Hackers who unleashed malicious software on computers in Ukraine, Latvia and Lithuania had been inside the targeted systems for months, cybersecurity experts said, suggesting careful preparation for potentially damaging attacks across borders.
The deployment of the so-called wiper malware, which can delete data on a targeted machine, came Wednesday, hours before the Kremlin launched airstrikes and a land offensive across swaths of Ukraine. President Joe Biden said the attacks amounted to “a premeditated war that will bring a catastrophic loss of life and human suffering.”
While the people behind the cyberattacks are unknown, Western officials have for months warned that a hybrid war on Ukraine might have digital fallout that could aid a Russian land invasion and ripple outward to disrupt businesses and governments around the world.
The wiper malware—this version is being called HermeticWiper by researchers—could mark an escalation in cyberattacks against various Ukrainian targets, security experts said. Websites of government agencies and banks were disrupted on Wednesday, and on Thursday, that of the Kyiv Post, an English-language newspaper.
Researchers at Symantec, a division of Broadcom Inc., on Wednesday identified three organizations targeted by the wiper strain: a Ukrainian financial-services firm and two Ukrainian government vendors.
At each of the three, multiple machines were affected, said Vikram Thakur, technical director at Symantec Threat Intelligence. The targeted machines spanned Ukraine and the nearby Baltic states of Latvia and Lithuania, he added.
One government contractor located in Lithuania had been compromised since at least Nov. 12, according to Symantec, while hackers also penetrated a Ukrainian organization on Dec. 23. In several incidents observed by Symantec, the attackers used the wiper malware alongside ransomware, which generally is used to lock up data, not destroy it.
“It appears likely that the ransomware was used as a decoy or distraction from the wiper attacks,” Symantec said in a blog post.
On Wednesday, Slovakia-based cyber firm ESET said it also detected the wiper strain on hundreds of machines in Ukraine, adding that timestamps indicated the malware had been created nearly two months ago in preparation for deployment.
Jean-Ian Boutin, head of ESET Threat Research, said the targets included “large organizations,” but declined to comment further.
“We cannot give attribution based on information that is available to us, but the attack appears to be related to the ongoing crisis in Ukraine,” he said.
The discoveries Wednesday follow a surge in cyberattacks against various Ukrainian targets in recent weeks. Some of Ukraine’s government and banking websites were offline or struggling to load for users Wednesday in what a senior Ukrainian official said was a new volley of malicious cyber activity targeting the nation.
On Thursday, the Kyiv Post said on Twitter its main site had faced disruptions “from the moment Russia launched its military offensive against Ukraine.”
Ukraine’s State Service of Special Communications and Information Protection didn’t respond to requests for comment.
Cybersecurity experts say such incidents, coupled with disinformation campaigns, may be intended to create confusion among Ukrainians and sow distrust in their government as part of a broader invasion. On Thursday, Russian airstrikes hit dozens of cities, including Kyiv, while armored columns pushed into Ukrainian territory on multiple fronts.
Ukraine has faced a barrage of cyberattacks this year, according to the government’s Computer Emergency Response Team, incursions that came as the Kremlin massed some 190,000 troops on the country’s borders. CERT members responded to 436 such incidents through Feb. 17, some of them deemed critical, up from 64 over the same period in 2021.
In January, hackers defaced dozens of government websites and implanted a wiper malware known as WhisperGate in at least two state agencies’ computer systems. Last week, attackers turned a firehose of traffic toward websites of the Ukrainian military and state-owned banks, temporarily disabling them.
Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technologies, attributed the distributed denial-of-service attack last week to Russian military intelligence.
The incident could be “laying the groundwork for more disruptive cyberattacks accompanying a potential further invasion of Ukraine’s sovereign territory,” Ms. Neuberger said last week. A spokeswoman for the National Security Council didn’t respond to a request for comment.
Russia has routinely denied launching cyberattacks against Ukraine or any other country. Still, the Biden administration has promised to provide cyber support across the region, while the European Union this week activated a rapid-response team to help contain any incidents.
In 2017 the NotPetya incident in Ukraine, attributed by Western governments to Russian-linked hackers, created both short- and long-term difficulties for global firms, from disruptions to their daily operations to disputes with insurers over whether the hacks were covered by their policies.
“There’s no saying where a nation’s projection of force doesn’t stray—from the Ukraine to other areas—when it comes to the cyber domain,” said Kevin Mandia, chief executive of U.S. cybersecurity firm Mandiant Inc., said in an interview earlier this week.
The U.S. Cybersecurity and Infrastructure Security Agency has made repeated warnings in recent weeks, urging businesses to empower chief information security officers in senior leadership discussions, lower thresholds for reporting suspicious activity and practice incident-response plans.
On Thursday morning, CISA Director Jen Easterly tweeted a Wired magazine article on the 2017 NotPetya hack, which emanated from a Ukrainian accounting firm and caused billions in lost sales and other damage to businesses including FedEx Corp. and Merck & Co. Inc.
“While there are no specific threats to the U.S. at this time, all orgs must be prepared for cyberattacks, whether targeted or not,” Ms. Easterly wrote.
The alerts have pushed some U.S. businesses—even those with no presence in Ukraine—to more closely vet their technology vendors. Security teams should also back up key data and aggressively monitor their networks for unusual activity, said Rinki Sethi, the former chief information security officer for Twitter Inc.
Referring to the Biden administration’s recent advice, she said, “Companies are taking it as a serious warning.”
Write to David Uberti at [email protected] and Dustin Volz at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
