WASHINGTON — Microsoft warned Saturday night that it had detected a highly destructive form of malware in dozens of government and private computer networks in Ukraine that appeared to be waiting to be activated by an unknown actor.
In a blog post, the company said that on Thursday — around the same time that government agencies in Ukraine discovered their websites had been breached — researchers overseeing Microsoft’s global networks discovered the code. “These systems include multiple government, non-profit and information technology organizations, all based in Ukraine,” Microsoft said.
The code appears to have been put in place around the time Russian diplomats, after three days of meetings with the United States and NATO over the massive Russian troop buildup on the Ukrainian border, declared that the talks had essentially reached a dead end.
Ukrainian officials blamed a group in Belarus for the defacement of their government websites, though they said they suspected Russian involvement. But early attribution of attacks is often wrong, and it was unclear whether the defacement was related to the far more destructive code Microsoft said it had detected.
Microsoft said it could not yet identify the group behind the break-in, but it did not appear to be an attacker its investigators had seen before.
The code, as described by the company’s researchers, is intended to look like ransomware: it locks up the computer’s functions and data and demands payment to restore them. But there is no infrastructure to accept the money, leading the researchers to conclude that the goal is to inflict maximum damage, not to raise funds.
It is possible that the destructive software has not yet spread widely and that Microsoft’s disclosure will make it harder for the attack to spread further. But it is also possible that the attackers are now launching the malware and trying to destroy as many computers and networks as possible.
Warnings like Microsoft’s can help abort an attack before it happens, if computer users manage to eradicate the malware before it fires. But such warnings can also be risky. Exposure changes the calculus for the culprit, who, once discovered, may have nothing to lose by launching the attack just to see what destruction it wreaks.
For President Vladimir V. Putin of Russia, Ukraine has often been a testing ground for cyber weapons.
An attack on Ukraine’s Central Electoral Commission during the 2014 presidential election, in which Russia unsuccessfully attempted to change the outcome, proved to be a model for Russian intelligence; the United States later discovered that the same actors had infiltrated the servers of the Democratic National Committee in the United States. In 2015, the first of two major attacks on Ukraine’s electricity grid left the lights out for hours in several parts of the country, including the capital, Kiev.
And in 2017, businesses and government agencies in Ukraine were hit by the destructive software known as NotPetya, which exploited holes in a tax preparation program widely used in the country. The attack shut down parts of the economy and also hit FedEx and the shipping company Maersk; US intelligence agencies later traced it to Russian actors. That software, at least in its overall design, bears some resemblance to what Microsoft warned about on Saturday.
The new attack would wipe hard drives and destroy files. Some defense experts have said such an attack could be a prelude to a ground invasion by Russia. Others think it could take the place of an invasion, if the attackers believed a cyberattack would not trigger the kind of major sanctions President Biden has vowed to impose in response.