Destructive malware used against Ukraine: Microsoft

Evidence of a destructive malware operation targeting multiple organisations in Ukraine has been identified by Microsoft Threat Intelligence Center (MSTIC). On January 13, MSTIC identified intrusion activity originating from Ukraine that appeared to be possible Master Boot Records (MBR) Wiper activity, it said in a blogpost.

“During our investigation, we found a unique malware capability being used in intrusion attacks against multiple victim organisations in Ukraine,” it said. 

The malware is designed to appear like a ransomware but do not have a ransom recovery mechanism. It is made to be destructive, wherein it can inflict the targeted devices inoperable rather than to extract ransom, said MSTIC.     

While the investigation is on, MSTIC has not found any notable association between this observed activity tracked as DEV-0586, and other known activity groups. 

“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organisations, all based in Ukraine,” said a Microsoft blog.  

“We do not know the current stage of this attacker’s operational cycle or how many other victim organisations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organisations are reporting,” it added. 

According to MSTIC, it is not able to gauge the intent of the identified destruction actions but “does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine.”