The Washington Post

Data of several Ukrainian government agencies is wiped in cyberattack

A warning message in Ukrainian, Russian and Polish that appeared on the official website of Ukraine’s Foreign Ministry after a massive cyberattack. (Valentyn Ogirenko/Illustration/Reuters)

Several Ukrainian government agencies had their data wiped in a cyberattack that was coordinated with another attack that defaced government agency websites in recent days, according to the Ukrainian government and other individuals familiar with the incident.

The actor behind those attacks has not been officially determined, although the Ukrainian government has said it believes Russia is responsible.

The cyber aggression comes as Kyiv braces for a potential invasion by Russia, which has close to 100,000 troops massed on its border with Ukraine.

The presence of destructive malware on dozens of computers belonging to several Ukrainian government agencies was first reported by Microsoft in a blog post late Saturday. That malware, which Microsoft dubbed WhisperGate, “has been recorded in several institutions that have become victims of the attack,” the State Service of Special Communications and Information Protection of Ukraine said in a statement on Tuesday.

“Thus with a high probability it can be argued that the defacement of the websites of the attacked government agencies and the destruction of data using a wiper are components of one cyber attack aimed at as much damage as possible to the infrastructure of state electronic resources,” the agency said.

On Sunday, Ukraine’s Ministry of Digital Transformation issued a statement on the website defacements. “To date, it can be said that all the evidence points to Russia being behind the cyberattack,” the statement said. “Moscow continues to wage a hybrid war and is actively building up its forces in the information and cyberspace.”

The hack that defaced Ukrainian government agencies and other organizations’ websites Friday came with the ominous message: “Be afraid and expect the worst.”

The agencies whose computer disks were wiped provided “critical executive branch or emergency response functions,” Tom Burt, Microsoft’s vice president for customer security and trust, said in a separate blog post Saturday.

The malware is not known to have infected energy grids or other critical infrastructure, or military command and control systems. But losing the use of computer systems in a security crisis is a concern, said the officials, who have yet to determine how the malware was deposited on the systems.

Microsoft’s Threat Intelligence Center said in its blog post that once the malware is activated, it overwrites the contents of the computer’s “master boot record,” or the portion of the hard drive without which the operating system will not work.

Once that happens, the computer is essentially inoperable. Restoring functionality can be costly and time-consuming.

WhisperGate masqueraded as ransomware. Once it was activated, and once the computer was turned off and on again, a fake ransom note appeared, warning that the user’s hard drive had been corrupted and demanding $10,000 via bitcoin to restore it.

But the ransom note was a ruse, Microsoft said.

Yurii Shchyhol, head of the State Service of Special Communications and Information Protection of Ukraine, said in an interview Tuesday that he expects the agencies will be able to restore their data from backups. The work should be completed by Wednesday, he said.

One of the agencies affected, he said, was the Motor Vehicle Insurance Bureau.

Shchyhol said that Ukraine’s Cyber Emergency Response Team swung into action at 3:50 a.m. Friday when the website defacements were first detected.

He said the team has coordinated with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Stern reported from Kyiv.