Cyber operations against government systems in Ukraine (January 2022)
|Date||10 January 2022: Wiper malware (‘Whispergate’) was compiled and dropped on victim systems.
13 January 2022: Whispergate first appeared on the victim systems.
14 January 2022: Defacement.
|Suspected actor||Defacement: Serhiy Demedyuk, deputy secretary of Ukraine’s National Security and Defense Council, stated that Ukraine believes ‘preliminarily’ that a hacker group linked to Belarus, known as ‘UNC1151’, may have been involved in the cyber operations. As of 28 February 2022, Belarus has not publicly responded to these accusations.
Whispergate: Ukraine’s Ministry of Digital Transformation stated that all the evidence points to the fact that Russia is behind the recent attacks on Ukraine’s government websites. Russia has denied any involvement in the incident.
|Target||Defacement: Approximately 70 Ukrainian governmental websites of both central and regional authorities, including the Ministry of Foreign Affairs, the Ministry of Education, etc.
Whispergate: Malware was found on dozens of Ukrainian governmental systems and on systems of organizations that work closely with the Ukrainian government, such as an IT firm that manages websites of government agencies.
|Target systems||Defacement: Government websites using the ‘OctoberCMS’ content-management program and/or managed by the company ‘Kitsoft’.
Whispergate: Government agencies, non-profit organizations and enterprises located or with systems in Ukraine.
|Method||Defacement: Most of the affected websites were using the same content-management program — OctoberCMS — which led investigators to believe the hackers had compromised the websites using a known vulnerability in the OctoberCMS software. But about 50 of the 70 affected sites were also developed and managed by a Ukrainian company called ‘Kitsoft’. Investigators eventually determined that Kitsoft had been compromised, which allowed the hackers to gain access to Kitsoft’s administrator panel and use the company’s credentials to deface customer websites.
Whispergate: The software, designated DEV-0586, was designed to look like ransomware, but lacked a recovery feature. Microsoft Threat Intelligence Center (MSTIC) reported that the malware was programmed to execute when the targeted device was powered down. The malware would overwrite the master boot record (MBR) with a generic ransom note. Next, the malware would download a second .exe file, which would overwrite all files with certain extensions from a predetermined list, deleting all data contained in the targeted files.
|Purpose||Defacement: The general purpose of defacement is not to access or to steal data, but to leave a message. The Ukrainian authorities considered it a cover for more destructive actions behind the scenes, such as the destructive wiper malware ‘Whispergate’ that was detected a few days later.
Whispergate: The ransomware payload differs from a standard ransomware attack in several ways, indicating a solely destructive intent.
|Result||Defacement: The hackers replaced the websites with a text in Ukrainian, erroneous Polish, and Russian, which stated “be afraid and wait for the worst” and alleged that personal information had been leaked to the internet. However, most websites were restored within a few hours.
Whispergate: The malware wiped seven workstations at one government agency in Ukraine and a combination of workstations and servers at another agency.
|Aftermath||Given the scale of the observed intrusions, MSTIC considered ‘Whispergate’ a risk to any government agency, non-profit or enterprise located or with systems in Ukraine. MSTIC consequently encouraged all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in its blogpost.
In light of these occurrences, the US Department of Homeland Security has warned of potential cyber attacks against the US. Similarly, the European Central Bank has reminded banks to keep up their cyber defences.
NATO Secretary-General Jens Stoltenberg said that his cyber experts in Brussels were exchanging information with their Ukrainian counterparts on the malicious cyber activities and would sign an agreement on enhanced cyber cooperation.
|Analysed in||Scenario 12: Cyber operations against computer data|
Collected by: Maxime Nijs
- Silas Cutler, ‘Whispers in the noise: A technical overview and the historic context of WhisperGate’, Stairwell Threat Research Blog, 18 January 2022.
- Microsoft Threat Intelligence Center (MSTIC), ‘Destructive malware targeting Ukrainian organizations’, 15 January 2022.
- Pavel Polityuk, ‘Ukraine suspects group linked to Belarus intelligence over cyberattack’, Reuters, 16 January 2022.
- Cynthia Brumfield, ‘Russia-linked cyberattacks on Ukraine: A timeline’, CSO United States, 19 January 2022.
- ‘Ukraine says evidence points to Russia being behind cyber-attack’, The Guardian, 16 January 2022.
- Katharina Krebs and Jake Kwon, ‘Cyberattack hits Ukraine government websites’, CNN, 15 January 2022.
- For a detailed technical analysis: ‘Analysis of Destructive Malware (WhisperGate) targeting Ukraine’, Medium, 18 January 2022.
- ‘Ukraine cyber-attack: Russia to blame for hack, says Kyiv’, BBC, 14 January 2022.
- Kim Zetter, ‘Hackers were in Ukraine systems months before deploying wiper’, Substack, 21 January 2021.
- Sean Lyngaas, ‘DHS warns of potential Russia cyberattacks amid tensions’, CNN, 24 January 2022.
- Nicholas Comfort, ‘Banks told to be vigilant on cyber risk as Russia tensions rise’, Bloomberg, 7 February 2022.
- Statement by the NATO Secretary General on cyber-attacks against Ukraine, 14 January 2022.