WhisperGate Strikes Ukraine

This month, geopolitical tensions between Ukraine and Russia are extremely high, and Ukraine has been targeted by cyberattacks that defaced government websites and wiped data. On January 19, 2022, Bloomberg reported that, according to U.S. Secretary of State Antony Blinken, around 100,000 Russian troops had amassed on the border between Ukraine and Russia. The buildup has stoked fears of an invasion, and the cyberattacks have added to an already tense situation.

According to Katharina Krebs and Jake Kwon of CNN, Ukrainian government websites were defaced with threatening messages on January 14. The Cisco Talos Intelligence Group reported that almost 80 Ukrainian government websites were defaced. The messages placed on the defaced sites told Ukrainians to “be afraid and wait for the worst” and claimed that their personal information had been stolen. Whether any data was actually taken is unclear: on January 16, Lawrence Abrams of Bleeping Computer noted that the attackers published the supposedly stolen data on a hacking forum, but other threat actors said the data is unrelated to the Ukrainian government.

On January 15, the Microsoft Threat Intelligence Center (MSTIC) reported the discovery of a destructive malware family, dubbed WhisperGate, that it first observed on Ukrainian systems on January 13. WhisperGate is wiper malware masquerading as ransomware. When an infected Windows computer is shut down and turned back on, it displays a ransom note demanding $10,000 in Bitcoin. The note is a ruse. Ransomware encrypts the victim’s files and sells the decryption key; WhisperGate instead overwrites the files irrecoverably and leaves the computer unbootable, so paying the ransom cannot restore anything.

The two cyberattacks appear to be part of a coordinated effort. On January 18, journalist Kim Zetter reported that WhisperGate wiped the data of dozens of systems at a few Ukrainian government agencies, and that Ukrainian officials believe the data wipes and the website defacements were part of a multi-pronged operation. As reported by Zetter, deputy director Victor Zhora of Ukraine’s State Services for Special Communication and Information Protection (SSSCIP) noted that the defacements and data wipes happened at the same date and time at the same agencies. On January 21, the Cisco Talos Intelligence Group reported that the attackers used stolen credentials and “likely had access to the victim network for months before the attack,” a trait shared by Advanced Persistent Threat (APT) groups. APTs are coordinated and stealthy: they gain access to targeted systems, remain undetected for long periods, and are often supported by nation states. Given that the attacks appear to have been coordinated and are geopolitical in nature, the attackers are likely a nation-state APT.

The MSTIC report contains a technical analysis of WhisperGate, and CrowdStrike published its own technical analysis on January 19. According to these analyses, WhisperGate consists of three components, a malicious bootloader, a downloader, and a file wiper, and does its damage in two stages. In the first stage, the malicious bootloader overwrites the Master Boot Record (MBR) with code that displays the fake ransom note. The MBR is the first sector of the boot disk; it holds the partition table and the small bootstrap program that locates the operating system (OS) so it can be booted (started). Normally that bootstrap code hands off to the OS loader, which brings the OS into memory. Because the bootstrap code has been replaced, the next time the machine is powered on it shows the ransom note instead of booting, and the computer is inoperable. In the second stage, the downloader retrieves the file wiper from a Discord channel, and the wiper overwrites the contents of files whose extensions match a hard-coded list of common document and data types, so the files are unrecoverable even if the MBR were repaired.
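To make the MBR layout concrete, here is an added example of the check a responder would run on a disk image after an incident like this one. It is not code from the MSTIC or CrowdStrike reports and not WhisperGate’s own code; it parses a 512-byte boot sector into its bootstrap code, partition table and 0x55AA signature, and compares the bootstrap code against a known-good hash. The two sample sectors, the baseline hash, and all function and constant names are constructed for the example.

```python
"""Parse a 512-byte MBR sector and flag signs that its bootstrap code was replaced."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445 hold the bootstrap code
PARTITION_ENTRY_SIZE = 16       # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split one sector into boot-code hash, used partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_SIZE]
    partitions = []
    for i in range(4):
        offset = BOOT_CODE_SIZE + i * PARTITION_ENTRY_SIZE
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:  # partition type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def assess_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("no partition entries")
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    return findings


def build_mbr(boot_code: bytes, partitions, signature: bool = True) -> bytes:
    """Assemble a sector from parts (used only to construct test data, not a real disk image)."""
    table = b""
    for bootable, ptype, lba_start, sectors in partitions:
        table += struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba_start, sectors)
    table = table.ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    tail = BOOT_SIGNATURE if signature else b"\x00\x00"
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + tail


# Constructed sample: a placeholder bootstrap stub with one bootable NTFS partition (type 0x07).
GOOD_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(True, 0x07, 2048, 1_000_000)])
BASELINE_HASH = parse_mbr(GOOD_MBR)["boot_code_sha256"]

# Constructed sample of a post-attack sector: bootstrap bytes replaced by note text and the
# partition table zeroed; the signature is left intact so the hash comparison does the work.
TAMPERED_MBR = build_mbr(b"Your hard drive has been corrupted.", [])


def demo() -> tuple:
    """Assess both constructed sectors against the baseline."""
    return assess_mbr(GOOD_MBR, BASELINE_HASH), assess_mbr(TAMPERED_MBR, BASELINE_HASH)


if __name__ == "__main__":
    good, bad = demo()
    print("known-good sector:", good or "no findings")
    print("tampered sector:  ", bad)
```

On a live system the sector comes from the raw device (for example the first 512 bytes of `/dev/sda` on Linux, or `\\.\PhysicalDrive0` on Windows, both requiring administrator rights); the baseline hash should be recorded from a clean image of the same build, since bootstrap code differs between OS versions and boot managers.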

In response to the cyberattacks against Ukraine, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published CISA Insights: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats. The document lists steps every organization in the U.S. can take to reduce the risk of serious damage from a cyberattack. Organizations in the U.S. that work with Ukrainian organizations should “take extra care to monitor, inspect, and isolate traffic from those [Ukrainian] organizations” and “closely review access controls for that traffic.” Enforcing multi-factor authentication for remote and administrative access is also on CISA’s list. Multi-factor authentication blunts the credential-based intrusions that precede ransomware and wiper deployments, including the stolen-credential access Talos described in this case. Organizations of any size should review CISA’s recommendations to validate the security of their infrastructure.

Evan Mulloy
Associate Software Developer at SD Solutions LLC

Evan Mulloy has been a passionate programmer since the age of 12. He enjoys coding in a wide variety of languages, as well as studying new concepts related to computer science and cybersecurity.

