Cyberattack in Ukraine: Microsoft warns that it could render government IT structure inoperative


Alexander Boero

January 17, 2022 at 11:17 a.m.


Many questions remain, but Microsoft knows more about attackers’ intentions

A major cyberattack hit Ukraine again a few days ago. According to Microsoft, which is monitoring the incident, the attackers are not after money: their target is the functioning of the government's IT infrastructure.

After the massive cyberattack that took many Ukrainian government sites offline and replaced them with rather intimidating messages about data leaks, it is time for investigations. Microsoft, via its Threat Intelligence Center (MSTIC), delivered its first results this weekend, and the least one can say is that they are not very reassuring.

A cyberattack falsely disguised as ransomware

In a blog post, Microsoft says it identified troubling intruder activity originating in Ukraine on January 13. The company says it then discovered a unique malware capability, used in intrusion attacks against several victim organizations in the country.

The malware first uses an executor of the kind usually employed by attackers for lateral movement and execution. It then overwrites the Master Boot Record (MBR), the first addressable sector of a hard drive, which holds the disk's partition table and starts the operating system when the computer boots. This step, which corrupts the drive, is accompanied by a ransom note containing a Bitcoin wallet and a Tox identifier, neither of which Microsoft had observed before.

The pernicious part is that what looks like ransomware is actually just a decoy: the malware destroys the MBR and the targeted files outright. There is no mechanism to recover the data after a ransom payment. Its sole purpose is to destroy and render the targeted systems inoperative. "The malware (…), designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and is designed to render targeted devices inoperable, rather than obtaining a ransom," Microsoft explains plainly.
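As an added illustration from a defender's standpoint (not code from the article or from Microsoft), the following script parses a 512-byte MBR as the article describes it (partition table, boot signature) and flags a sector that no longer matches a known-good baseline, which is the state an MBR overwrite such as the one described leaves behind. Both sample sectors are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr() -> bytes:
    """Constructed sample MBR: empty boot code, one NTFS partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

def sector_sha256(sector: bytes) -> str:
    """Hash of the raw sector, recorded once as the known-good baseline."""
    return hashlib.sha256(sector).hexdigest()

def parse_mbr(sector: bytes) -> dict:
    """Decode the boot signature and the four partition entries of a 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0x00:  # type 0x00 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"valid_signature": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a freshly read sector against the baseline and return a list of findings."""
    findings = []
    if sector_sha256(sector) != baseline_sha256:
        findings.append("sector hash differs from baseline")
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty or destroyed")
    return findings

if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sector_sha256(good)
    # constructed: the same sector after being overwritten with an arbitrary text blob
    wiped = b"placeholder note text".ljust(SECTOR_SIZE, b"\x00")
    print(check_mbr(good, baseline))    # []
    print(check_mbr(wiped, baseline))   # three findings
```

On a real host the sector would be read from the raw disk device rather than constructed, and the baseline hash stored off-host so a wiper cannot destroy it along with the MBR.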

A desire to bring down government systems, with more targeted sites than originally thought

Going a little further in its analysis, Microsoft, which makes no reference to Russia (suspected of being behind the attack, although there is no evidence to confirm it at this stage), says it is "aware of the current geopolitical events in Ukraine" and indicates that it has found no link between the observed attack and any known cybercriminal group. For now, the group and the country of origin of the attack remain unknown. But the scale of the cyberattack appears far greater than originally imagined.

"Our investigation teams have identified the malware on dozens of affected systems and this number may increase as our investigation continues," adds the American firm.

It says the systems affected so far span a wide range of government bodies, not-for-profit organizations and organizations working in the ICT sector, all based in Ukraine. The Microsoft research team also confirms that the impact is likely to be greater than initially thought.

Source: Microsoft
