Microsoft warns of cyberattack on Ukrainian computer networks
WASHINGTON — Microsoft warned late Saturday that it had detected a highly destructive form of malware in dozens of government and private computer networks in Ukraine that appeared to be waiting to be triggered by an unknown actor.
In a blog post, the company said that on Thursday — around the same time Ukrainian government agencies discovered their websites had been defaced — investigators monitoring Microsoft’s global networks detected the code. “These systems span multiple government, nonprofit, and information technology organizations, all based in Ukraine,” Microsoft said.
The code appears to have been rolled out around the time Russian diplomats, after three days of meetings with the United States and NATO over the buildup of Russian troops on the Ukrainian border, said the talks were essentially in deadlock.
Ukrainian officials blamed the defacing of their government websites on a group in Belarus, though they said they suspected Russian involvement. But early attribution of attacks is often wrong, and it was unclear whether the defacement was related to the much more destructive code that Microsoft said it detected.
Microsoft said it could not yet identify the group behind the intrusion, but it was not an attacker its investigators had seen before.
The code, as described by company investigators, is believed to resemble ransomware — it freezes all computer functions and data and demands payment in return. But there is no infrastructure to accept money, leading investigators to conclude that the goal is to inflict maximum damage, not raise funds.
It’s possible that the destructive software didn’t spread too widely and that Microsoft’s disclosure would make it more difficult for the attack to metastasize. But it’s also possible that the attackers are now launching the malware and trying to destroy as many computers and networks as possible.
Warnings like Microsoft’s can help stop an attack before it happens, if computer users seek to eliminate malware before it is activated. But it can also be risky. Exposure changes the calculus for the perpetrator, who, once discovered, may have nothing to lose by launching the attack, to see what destruction it wreaks.
For Russian President Vladimir V. Putin, Ukraine has often been a testing ground for cyber weapons.
An attack on Ukraine’s Central Election Commission during a presidential election in 2014, in which Russia unsuccessfully sought to alter the result, proved to be a model for Russian intelligence agencies; the United States later discovered that Russia had infiltrated the Democratic National Committee’s servers in the United States. In 2015, the first of two major attacks on Ukraine’s power grid knocked out lights for hours in different parts of the country, including in the capital, Kyiv.
And in 2017, businesses and government agencies in Ukraine were hit with destructive software called NotPetya, which exploited flaws in a type of tax preparation software widely used in the country. The attack paralyzed entire sectors of the economy and also affected FedEx and the shipping company Maersk; US intelligence officials later traced it to Russian actors. That software, at least in its overall design, bears some resemblance to what Microsoft warned about on Saturday.
The new attack would erase hard drives and destroy files. Some defense experts have said such an attack could be the prelude to a ground invasion by Russia. Others believe it could replace an invasion, if attackers believed a cyberattack wouldn’t result in the kind of major sanctions President Biden pledged to impose in response.