Microsoft said late Saturday that dozens of computer systems at an unspecified number of Ukrainian government agencies have been infected with destructive malware disguised as ransomware, a disclosure suggesting an attention-grabbing defacement attack on official websites was a diversion.
The extent of the damage was not immediately clear.
The attack comes as the threat of a Russian invasion of Ukraine looms and diplomatic talks to resolve the tense stand-off appear stalled.
Microsoft said in a short blog post that amounted to the clanging of an industry alarm that it first detected the malware on Thursday. That would coincide with the attack that simultaneously took some 70 government websites temporarily offline.
The disclosure followed a Reuters report earlier in the day quoting a top Ukrainian security official as saying the defacement was indeed cover for a malicious attack.
Separately, a top private sector cybersecurity executive in Kyiv told The Associated Press how the attack succeeded: The intruders penetrated the government networks through a shared software supplier in a so-called supply-chain attack in the fashion of the 2020 SolarWinds Russian cyberespionage campaign targeting the U.S. government.
Microsoft said in a different, technical post that the affected systems “span multiple government, non-profit, and information technology organizations.” It said it did not know how many more organizations in Ukraine or elsewhere might be affected but said it expected to learn of more infections.
“The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable,” Microsoft said. In short, it lacks a ransom recovery mechanism.
Microsoft said the malware “executes when an associated device is powered down,” a typical initial reaction to a ransomware attack.
Microsoft said it was not yet able to assess the intent of the destructive activity or associate the attack with any known threat actors. The Ukrainian security official, Serhiy Demedyuk, was quoted by Reuter s as saying the attackers used malware similar to that used by Russian intelligence. He is deputy secretary of the National Security and Defense Council.
AP