Last week, hackers defaced the websites of more than 70 government agencies, according to Viktor Zhora, deputy chief of Ukraine’s State Service of Special Communication and Information Protection. More worryingly, the hackers also installed destructive “wiper” software designed to render computer systems inoperable in at least two government agencies, he said.
Russia has denied any involvement in the cyberattacks.
The attack was at least several weeks in the making, and perhaps more, according to experts. Mr. Zhora said the first signs of a hack date back to late 2021. Data from Cisco Systems Inc. shows that the software was present in some networks even earlier. Cisco initially traced the intrusion to November, but on Thursday, the company said new data analysis indicated it may have begun in late summer, according to Matthew Olney, Cisco’s director of threat intelligence and interdiction.
The discovery of the wiper software, dubbed WhisperGate by Microsoft Corp. , is “particularly alarming,” because previous outbreaks of this type of software have caused world-wide disruptions, the U.S. Cybersecurity and Infrastructure Security Agency warned on Tuesday.
Some security researchers worry the attacks might presage a larger operation, but so far, the hacks are notable for how limited they appear, and amount to a fraction of the damage—or sophistication—Western officials believe Moscow is capable of inflicting on Ukraine.
President Biden said Russian President Vladimir Putin may opt for “something significantly short of a significant invasion” during a news conference Wednesday, and he cited cyberattacks as an example of a “minor incursion” that might not prompt as strong of a response from the U.S. and its allies.
After the news conference, White House press secretary Jen Psaki said in a statement that Mr. Biden “knows from long experience that the Russians have an extensive playbook of aggression short of military action, including cyberattacks and paramilitary tactics. And he affirmed today that those acts of Russian aggression will be met with a decisive, reciprocal, and united response.”
Dmitry Peskov, Mr. Putin’s press secretary, said on CNN earlier this week that Russia had “nothing to do” with the hacks. A spokesman with the Russian Embassy in Washington didn’t return messages seeking comment.
While Ukrainian officials said they believe the intrusions were carried out by the Kremlin or at least sponsored by Moscow, experts tracking the intrusions say they have unearthed no technical details yet of the attack definitively linking it to Russia or its proxies.
Oleksiy Danilov, secretary of Ukraine’s National Security and Defense Council, said in an interview Tuesday the cyberattacks could have been carried out by a Belarusian group working with or at the behest of Russia, which has strong control over its neighbor.
Either way, “we are sure that Russia is behind it,” he said. “They are one space,” he said of Russia and Belarus. Belarus’s Embassy in Washington didn’t respond to emails seeking comment.
A convoy of Russian armored vehicles moving along a highway in Crimea in January.
Photo: /Associated Press
The timing of the attacks occurred as Russia has amassed tens of thousands of troops at Ukraine’s border and demanded the North Atlantic Treaty Organization give a binding guarantee never to grant the former Soviet republic membership.
“Cyberwar and cyber aggression is part of general aggression against Ukraine by the Kremlin,” said Mr. Zhora of Ukraine. Dozens of individual government computers have been affected by the WhisperGate wiper malware, though it remains unclear how the hackers gained initial access into the targeted systems, he said.
WhisperGate was designed to look like ransomware, but its true purpose was to destroy systems, say security experts who have analyzed the code. It renders systems inoperable whether its ransom demand is paid or not, they say.
That makes it similar to a devastating 2017 worm known as NotPetya that began in Ukraine before unfurling across Europe and the globe, wreaking havoc that cost some companies hundreds of millions in damages. But there are important differences between the two.
Overall, WhisperGate is a less sophisticated piece of software than NotPetya, said Anton Cherepanov, a researcher with the antivirus company ESET. NotPetya made a much better use of encryption to conceal its purpose from security researchers, he said.
Another difference: Unlike WhisperGate, NotPetya was designed to spread as a computer worm from computer-to-computer,
NotPetya infected more than 12,500 computers in Ukraine, according to Microsoft. WhisperGate affected only a few dozen systems within Ukraine’s government, Mr. Zhora said.
“The piece it is missing is scale,” said John Hultquist, director of intelligence analysis at the U.S.-based cyber intelligence firm Mandiant who has tracked Russia’s most destructive hacking teams.
Mr. Hultquist said NotPetya and other major attacks linked to Russia have typically either disrupted critical infrastructure, leading to widespread impact, or relied on either a supply-chain hack or strategic web compromise to infect scores of victims. The recent activity in Ukraine so far appears to lack either of those components, though it is possible those elements exist but haven’t been activated yet, he said.
The aim of the attack might have been to demoralize Ukraine rather than destroy computers, said Thomas Rid, professor of strategic studies at Johns Hopkins University. It appears that “the goal here is to inject uncertainty, to inject a little bit of panic” within Ukraine, he said.
Mr. Zhora said the government agencies hit with the WhisperGate software were very important but not related to the operations of critical infrastructure.
The Ukrainian government is exploring several theories as to how it occurred, including a vulnerability in government systems or a hack of a trusted supplier, Mr. Zhora said.
Kitsoft, a Kyiv-based company that manages websites for the Ukrainian government, had about 30 of its customers hit during the cyberattack, a spokeswoman for the company said. “The infrastructure of Kitsoft was also damaged during the hacker attack,” she said.
The Biden administration during the past week has issued warnings to U.S. critical-infrastructure operators and some businesses—especially those that work with Ukrainian organizations—about potential spillover consequences of the tensions between Moscow and Kyiv.
Mr. Zhora said Ukraine was on guard for more attacks, but conceded: “I cannot say we are well-prepared because you cannot get in [Mr. Putin’s] brain and predict his actions.”
—James Marson contributed to this article.
Write to Robert McMillan at Robert.Mcmillan@wsj.com and Dustin Volz at dustin.volz@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
