Ukraine attributes cyberattacks to Russia, and Microsoft's analysis of the incidents suggests the attackers may have used a wiper.

Ukraine has now attributed last week's cyberattacks to Russian operators, and Kyiv has found some support for its conclusion among other governments. Microsoft on Saturday released a report on the malware used in the attacks: it was a wiper that represented itself as ransomware. NATO considers its options for defense, deterrence, and response.

Kyiv has accused Russian services of carrying out last week's cyberattacks (with some possible assistance from Belarus). "Moscow continues to wage a hybrid war and is actively building forces in the information and cyberspace," Ukraine's Ministry of Digital Transformation said this weekend. Kyiv's view is that the operation is a continuation of a hybrid war Russia has waged against Ukraine since its 2014 invasion of Crimea. Ukraine's State Service for Special Communications described the attacks as hitting seventy government "sites or resources," ten of which were "subjected to unauthorized interference." But the service claimed that no personal data were leaked, and that most affected sites were quickly restored to normal. The State Service added some details about how the attackers obtained access to the sites: it was a supply chain attack. "The attackers hacked the infrastructure of a commercial company that had administrative access to the web resources affected by the attack." Which commercial vendor was hit remained unspecified. (It's worth noting that a supply chain attack through M.E.Doc tax preparation software was used in 2017's NotPetya attack, which has been generally attributed to Russian intelligence services.)

The cyber operations, coming as they do as Russian troops are reported to have marshaled in assembly areas near the Ukrainian border, have been received by NATO as battlespace preparation. The US has said that the cyberattacks have the hallmarks of a disinformation operation intended to afford Russia a pretext for military action. Foreign Policy quotes an anonymous US official at length on how this might be accomplished. “Russia is laying the groundwork to have the option of fabricating a pretext for invasion, including through sabotage activities and information operations, by accusing Ukraine of preparing an imminent attack against Russian forces in eastern Ukraine," the source said. An attack against deniable, Russian-proxy forces that have been operating in the Donbass region of Eastern Ukraine since 2014 is thought most likely. The anonymous official added, “The Russian military plans to begin these activities several weeks before a military invasion, which could begin between mid-January and mid-February. We saw this playbook in 2014 with Crimea.”

Ukraine's Ministry of Digital Transformation agrees that the cyberattacks represented, at one level, disinformation in the service of influence operations. "Its goal is not just to intimidate society, but to destabilize the situation in Ukraine by stopping the public sector's work and undermining Ukrainians' confidence in their government."

The cyberattacks may also have been intended to provide cover for other, more destructive operations. Microsoft said on Saturday that it hadn't been able to draw connections between Friday's cyberattacks against Ukraine and any of the threat actors it tracks. It is, however, confident that the attack involved the use of a wiper, that is, malware whose intent was the destruction of data, not their temporary denial (as in a conventional ransomware attack) or their theft. The operation is being called "WhisperGate," and Microsoft has given the threat actor behind it the temporary tracking identifier DEV-0586. The attack is, Microsoft says, a two-stage operation. Stage one overwrites the Master Boot Record "to display a faked ransom note." Stage two of the attack installs file-corrupter malware. That malware is still undergoing analysis. Microsoft has provided a set of indicators of compromise (IOCs) organizations can use to assess their risk.

Ukrinform reports that NATO, having condemned last week's cyberattacks, is working on closer cooperation on cyber defense with Ukraine. According to Reuters, the US has offered Ukraine "whatever it needs" to recover from those attacks, and Interfax-Ukraine says that Franco-American talks have addressed common preparations to render such aid to Kyiv.

Russia denies any involvement in the cyberattacks, and disclaims any intention to invade Ukraine. Kremlin spokesman Dmitry Peskov said, in a CNN interview, “We have nothing to do with it. Russia has nothing to do with these cyber-attacks. Ukrainians are blaming everything on Russia, even their bad weather in their country.”

That said, Russian President Vladimir Putin has given the US (and by implication NATO) a soft deadline for meeting Russia's demands--it's set to expire, roughly, on January 20th. He's outlined three demands, Russia Matters reports:
