Russia unleashed data-wiper malware on Ukraine, say cyber experts

UK government and banks on alert for new form of electronic attack said to have affected hundreds of machines

Cyber experts have identified a new strain of computer-disabling malware unleashed on Ukrainian targets as part of Russia’s offensive, as the UK government and banks said they were on alert for online attacks.

Russia was widely expected to launch a cyber assault alongside its military campaign, and the run-up to the invasion of Ukraine was marked by the deployment of “wiper” malware. A distributed denial-of-service (DDoS) attack, which paralyses websites by bombarding them with spurious information requests, also hit Ukrainian government sites.

On Thursday, requests for volunteers from Ukraine’s hacker underground began to appear on forums in a bid to help protect critical infrastructure and conduct cyber spying missions against Russian troops, Reuters reported, citing two sources.

“Ukrainian cybercommunity! It’s time to get involved in the cyber defense of our country,” one post read. Yegor Aushev, co-founder of a cybersecurity company in Kyiv, told Reuters he wrote the post at the request of a senior defence ministry official who contacted him on Thursday. Aushev’s firm Cyber Unit Technologies is known for working with Ukraine’s government on the defence of critical infrastructure.

On Wednesday, ESET Research Labs, a Slovakia-based cybersecurity company, said it had detected a new piece of data-wiping malware on hundreds of machines in Ukraine.

ESET said large organisations had been affected, while security experts at Symantec’s threat intelligence team said the malware had affected Ukrainian government contractors in Latvia and Lithuania and a financial institution in Ukraine. ESET has called the malware, which renders computers inoperable by disabling rebooting, HermeticWiper.

The NotPetya attack of 2017, which devastated Ukrainian businesses, was a wiper attack that encrypted computers irretrievably and spilled over into other countries, causing $10bn (£7.5bn) of damage worldwide.

Alexi Drew, a senior analyst at RAND Europe, a research institute, said cyber offensives carried the risk of escalating rapidly if attacks spill over widely into other countries, although in the case of HermeticWiper the malware does not appear to be self-propagating, whereas NotPetya was able to spread. Further attacks, however, could be different, she added. “There’s a history of cyber-attacks not staying where they’re meant to go. If you look at NotPetya, the splash damage there was significant. There is a danger here of escalation because offensive cyber activity is fundamentally not very good at staying where you put it.”

Priti Patel said officials were on alert for cyber-attacks and disinformation campaigns from Moscow. “As we monitor developments, we will be especially mindful of the potential for cyber-attacks and disinformation emanating from Russia,” the home secretary said.

The chief executive of Lloyds Bank, Charlie Nunn, said on Thursday the lender was on “heightened alert … internally around our cyber risk controls, and we’ve been focused on this for quite a while”. Preparation for potential cyber-attacks was discussed in a meeting between the government and banking industry leaders on Wednesday, Nunn added.

According to Symantec, the wiper attack that hit Ukraine this week had been planned for some time. One Ukrainian organisation suffered an initial hack in December last year that was related to the recent attack.

DDoS attacks were also deployed ahead of the military offensive in order to spread confusion, according to the US cybersecurity firm Mandiant. In a DDoS attack, websites are deluged with vexatious requests for information and become unreachable. The targets on Wednesday included the Ukrainian defence ministry and PrivatBank, Ukraine’s largest commercial bank.

“It’s not so much the technical disruption, it’s what it does to undermine confidence, like in the financial sector. It gets people quite nervous. It’s more that kind of secondary impact,” said Jamie Collier, a Mandiant consultant, who described a DDoS as akin to stuffing a thousand envelopes through a letterbox every second.

However, Dr Lennart Maschmeyer at the Center for Security Studies at the Swiss university ETH Zurich, said Russia’s cyber strategy so far seemed more improvised. “A plausible scenario for more devastating cyber-attacks was that Russia had planned this invasion for a long time, and prepositioned implants across Ukraine’s critical infrastructure in order to cause mass disruptions coinciding with the military invasion. That does not seem to be the case. The cyber operations we have seen do not show long preparation, and instead look rather haphazard,” he said.

The headline and text of this article were amended on 24 February and 3 March 2022 to make clear that this was a malware incident affecting machines, not a virus.


Dan Milmo Global technology editor
