Microsoft detected cyber-attacks launched against Ukraine just hours before Russia’s tanks & missiles began to rain down.
“As tanks rolled into Ukraine, so did malware,” summarised humanitarian author Andreas Harsono, referring to the novel malware that Microsoft has named Fox Blade.
Digital Infrastructure
The company reported that its Threat Intelligence Centre (MSTIC) had detected cyber-attacks launched against Ukraine’s digital infrastructure hours before Russia’s tanks & missiles began to pummel the country on Thurs.
“Several hours before the launch of missiles or movement of tanks on Feb. 24, Microsoft’s Threat Intelligence Centre (MSTIC) detected a new round of offensive & destructive cyber-attacks directed against Ukraine’s digital infrastructure,” Microsoft President & Vice-Chair Brad Smith said.
Technical Advice
“We immediately advised the Ukrainian Govt. about the situation, including our identification of the use of a new malware package (which we denominated Fox Blade), & provided technical advice on steps to prevent the malware’s success.”
Smith stated that within 3 hours of discovering Fox Blade, Microsoft had added new signatures to its Defender anti-malware service to detect the malware.
Specifics
Microsoft has issued a Security Intelligence advisory about Fox Blade, which is a novel trojan.
While the company shared neither technical specifics nor details about how Fox Blade achieves initial access on targeted machines, the advisory did explain that “This trojan can use your PC for distributed denial-of-service (DDoS) attacks without your knowledge.”
Such attacks topped 1,000s daily in Q3 and were expected to keep growing, Kaspersky researchers reported in Nov. 2021.
Beyond launching DDoS attacks, Fox Blade also downloads & installs other programs – including other malware – onto infected systems, Microsoft advised.
‘Precisely Targeted’
The cyber-attacks – which were ongoing, Smith explained – were “precisely targeted,” unlike the indiscriminate malware splattered in the NotPetya attack. The NotPetya cyber-attack targeted 100s of firms & hospitals worldwide in 2017, including Ukraine’s power grid.
In 2020, the US Department of Justice (DOJ) charged 6 Russian nationals for their alleged part in the Ukraine and other cyber-attacks.
Regardless of the targeted nature of the current cyber-attacks on Ukraine, Smith outlined that Microsoft is still “especially concerned” about recent cyber-attacks aimed at Ukrainian civilian digital targets that have been more wide-ranging, including those fired at the financial sector, agriculture sector, emergency response services, humanitarian aid efforts, & energy sector organisations & enterprises.
Geneva Convention
“These attacks on civilian targets raise serious concerns under the Geneva Convention, & we have shared information with the Ukrainian Govt. about each of them,” Smith observed.
Microsoft has also advised the Ukrainian Govt. about recent cyber efforts to steal a range of personally identifiable information (PII), including PII related to health, insurance, transportation & other govt. data.
Microsoft also passed on threat intelligence & defensive strategies to Ukraine’s government so that it could better defend against attacks on military institutions & manufacturers & several other Ukrainian govt. agencies.
“This work is ongoing,” Smith commented.
Ongoing Cyberwar
Microsoft’s news about Fox Blade comes as just 1 of a continuing range of cyber assaults targeting both Ukraine & Russia: a barrage that has included the Conti ransomware gang proclaiming that it is pro-Russia.
The extortionists put out a warning in their blog, threatening to use Conti’s “full capacity” to retaliate in the face of “Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking part of the world.”
A pro-Ukraine Conti ransomware gang member subsequently revealed 13 months of the ransomware group’s chats, promising more.
‘Hermetic Wiper’
ESET & Broadcom’s Symantec also reported that they had discovered a new data wiper malware dubbed Hermetic Wiper, which has been used against 100s of machines in Ukraine. One of the malware samples was compiled back on Dec. 28, pointing to the attacks having been readied 2 months earlier.
On Jan. 13, a destructive wiper malware – posing as ransomware – named Whisper Gate began to target Ukrainian organisations: an attack that analysts observed was probably part of Russia’s bigger effort to undermine Ukraine’s sovereignty.
In mid-Feb., institutions central to Ukraine’s military & economy – including govt. & banking websites – were hit with a wave of DDoS attacks.
CISA’s Take-Shelter Advice
The US Cybersecurity & Infrastructure Security Agency (CISA) last week warned that such attacks could spill over Ukraine’s borders.
“Destructive malware can present a direct threat to an organisation’s daily operations, impacting the availability of critical assets & data,” CISA said.
“Further disruptive cyber-attacks against organisations in Ukraine are likely to occur & may unintentionally move over to organisations in other countries.”
Other threats related to the Ukraine/Russia war include the usual threat actors who exploit headlines, trading on the haze & confusion of war. Malwarebytes has found malicious email with the subject line “Microsoft account unusual sign-in activity.”
US CISA
The US CISA provided this list of “Immediate Shields Up Actions” to protect against this wide range of cyber threats:
- Patch vulnerabilities.
- Use MFA.
- Run antivirus.
- Enable strong spam filters to prevent phishing emails from reaching end users.
- Disable ports & protocols that are not essential.
- Strengthen controls for cloud services.