notes that the image posted to the defaced websites included GPS coordinates for a parking lot at the Warsaw School of Economics.
"Remember, however, that the graphic file in question, which appeared on the compromised websites, is not a photo, so the geographic data was probably added manually," CSIRT says.
Whoever manually added the data apparently got their coordinates wrong. CSIRT says that it "suspects that the real intention of the adversary was to use the geolocation of the General Staff of the Polish Army to lead potential analysts and the public to a false, controversial trail."
How Are Attacks Connected?
One open question is whether the defacements and malware attack were meant to have been better coordinated. For example, were the defacements intended to appear at the same time that thousands of PCs at dozens of different Ukrainian government agencies were bricked by wiper malware?
"One inference that could be drawn from the poor timing coordination is that the two ops were executed by different threat actors," says the operational security expert known as the Grugq in a blog post.
"Difficulties in managing multi-state multi-service operations could easily lead to synchronization failures," he says. "Coordinating multiple operations is feasible within a single organization. Across multiple services in multiple states however, the difficulties grow exponentially."