Neither the malware nor the ransom message appears customized for each victim in this campaign, suggesting the hackers had no intention of tracking victims or unlocking the machines of those who pay.

Both of the malware's destructive techniques, as well as its fake ransomware message, carry eerie reminders of data-wiping cyberattacks Russia carried out against Ukrainian systems from 2015 to 2017, sometimes with devastating results. In the 2015 and 2016 waves of those attacks, a group of hackers known as Sandworm, later identified as part of Russia's GRU military intelligence agency, used malware similar to the kind Microsoft has identified to wipe hundreds of PCs inside Ukrainian media, electric utilities, railway system, and government agencies including its Treasury and pension fund.

Those targeted disruptions, many of which used similar fake ransomware messages in an attempt to confuse investigators, culminated with Sandworm's release of the NotPetya worm in June of 2017, which spread automatically from machine to machine within networks. "We’ve been specifically warning our customers of a destructive attack that appeared to be ransomware," says John Hultquist, who leads Mandiant's threat intelligence.

Microsoft has been careful to point out that it has no evidence of any known hacker group's responsibility for the new malware it discovered.
As reported by Wired.