The recent cyber attack in Ukraine has heightened fears in Kiev that Moscow is planning to support a ground invasion with devastating hacks, although some experts remain puzzled by the Kremlin’s intentions.
Last week, hackers breached the websites of more than 70 Ukrainian government agencies, according to Viktor Zora, deputy head of the State Service for Special Communications and Information Protection.
Most worrisome, Zora said, is that the hackers have also installed destructive “scanners” designed to render computer systems inoperable with at least two government agencies.
For its part, Russia denied any involvement in the attack, which was in the process of preparing for at least several weeks, and perhaps more, according to experts. Zora said the first signs of a hack dated back to late 2021.
Data from Cisco Systems Inc shows that the software was present in some networks even before that. The company initially believed the intrusion to date back to November, but returned Thursday to say that new data analysis indicates the intrusion may have started in late summer, according to Matthew Olney, director of threat intelligence and interdiction at Cisco.
The US Cyber Security and Infrastructure Security Agency warned last Tuesday of the discovery of a “particularly worrisome” scanner program called “WhisperGate” by Microsoft because the previous spread of this type of software caused global unrest.
Some security researchers worry that the attacks may herald a larger operation, but so far, the hacks are minimal in damage, and Western officials believe Moscow is capable of harming Ukraine.
Dmitry Peskov, Putin’s press secretary, told CNN earlier this week that Russia had “nothing to do” with the hacking.
While Ukrainian officials have said they believe the incursions were carried out by the Kremlin or at least sponsored by Moscow, experts who track the intrusions say they have not yet disclosed any technical details of the attack to conclusively link it to Russia or its proxies.
The timing of the attacks came as Russia massed tens of thousands of troops on the Ukrainian border and demanded that NATO give a binding guarantee that the former Soviet republic would not be granted membership.
“Electronic warfare and cyber aggression are part of the general aggression against Ukraine by the Kremlin,” he falsely said, explaining that dozens of government computers were affected by the Whispergate malware, although it remains unclear how the hackers gained initial access to the targeted systems.
Weisberget was designed to look like a ransomware, but its real purpose was to destroy systems, say security experts who analyzed the program, warning that it renders systems inoperable whether or not the ransom is paid.
This makes Weissbergite similar to the devastating NotPetya worm that appeared in 2017 and started in Ukraine before spreading across Europe and the world, causing havoc that cost some companies hundreds of millions of dollars, but there are important differences between the two.
In general, Weisberget is a less complex program than NotePetya, notes Anton Cherepanov, a researcher at antivirus company ESET, who says NotePetya used encryption much better to hide from security researchers.
Unlike Weisberget, NotePetia is designed to spread like a computer worm that travels from one computer to another.
NotePetia has infected more than 12,500 computers in Ukraine, according to Microsoft. Zura said Weisberget affected only a few dozen systems within government.
“The missing piece in this attack is the scale,” said John Holtquist, director of intelligence analysis at Mandiant, a cyber-intelligence group. It is known that this US-based company has tracked down the most destructive hacking squad in Russia.
Hultquist noted that NotPetya and other major attacks linked to Russia typically targeted critical infrastructure, resulting in widespread impact, or relied on supply chain hacking or implementing a web-based strategy to infect dozens of victims.
He also said that recent activity in Ukraine so far appears to be lacking in either of these two components, although it is possible that these components exist but have not yet been activated.
For his part, Thomas Reed, professor of strategic studies at Johns Hopkins University, believes that the aim of the attack may have been to demoralize Ukraine rather than destroy computers. He said it seemed that “the goal here is to inject uncertainty, create a little panic” inside the country.
A spokeswoman for Kitsoft, a Kiev-based company that runs government websites, said about 30 of its customers were affected by the latest cyber attack, and the company’s infrastructure was also affected by the attack.
And the administration of US President Joe Biden last week issued warnings to critical infrastructure operators and some companies – especially those working with Ukrainian organizations – about the potential indirect consequences of the tensions between Moscow and Kiev.
He falsely returned recently to say that Ukraine was ready for more attacks, but admits, “I cannot say that we are ready because you cannot enter Putin’s mind and anticipate his actions.”