Hackers who recently unleashed a destructive cyberattack against Ukrainian government networks have been lying in wait for months, according to new findings shared with The Daily Beast—and, cybersecurity analysts said, the attacks seem to have links to the Russian military.
The hackers, who attacked the Ukrainian government this month by releasing data-destroying wiper malware, actually broke in “as far back as late summer 2021” and have been waiting to pounce since, said Matt Olney, the director of threat intelligence and interdiction at Cisco Talos, a cybersecurity research outfit.
“We have a very sophisticated, very capable adversary,” Olney told The Daily Beast. The “adversary is very intent on trying to find a way to advance their political objectives.”
The news comes as Russia has been deploying troops towards Ukraine for months, ratcheting up tensions between the two nations and setting off concerns around the globe that President Vladimir Putin might decide to launch an attack and invade, years after annexing Crimea and backing separatists in Eastern Ukraine.
President Joe Biden said Wednesday he thinks Russia is prepared to “move in” on Ukraine, and the State Department ordered the evacuation of family members at the U.S. Embassy in Kyiv, in a signal that conflict was becoming inevitable.
In the buildup to greater conflict, Biden warned Russia might carry out a multi-pronged attack that could include cyberattacks.
Biden might already be correct.
The destructive malware, which researchers are calling “WhisperGate,” could leave Ukrainian government officials struggling to operate in a crisis, kneecapped before a war even begins.
The news of the attacks comes just as the British government warned Saturday that Putin had drawn up a plan to install a pro-Russia regime in Kyiv in the fog of war.
Governments haven’t officially blamed Russia for the destabilizing hack just yet—but there’s a lot of finger-pointing towards Moscow.
Researchers told The Daily Beast that the malware, although it was disguised to look like ransomware, shares certain traits with destructive wipers from a Russian military intelligence hacking group known as Sandworm, which is tied to the GRU.
In 2015, the hacking group went after Ukraine’s power grid, causing power outages for hundreds of thousands of Ukrainians in the dead of winter.
“What they did right before that [power outage] incident… they actually used this KillDisk wiper,” John Hultquist, Mandiant’s vice president of intelligence analysis, told The Daily Beast. “From the beginning wipers have been a big piece of how these guys operate.”
This tactic—using destructive malware—is a classic Russian move that Moscow has used countless times before as tensions with Ukraine and other countries have sparked.
Russian hackers were behind the sweeping destructive attacks of 2017 known as NotPetya, which caused billions of dollars in damages around the world. Cyberattacks rained down on Georgia in 2008, too, when Russia started a shooting war to go after some territory in the country.
Destabilizing cyber-operations like this in Ukraine could serve as a sinister signal that this is just the opening salvo, Steve Hall, the former CIA chief of Russia operations, told The Daily Beast.
“Any good cyber-intrusion set spends a good amount of time just running around a new network and a system to identify where the weaknesses are to implant itself in a way that can report back to Moscow later on… they can activate whenever they want it to, certainly if the threat of war becomes more likely,” Hall told The Daily Beast.
It wasn’t the first cyber-shakeup in Ukraine this past week. The discovery of the wiper malware, which researchers at Microsoft first observed, came just as hackers plastered a warning across several Ukrainian government websites, including the ministries of Defense and Foreign Affairs: “Be afraid and expect the worst.”
According to preliminary results from a joint investigation from Ukraine’s cybersecurity agency—the State Service for Special Communication and Information Protection—Russia is behind the cyberattack.
U.S. authorities have not officially pinned the blame on any hacking group just yet. But, again, the hit bears similarities to operations from Russian hacking groups, including Sandworm and Fancy Bear—the same band of Russian military hackers that compromised the Hillary Clinton campaign and the Democratic National Committee in 2016—according to Mandiant researchers.
But taken together, the defacement and the wiper malware operations show that the hybrid warfare may be escalating.
“There’s absolutely more to come,” Hall told The Daily Beast. “We’ve seen that as [Russia] prepared the battlefield in the past—we saw it in Georgia… they’ve gotten better and better at it.”