Ukraine: Wiper malware masquerading as ransomware hits government organizations

In the wake of last week’s attention-grabbing defacements of many Ukrainian government websites, Microsoft researchers have revealed evidence of a malware operation targeting multiple organizations in Ukraine, deploying what seems to be ransomware but is actually Master Boot Records (MBR) wiper malware.

The defacements

“On the night of January 13-14, a number of government websites, including the Ministry of Foreign Affairs, the Ministry of Education and Science and others, were hacked. Provocative messages were posted on the main page of these sites. The content of the sites was not changed and the leakage of personal data, according to preliminary information, did not occur,” the Computer Emergency Response Team of Ukraine (CERT-UA) said.

The team noted that it’s possible that the attackers exploited CVE-2021-32648, a vulnerability in the October CMS, to reset the admin account password and gain access to it, allowing them to post the taunting messages.

The malware operation

Late on Saturday, Microsoft shared information and IOCs related to a malware campaing targeting Ukrainian organizations.

According to their research, the malware first appeared on victim systems on January 13.

“The organizations affected by this malware include government agencies that provide critical executive branch or emergency response functions and an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced,” the researchers noted.

“We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.”

The malware – dubbed WhisperGate – first overwrites the MBR on victim systems and displays a ransom note, and then executes when the target device is powered down.

“The malware resides in various working directories, including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is often named stage1.exe. In the observed intrusions, the malware executes via Impacket, a publicly available capability often used by threat actors for lateral movement and execution,” they shared.

“Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader.”

The “corrupter” locates files with a wide variety of file extensions and overwrites the contents of the file with a fixed number of 0xCC bytes.

Based on the capabilities and activity of the malware, as well as the content of the ransomware note, the researchers believe that the attackers are not part of a cybercriminal ransomware gang.

Microsoft has notified customers that have been targeted / compromised and are advising government agencies, non-profits and enterprises located or with systems in Ukraine to use the provided IOCs to investigate whether their systems and networks have been compromised.

They have also urged them to review all authentication activity for remote access infrastructure, to enable MFA for all remote connectivity, and to enable controlled folder Access (CFA) in Microsoft Defender for Endpoint (if they use it) to prevent MBR/VBR modification.

Attack attribution

While Microsoft did not make a definite connection between this activity and a previously known threat actor, the malware campaign is evocative of the 2017 NotPetya attacks against businesses and government entities in the Ukraine and around the world, which has been attributed by several Western governments to the Russian military, i.e., the Sandworm Team – hacking group that is believed to be a part of Unit 74455 of the Russian Main Intelligence Directorate (GRU).

Add to this the current geopolitic situation in and around Ukraine, and it seems logical to suspect that Russian threat actors – whether sponsored by the Russian Federation or not – are the source of the attacks. Still, there is no concrete evidence so far either way, so that remains a speculation.

UPDATE (January 24, 2022, 8:35 a.m. ET):

Cisco Talos researchers have published additional technical information about the wiper malware and how it’s used.

In short, they found that “The multi-stage infection chain downloads a payload that wipes the MBR, then downloads a malicious DLL file hosted on a Discord server, which drops and executes another wiper payload that destroys files on the infected machines. The fourth-stage wiper payload is probably a contingency plan if the first-stage wiper fails to clear the endpoint.”