Published 13:37 IST, January 16th 2022

Microsoft discloses malware attack on Ukraine govt networks


BOSTON (AP) — Microsoft said late Saturday that dozens of computer systems at an unspecified number of Ukrainian government agencies have been infected with destructive malware disguised as ransomware, a disclosure suggesting an attention-grabbing defacement attack on official websites was a diversion. The extent of the damage was not immediately clear.

The attack comes as the threat of a Russian invasion of Ukraine looms and diplomatic talks to resolve the tense stand-off appear stalled.


Microsoft said in a short blog post that amounted to the clanging of an industry alarm that it first detected the malware on Thursday. That would coincide with the attack that simultaneously took some 70 government websites temporarily offline.

The disclosure followed a Reuters report earlier in the day quoting a top Ukrainian security official as saying the defacement was indeed cover for a malicious attack.


Separately, a top private sector cybersecurity executive in Kyiv told The Associated Press how the attack succeeded: The intruders penetrated the government networks through a shared software supplier in a so-called supply-chain attack in the fashion of the 2000 SolarWinds Russian cyberespionage campaign targeting the U.S. government.

Microsoft said in a different, technical post that the affected systems “span multiple government, non-profit, and information technology organizations.” It said it did not know how many more organizations in Ukraine or elsewhere might be affected but said it expected to learn of more infections.


“The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable,” Microsoft said. In short, it lacks a ransom recovery mechanism.

Microsoft said the malware “executes when an associated device is powered down,” a typical initial reaction to a ransomware attack.


Microsoft said it was not yet able to assess the intent of the destructive activity or associate the attack with any known threat actors. The Ukrainian security official, Serhiy Demedyuk, was quoted by Reuters as saying the attackers used malware similar to that used by Russian intelligence. He is deputy secretary of the National Security and Defense Council.

A preliminary investigation led Ukraine's Security Service, SBU, to blame the web defacement on “hacker groups linked to Russia's intelligence services.” Moscow has repeatedly denied involvement in cyberattacks against Ukraine.

Tensions with Russia have been running high in recent weeks after Moscow amassed an estimated 100,000 troops near Ukraine’s border. Experts say they expect any invasion would have a cyber component, which is integral to modern “hybrid” warfare.

Demedyuk told Reuters in written comments that the defacement “was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.” The story did not elaborate and Demedyuk could not immediately be reached for comment.

Oleh Derevianko, a leading private sector expert and founder of the ISSP cybersecurity firm, told the AP he did not know how serious the damage was. He said also unknown is what else the attackers might have achieved after breaking into KitSoft, the developer exploited to sow the malware.

In 2017, Russia targeted Ukraine with one of the most damaging cyberattacks on record with the NotPetya virus, causing more than $10 billion in damage globally. That virus, also disguised as ransomware, was a so-called “wiper” that erased entire networks.

Ukraine has suffered the unfortunate fate of being the world's proving ground for cyberconflict. Russian state-backed hackers nearly thwarted its 2014 national elections and briefly crippled parts of its power grid during the winters of 2015 and 2016.

In Friday's mass web defacement, a message left by the attackers claimed they had destroyed data and placed it online, which Ukrainian authorities said had not happened.

The message told Ukrainians to “be afraid and expect the worst.”

Ukrainian cybersecurity professionals have been fortifying the defenses of critical infrastructure since 2017, with more than $40 million in U.S. assistance. They are particularly concerned about Russian attacks on the power grid, rail network and central bank.
