Whispergate Malware Targets Ukrainian Government Sites as Diplomatic Talks Falter

Can cyber-attacks shape battlefield events and be used as a coercive tactic in prelude to, or in support of, physical conflict?

Approximately 70 Ukrainian Government websites have recently been brought down by a destructive malware masquerading as ransomware. The cyber-attack coincides with the breakdown of diplomatic talks between the NATO alliance and Russia over Russia’s deployment of over 100,000 troops on its border with Ukraine.

On January 15 2022, the Microsoft Threat Intelligence Center (MSTIC) detailed evidence of the destructive wiper malware impacting several government, non-profit, and information technology organisations based in Ukraine. The activity, tracked by the MSTIC as DEV-0586 and dubbed Whispergate (the MSTIC uses DEV-#### designations for unknown and emerging threats), has not been officially associated with any known Advanced Persistent Threats (APTs). However, Kyiv believes a group associated with Belarusian intelligence, UNC1151, may be involved and working with Russia, a close ally of Belarus.

Supply Chains Again Exploited as an Attack Vector

As a supply chain attack, the activity appears to have originated with the breach of Ukrainian company Kitsoft, which “develops and implements digital technologies for state authorities and commercial organisations”. Sapien Cyber has found that the Kitsoft website is also offline at the time of writing (January 17, 2022). The MSTIC has asserted that the known impacted assets are unlikely to represent the full scale of the attack.

The malware is being described as a “Master Boot Records (MBR) Wiper” with unique capabilities, but similar to malware used by groups tied to Russian intelligence, according to Serhiy Demedyuk, the Ukrainian deputy secretary of the national security and defence council. Ukrainian officials have also asserted that recent attacks defacing Ukrainian government websites and attributed to UNC1151 were likely a diversionary tactic designed to draw attention away from the much more destructive DEV-0586 (or Whispergate) activity.

Ransom as a Ruse

According to the Microsoft Threat Intelligence Center, the malware operates in two stages: it first overwrites the Master Boot Record (MBR) with a ransom note, then downloads a file-corruptor payload from a Discord channel that overwrites files with common extensions. The initial malware “resides in various working directories, including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is often named stage1.exe”, while stage2.exe is the downloader for the file-corruptor malware. Typically, a ransomware-infected machine is shut down immediately to prevent further file encryption; in this instance, however, that shutdown appears to be exactly the response the threat actors anticipate, and it is the trigger that activates the malware in full.

The MBR is a section of a computer’s hard drive that holds the instructions needed to load an operating system. Corruption of the MBR is commonly known as “bricking”, leaving the affected machine unable to power on or function normally. In the case of the DEV-0586 (or Whispergate) malware, the ransom note appears to be a ruse: the MBR is overwritten rather than files being encrypted, as is seen in traditional ransomware.
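As an added illustration, not code from the article or from the MSTIC report, the following Python check can be run over a forensic copy of sector 0 to tell an intact MBR from one whose boot code has been replaced by note text and whose partition table has been destroyed; the two sample sectors are constructed for the demonstration.

```python
"""Inspect a 512-byte MBR image for signs of a ransom-note overwrite."""
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(mbr: bytes) -> list:
    """Return the four 16-byte partition-table entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like ASCII text (a note does; x86 boot code mostly does not)."""
    text = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return text / len(data) if data else 0.0


def assess_mbr(mbr: bytes) -> dict:
    """Flag an MBR whose boot code is now text and/or whose partition table is empty."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a 512-byte MBR image")
    parts = parse_partitions(mbr)
    has_partition = any(p["type"] != 0 and p["sectors"] > 0 for p in parts)
    result = {
        "signature_ok": mbr[510:] == BOOT_SIGNATURE,
        "has_partition": has_partition,
        "text_ratio": round(printable_ratio(mbr[:PART_TABLE_OFFSET]), 2),
    }
    # Real boot code carries only a few short error strings (ratio well under 0.5);
    # a note-overwritten MBR is almost all ASCII and typically loses its partition table.
    result["suspected_wipe"] = result["text_ratio"] > 0.8 or not has_partition
    return result


def constructed_healthy_mbr() -> bytes:
    """Constructed sample: opaque boot-code bytes, one active NTFS partition, valid signature."""
    code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06"
    bootstrap = (code * 27)[:PART_TABLE_OFFSET]
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 2_000_000) + b"\x00" * 48
    return bootstrap + table + BOOT_SIGNATURE


def constructed_wiped_mbr() -> bytes:
    """Constructed sample: bootstrap area replaced by placeholder note text, table zeroed."""
    note = b"THIS IS A CONSTRUCTED RANSOM NOTE PLACEHOLDER. " * 10
    return note[:PART_TABLE_OFFSET] + b"\x00" * 64 + BOOT_SIGNATURE
```

On a live system the same 512 bytes can be read from the raw disk device and passed to `assess_mbr`, which makes the check usable as a quick triage step before any reboot.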

Coercive Tactic or Disruptive Attack as a Prelude to Physical Conflict?

In a 2017 research paper titled Invisible Digital Front: Can Cyber Attacks Shape Battlefield Events?, the authors discussed the impact of the December 2015 cyber-attack on the Ukrainian power grid, attributed to a Russian hacking group known as “Sandworm”, on physical conflict. Although the authors argued that cyber-attacks fail “to compel discernible changes in battlefield behaviour”, it appears that cyber-attacks on critical infrastructure and essential services are increasingly being employed by some nation-states as a coercive tactic in prelude to, or in support of, physical conflict.