WhisperGate: New type of malware attack in Ukraine
by Tina Siering
What is WhisperGate?
The first reports of cyberattacks in Ukraine emerged during January 13. In the following days, reports of attacks following the same pattern increased. Numerous websites and networks, especially those of authorities and government organizations in Ukraine, fell victim to the attack within a few days. In response to the threat, the authorities themselves shut down more websites and online services. By disconnecting them from the network, IT security officials wanted to prevent hackers from gaining access to the systems in case they were also compromised.
As a result, either due to the attack itself or the voluntary shutdown of systems, many government digital services in Ukraine became inaccessible. Among others, the websites of the Ministry of Foreign Affairs, the Security and Defense Council, and the Ukrainian Cabinet were affected.
What malware is used in the WhisperGate attacks?
The malware used in the WhisperGate attacks shows an interesting attack pattern: It presents a short message on the screen of the affected system, which is familiar from extortion letters used in ransomware attacks. In the text, the address of a digital wallet is issued and a request to pay a ransom is displayed. Access to the computer is no longer possible from that point on. The message promises that after the payment, the hackers will release the data again if the owner of the system contacts them via the instant chat messenger Tox.chat, stating the organization name.
However, in fact, there is no way to restore, release or otherwise recover the data on the system. This is because it is not a ransomware at all, as it seems at first glance. Rather, the malware used in WhisperGate belongs to the group of wipers. Wipers are malicious programs programmed to destroy the contents of a hard drive.
WhisperGate has two stages: In the first, it overwrites the hard drive's Master Boot Record (MBR). The MBR is the first sector of a hard drive that contains the information necessary to allow the operating system to boot. Thus, by destroying the MBR, it is initially no longer possible to boot the system or access the operating system.
In the second phase, further malware is loaded. For this purpose, the malware contacts a Discord channel, a communication software that is particularly popular among video gamers. From there, the malware loads a program that is designed to scan the hard drive contents for data with predefined extensions. The actual data stored on the system is still there, at this point, only access via the operating system is blocked. The second phase, on the other hand, searches for documents belonging to Office, data from web servers ending in .php or .html, and all kinds of digital images and databases, for example. An analysis by IT security experts revealed that the second phase searches for 189 different extensions. Found contents are overwritten by the malware with the four bytes 0xCC, thus destroying them irretrievably.
What is the target of the WhisperGate attack?
The first target of the WhisperGate attack is rather easy to identify. Wiper-class malware has the task of causing as much damage as possible. This type of malware is always used when it is necessary to disrupt or even completely interrupt the work of organizations. Another goal is to destroy data as irretrievably as possible. The attackers have no financial interest. Because unlike a ransomware attack, with WhisperGate it is no longer possible to decrypt the data and thus restore it. They are lost forever.
However, what the actual motivation of the perpetrators is in the specific case of the WhisperGate attacks is a matter of dispute among experts. The targets for the attacks were obviously chosen deliberately and carefully. This is evident, on the one hand, from the fact that only networks in Ukraine were affected. On the other hand, the precise selection of the targets also suggests that the victims were deliberately selected. Apparently, the attackers have an interest in disrupting the governmental activity of Ukraine as well as the nationwide authorities. In addition, the fact that the attack was triggered at a specific time also speaks for centralized control of the malware.
Who stands behind the cyberattack?
The second interesting question is who places and controls the malware. This question basically arises with all cyberattacks. Already with ransomware attacks, it is difficult to find the originator behind the attacks. The more sophisticated and targeted the attackers are, the more eager they are to cover their own tracks. This is also the case in the WhisperGate attack.
One assumption is that a state-controlled hacker group is behind the WhisperGate attack. Such incidents are not new, but they are difficult to prove. This is because the actors in such cases are specialists in hacking and IT security, as well as enjoying state protection. Complex networks with command and control servers are used to contact and control the malware, which are so nested that it is impossible to clearly assign them to a specific country or perpetrator. As in this case, when a publicly accessible platform was interposed with Discord, which initially does not allow any conclusions to be drawn about the origin of the attack.
In an initial statement on the incidents, Serhij Demedjuk, the deputy secretary of Ukraine's National Security and Defense Council, expressed suspicions that it could be a state-controlled cyberattack. Thus, Demedjuk informed the public that Ukrainian authorities believe that the UNC1151 hacking group associated with Belarus was behind the cyberattack.
This group is suspected of cooperating with the Belarusian intelligence service and also being involved in state espionage. The suspicion is based on the origins of the malware, which resembles programs previously used by UNC1151. Further suspicions are based on similar analysis and establish a possible connection with the APT29 group. This is also known as Cozy Bear and is suspected of working with the Russian intelligence agency SWR. The suspicions are made in the context of the tense political situation between Ukraine and Russia, which has escalated again in recent months.
Which measures provide protection against these and similar attacks?
In principle, attacks like the WhisperGate case are among the most dangerous cyberthreats. They fall into the category of APTs, or Advanced Persistent Threats. These are complex and targeted attacks that are planned and prepared for a long time. Conventional means of IT security technology, such as antivirus software or strict rules in the firewall, do not prevent APTs or identify attacks in progress.
Only after the malware has become active in the public domain and has accomplished its task do virus software manufacturers have the opportunity to include the malware's signatures in their library. This also happened in the WhisperGate case. Microsoft Threat Intelligence Center started updating its own antivirus solutions immediately after the incident. However, APTs like WhisperGate usually use malware that is specially adapted for this purpose. For this reason, antivirus programs are generally powerless.
The hackers proceed differently in an APT than in large-scale attacks, where the aim is to compromise as many systems as possible. The focus is on a specific victim and the target is also clear before the attack begins. Accordingly, the attackers specifically look for a way to infiltrate the network unnoticed. How long the preparation took at WhisperGate is still unknown.
Early attack detection solutions are needed to defend against such APTs. Specialized IT security defense programs that actively monitor all actions on a network in real time. This is done by directly accessing the logs of databases, routers and other systems, as well as monitoring logins and similar user events. Early attack detection identifies unusual activities in these areas that do not match the normal behavior patterns of users and programs. Current solutions rely on artificial intelligence for this purpose and are capable of learning. This improves the differentiation between regular actions in a network as well as activities that indicate a cyber attack. In such a case, the early attack detection alerts the responsible persons in IT so that an immediate review of the incident is possible.
Such solutions for active early attack detection are not only needed by government institutions. Companies are also increasingly becoming the target of cybercriminals. Those who penetrate a network undetected have plenty of time to put their plans into action. This ranges from espionage as part of white-collar crime to encrypting the entire network using ransomware. Here, attackers not infrequently even manage to find the backup systems in the network and compromise them as well. This is a major disaster for companies and IT managers, because it may no longer be possible to restore the data. In a fully digitized world, this is a disaster. However, early attack detection gives IT the opportunity to stop hackers even before they put their plans into action.
Conclusion on the WhisperGate attack in Ukraine
The cyberattacks on government facilities in Ukraine show once again how important the issue of IT security is for businesses today. Targeted attacks are among the most dangerous threats. The frequency of such attacks is constantly increasing. Classic security technologies such as antivirus software only respond to known threats and are unable to detect active hackers once they have gained access to the network. Therefore, it makes sense to invest in early attack detection to improve the security of digital information on the network.