WASHINGTON — Microsoft warned Saturday evening that it had detected a highly destructive form of malware in dozens of government and private computer networks in Ukraine that appeared to be waiting to be triggered by an unknown actor.
In a blog post, the company said that Thursday — around the same time government agencies in Ukraine found that their websites had been defaced — investigators who watch over Microsoft’s global networks detected the code. “These systems span multiple government, nonprofit and information technology organizations, all based in Ukraine,” Microsoft said.
On Sunday, President Joe Biden’s national security adviser, Jake Sullivan, said the government was examining the code that Microsoft first reported. “We’ve been warning for weeks and months, both publicly and privately, that cyberattacks could be part of a broad-based Russian effort to escalate in Ukraine,” Sullivan said on CBS’ “Face the Nation,” noting Russia’s long history of using cyberweapons against Ukraine’s power grid, government ministries and commercial firms.
But he cautioned that “we have not specifically attributed this attack yet” and that Microsoft and other firms had not, either. “But we’re working hard on attribution,” he said, adding that “it would not surprise me one bit if it ends up being attributed to Russia.”
The code appears to have been deployed around the time that Russian diplomats, after three days of meetings with the United States and NATO over the massing of Russian troops at the Ukrainian border, declared that the talks had essentially hit a dead end.
Ukrainian officials initially blamed a group in Belarus for the defacement of their government websites, though they said they suspected Russian involvement. The Ministry of Digital Development said in a statement Sunday that a number of government agencies had been struck by destructive malware, presumably the same code that Microsoft reported.
“All evidence indicates that Russia is behind the cyberattack,” the statement said. “Moscow continues to wage a hybrid war and is actively building up its forces in the information and cyberspaces.”
But the ministry provided no evidence, and early attribution of attacks is frequently wrong or incomplete.
Microsoft said that it could not yet identify the group behind the intrusion but that it did not appear to be an attacker that its investigators had seen before.
The code, as described by the company’s investigators, is meant to look like ransomware — it freezes up all computer functions and data, and demands a payment in return. But there is no infrastructure to accept money, leading investigators to conclude that the goal is to inflict maximum damage, not raise cash.
It is possible that the destructive software has not spread too widely and that Microsoft’s disclosure will make it harder for the attack to metastasize. But it is also possible that the attackers will now launch the malware and try to destroy as many computers and networks as possible.
“We made it public in order to give the government, organizations and entities in Ukraine the chance to find the malware and remediate,” said Tom Burt, Microsoft’s vice president for customer security and trust, who directs the company’s efforts to detect and head off attacks. In this case, he said, investigators from the company’s cybercrimes unit saw unusual action in the networks it usually polices.
Warnings like the one from Microsoft can help abort an attack before it happens, if computer users look to root out the malware before it is activated. But it can also be risky. Exposure changes the calculus for the perpetrator, who, once discovered, may have nothing to lose in launching the attack, to see what destruction it wreaks.
So far there is no evidence that the destructive malware has been unleashed by the hackers who placed it in the Ukrainian systems. But Sullivan, pressed on whether the United States would begin to invoke financial and technological sanctions if Russia’s attacks were limited to cyberspace, rather than a physical invasion, said it was important first to get a definitive finding on the source of the attack.
“If it turns out that Russia is pummeling Ukraine with cyberattacks,” he said, “and if that continues over the period ahead, we will work with our allies on the appropriate response.”
Sullivan said that the United States had been working with Ukraine to harden its systems and U.S. networks if the string of ransomware and other attacks from Russia accelerates in the United States.
For President Vladimir Putin of Russia, Ukraine has often been a testing range for cyberweapons.
An attack on Ukraine’s Central Election Commission during a presidential election in 2014, in which Russia sought unsuccessfully to change the result, proved to be a model for the Russian intelligence agencies; the United States later found that they had infiltrated the servers of the Democratic National Committee in the United States. In 2015, the first of two major attacks on Ukraine’s electric grid shut off the lights for hours in different parts of the country, including in Kyiv, the capital.
And in 2017, businesses and government agencies in Ukraine were hit with destructive software called NotPetya, which exploited holes in a type of tax preparation software that was widely used in the country. The attack shut down swaths of the economy and hit FedEx and shipping company Maersk as well; U.S. intelligence officials later traced it to Russian actors. That software, at least in its overall design, bears some resemblance to what Microsoft warned of Saturday.
The new attack would wipe hard drives clean and destroy files. Some defense experts have said such an attack could be a prelude to a ground invasion by Russia. Others think it could substitute for an invasion, if the attackers believed a cyberstrike would not prompt the kind of financial and technological sanctions that Biden has vowed to impose in response.
John Hultquist, a leading cyberintelligence analyst at Mandiant, said Sunday that his firm had been telling its clients “to prepare for destructive attacks, including attacks that are designed to resemble ransomware.”
He noted that the Russian hacking unit known as Sandworm, which has since been closely linked to the Russian military intelligence agency, the GRU, had spent recent years developing “more sophisticated means of critical infrastructure attack,” including in Ukraine’s power grid.
“They also perfected the fake ransomware attack,” Hultquist said, referring to attacks that are meant, at first, to look like a criminal extortion effort but are actually intended to destroy data or cripple an electric utility, a water or gas supply system, or a government ministry. “They were doing this before NotPetya, and they tried many times after.”