
Microsoft links Russian military to cyber-attacks in Poland and Ukraine


    Microsoft on Thursday pointed to Russian military intelligence as the likely culprit of ransomware attacks last month that targeted Polish and Ukrainian transport and logistics organizations.

    If the assessment by members of the Microsoft Security Threat Intelligence Center (MSTIC) is correct, it could be a cause for concern for the US government and its European counterparts. Poland is a member of NATO and a staunch supporter of Ukraine in its effort to repel an unprovoked Russian invasion. The hacking group the software company linked to the cyberattacks, known as Sandworm in wider investigative circles and as Iridium within Microsoft, is one of the world's most skilled and destructive, and is widely believed to be backed by the GRU, Russia's military intelligence agency.

    Sandworm has been definitively linked to the 2017 NotPetya wiper attacks, a global outbreak that caused $10 billion in damage, according to a White House assessment, making it the costliest hack in history. Sandworm has also been definitively linked to hacks on Ukraine's power grid that caused widespread outages in December 2015 and again in December 2016, in the coldest months of the year.

    Enter Prestige

    Last month, Microsoft said transport and logistics organizations in Poland and Ukraine had been targeted by cyberattacks that used never-before-seen ransomware calling itself Prestige. The threat actors, Microsoft said, already had control of the victim networks before the ransomware was deployed. Then, on October 11, the attackers deployed Prestige across all of the victims within a single hour.

    Once running, the ransomware crawled through the files on the infected computer and encrypted the contents of files ending in .txt, .png, .gpg, and more than 200 other extensions, appending .enc to each file's existing extension. Microsoft initially attributed the attack to a previously unknown threat group it tracked as DEV-0960.

    On Thursday, Microsoft updated the report to say that, based on forensic artifacts and overlaps in victimology, tradecraft, capabilities, and infrastructure, investigators had determined that DEV-0960 was very likely Iridium.

    “The Prestige campaign may reveal a measured shift in Iridium’s destructive attack calculus, indicating an increased risk to organizations delivering or transporting humanitarian or military aid directly to Ukraine,” MSTIC members wrote. “More generally, it could pose an increased risk to organizations in Eastern Europe that could be viewed by the Russian state as support related to the war.”

    Thursday's update further said that the Prestige campaign is distinct from destructive attacks in the past two weeks that have used malware tracked as AprilAxe (ArguePatch)/CaddyWiper or Foxblade (HermeticWiper) against multiple critical infrastructure organizations in Ukraine. While the researchers said they still don't know which threat group is behind those attacks, they now have enough evidence to point to Iridium as the group behind the Prestige attacks. Microsoft is in the process of notifying customers "impacted by Iridium but not yet ransomed," they wrote.

    To underline the sophistication of the attacks, Iridium members used multiple methods to deploy Prestige on the targeted networks. They include:

    Windows scheduled tasks

    encoded PowerShell commands

    the Default Domain Group Policy Object

    "Most ransomware operators develop a preferred set of tradecraft for their payload implementation and execution, and this tradecraft is generally consistent across victims unless a security configuration prevents their preferred method," explained MSTIC members. "In this Iridium activity, the methods used to deploy the ransomware in the victim environments varied, but it does not appear to be due to security configurations that prevent the attacker from using the same techniques. This is especially noteworthy because the ransomware deployments all happened within an hour."
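    As an added illustration of how a defender could hunt for the three deployment techniques listed above (this is example code written for this page, not code from Microsoft's report or from the article), the PowerShell script below checks a host for recently registered scheduled tasks or tasks that run a binary dropped directly under C:\Windows (the root of the ADMIN$ share), decodes any -EncodedCommand payloads found in process-creation and script-block events, and looks for startup scripts or scheduled-task preferences recently added to the Default Domain Policy in SYSVOL. It assumes Security event 4688 command-line auditing and PowerShell script-block logging (event 4104) are enabled, that the caller runs elevated and can read SYSVOL, and that the 24-hour lookback window, the path heuristic, and the list of GPO files it checks are the author's own choices rather than published indicators.

```powershell
<#
  Added hunting example, not Microsoft's or the article's code. Run elevated on a
  domain-joined host. Assumes 4688 command-line auditing and script-block logging
  are on and that SYSVOL is readable. Lookback window, path heuristic and GPO file
  list are the author's own assumptions, not published Prestige indicators.
#>
param(
    [int]$LookbackHours = 24,
    [string]$Domain = $env:USERDNSDOMAIN
)
$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Scheduled tasks: flag tasks registered inside the window, or whose action runs
#    an executable sitting directly under C:\Windows or a remote ADMIN$ share, which
#    is where a payload copied over SMB lands (expect some noise from built-ins such
#    as C:\Windows\explorer.exe; review rather than act on these automatically).
function Find-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        $created = $null
        if ($task.Date) { try { $created = [datetime]$task.Date } catch {} }
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # COM-handler actions carry no Execute path
            $recent = $created -and ($created -gt $since)
            $fromAdminShare = $exe -match '^(C:\\Windows|\\\\[^\\]+\\ADMIN\$)\\[^\\]+\.exe$'
            if ($recent -or $fromAdminShare) {
                [pscustomobject]@{
                    Technique = 'ScheduledTask'
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Created   = $created
                    LastRun   = $info.LastRunTime
                }
            }
        }
    }
}

# 2. Encoded PowerShell: find -e/-enc/-EncodedCommand invocations in Security 4688
#    (process command line) and PowerShell/Operational 4104 (script block text) and
#    decode the UTF-16LE base64 payload so the analyst can read what actually ran.
function Find-EncodedPowerShell {
    $events = @()
    try { $events += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction Stop } catch {}
    try { $events += Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$since} -ErrorAction Stop } catch {}
    foreach ($e in $events) {
        if ($e.Message -match '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})') {
            $blob = $Matches[1]
            $decoded = '<not valid base64>'
            try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($blob)) } catch {}
            [pscustomobject]@{
                Technique = 'EncodedPowerShell'
                Time      = $e.TimeCreated
                EventId   = $e.Id
                Encoded   = $blob.Substring(0, [Math]::Min(40, $blob.Length)) + '...'
                Decoded   = $decoded
            }
        }
    }
}

# 3. Default Domain Policy: the GPO has the well-known GUID below in every domain.
#    Flag a recent GPT.INI bump (version change) and any recently written startup
#    script or scheduled-task preference file under its Machine folder.
function Find-DefaultDomainPolicyDeployment {
    if (-not $Domain) { return }
    $gpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    $gpoRoot = "\\$Domain\SYSVOL\$Domain\Policies\$gpoGuid"
    if (-not (Test-Path $gpoRoot)) { return }
    $watch = @('GPT.INI',
               'Machine\Preferences\ScheduledTasks\ScheduledTasks.xml',
               'Machine\Scripts\scripts.ini',
               'Machine\Scripts\psscripts.ini',
               'Machine\Scripts\Startup')
    foreach ($rel in $watch) {
        $p = Join-Path $gpoRoot $rel
        if (-not (Test-Path $p)) { continue }
        Get-ChildItem $p -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $since } |
            ForEach-Object {
                [pscustomobject]@{ Technique = 'DefaultDomainGPO'; File = $_.FullName; Modified = $_.LastWriteTime }
            }
    }
}

$findings = @(Find-SuspiciousScheduledTask) + @(Find-EncodedPowerShell) + @(Find-DefaultDomainPolicyDeployment)
if ($findings) { $findings | Format-List } else { "No findings in the last $LookbackHours hours." }
```

    Save it as a .ps1 and run it from an elevated prompt; widen -LookbackHours when the deployment window is uncertain. The three checks deliberately mirror the point MSTIC makes above: a single intrusion that uses all three mechanisms within an hour should surface in more than one of these result sets on the same hosts, which is itself a useful signal.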

    The post contains technical indicators that can help defenders determine whether they have been targeted.