The attack comes as the threat of a Russian invasion of
Ukraine looms and diplomatic talks to resolve the tense stand-off appear
stalled.
Microsoft said in a short blog post that amounted to the
clanging of an industry alarm that it first detected the malware on Thursday.
That would coincide with the attack that simultaneously took some 70 government
websites temporarily offline.
The disclosure followed a Reuters report earlier in the day
quoting a top Ukrainian security official as saying the defacement was indeed
cover for a malicious attack.
Separately, a top private sector cybersecurity executive in
Kyiv told The Associated Press how the attack succeeded: The intruders
penetrated the government networks through a shared software supplier in a
so-called supply-chain attack, in the fashion of the 2020 SolarWinds Russian
cyberespionage campaign that targeted the U.S. government.
Microsoft said in a different, technical post that the
affected systems “span multiple government, non-profit, and information
technology organizations.” It said it did not know how many more organizations
in Ukraine or elsewhere might be affected but said it expected to learn of more
infections.
“The malware is disguised as ransomware but, if activated by
the attacker, would render the infected computer system inoperable,” Microsoft
said. In short, it lacks a ransom recovery mechanism.
Microsoft said the malware “executes when an associated
device is powered down.” Switching a machine off is a typical first reaction to a
suspected ransomware infection, so the usual response is what triggers the damage.
Microsoft said it was not yet able to assess the intent of
the destructive activity or associate the attack with any known threat actors.
The Ukrainian security official, Serhiy Demedyuk, was quoted by Reuters as
saying the attackers used malware similar to that used by Russian intelligence.
He is deputy secretary of the National Security and Defense Council.