WhisperGate

As Russia’s invasion of Ukraine continues into its second year and Microsoft continues to collaborate with global partners in response, the exposure of destructive cyber capabilities and information operations provides greater clarity into the tools and techniques used by Russian state-sponsored threat actors. Throughout the conflict, Russian threat actors have deployed a variety of destructive capabilities with varying levels of sophistication and impact. These showcase how malicious actors rapidly implement novel techniques during a hybrid war, along with the practical limitations of executing destructive campaigns when significant operational errors are made and the security community rallies around defense. These insights help security researchers continuously refine detection and mitigation capabilities to defend against such attacks as they evolve in a wartime environment.

Leading up to Russia’s unprovoked attack against Ukraine, threat actors deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable. On January 15, 2022, the Microsoft Threat Intelligence Center (MSTIC) disclosed that malware, known as WhisperGate, was being used to target organizations in Ukraine. According to Microsoft, WhisperGate is intended to be destructive and is designed to render targeted devices inoperable. On February 23, 2022, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine.

Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.

Threat actors have deployed destructive malware, including both WhisperGate and HermeticWiper, against organizations in Ukraine to destroy computer systems and render them inoperable. CISA recommends organizations review the resources listed below for more in-depth analysis and see the Mitigation section for best practices on handling destructive malware. On January 15, 2022, Microsoft Threat Intelligence Center (MSTIC) announced the identification of a sophisticated malware operation targeting multiple organizations in Ukraine. The malware, known as WhisperGate, has two stages that corrupt a system’s master boot record, display a fake ransomware note, and encrypt files based on certain file extensions. Note: although a ransomware message is displayed during the attack, Microsoft highlighted that the targeted data is destroyed and is not recoverable even if a ransom is paid.

Destructive malware may use popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from websites, and virus-infected files downloaded from peer-to-peer connections. Malware seeks to exploit existing vulnerabilities on systems for quiet and easy access. Such malware can target a wide range of systems and execute across multiple systems throughout a network. As a result, it is important for organizations to assess their environment for atypical channels of malware delivery and propagation throughout their systems.

Microsoft uses DEV-#### designations as temporary names for unknown, emerging, or developing clusters of threat activity, allowing MSTIC to track each cluster as a unique set of information until it reaches high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor or merged with existing actors. In April 2023, Microsoft Threat Intelligence shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0586 is now tracked as Cadet Blizzard.

In an indictment unsealed 05 September 2024, a grand jury in Maryland charged six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia), with conspiracy to commit computer intrusion and wire fraud conspiracy. Five of the defendants were officers in Unit 29155 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. The sixth individual was a civilian already under indictment for conspiracy to commit computer intrusion and is now also charged with wire fraud conspiracy.

Concurrent with the return of the indictment, the U.S. Department of State’s Rewards for Justice program is offering a reward of up to $10 million for information on any of the defendants’ locations or their malicious cyberactivity.

The indictment alleges that these GRU hackers and their co-conspirator engaged in a conspiracy to hack into, exfiltrate data from, leak information obtained from, and destroy computer systems associated with the Ukrainian Government in advance of the Russian invasion of Ukraine. The defendants did so in order to sow concern among Ukrainian citizens regarding the safety of their government systems and personal data. The defendants’ targets included Ukrainian Government systems and data with no military or defense-related roles. Later targets included computer systems in countries around the world that were providing support to Ukraine, including the United States and 25 other North Atlantic Treaty Organization (NATO) countries.

“The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” said Assistant Attorney General Matthew G. Olsen of the National Security Division. “Today’s indictment underscores that the Justice Department will use every available tool to disrupt this kind of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive targeting of the United States and our allies.”

“Since July 2021, the U.S. Department of State’s Rewards for Justice (RFJ) program, administered by the Diplomatic Security Service (DSS), has offered a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act,” said DSS Deputy Assistant Secretary for Threat Investigations and Analysis Paul Houston. “Under this reward offer, the RFJ program is seeking information leading to the location of these individuals, GRU’s malicious cyber activity or associated individuals and entities.”

“Today’s superseding indictment underscores our commitment to using all the tools at our disposal to pursue those who would do us and our allies around the world harm,” said U.S. Attorney Erek L. Barron for the District of Maryland. “Cyber intrusion schemes such as the one alleged threaten our national security, and we will use all the technologies and investigative measures at our disposal to disrupt and track down these cybercriminals.”

“Through strokes on a keyboard, the accused criminals used computers to cross into countries, hunting for weaknesses and seeking to harm. The FBI and our law enforcement partners, both national and international, will collectively defend against Russia’s aggressive and illegal actions,” said Special Agent in Charge William J. DelBagno of the FBI Baltimore Field Office. “We are united in identifying, prosecuting and protecting against future crimes and vow to relentlessly hunt down and counter these threats.”

The defendants charged in the indictment are: Yuriy Denisov, a colonel in the Russian military and a commanding officer of Cyber Operations for Unit 29155; four lieutenants in the Russian military assigned to Unit 29155 who worked on cyber operations: Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov and Nikolay Korchagin; and a civilian co-conspirator, Amin Sitgal.

According to court documents, on Jan. 13, 2022, the defendants conspired to use a U.S.-based company’s services to distribute malware known in the cybersecurity community as “WhisperGate,” which was designed to look like ransomware, to dozens of Ukrainian government entities’ computer systems. However, as the indictment alleges, WhisperGate was actually a cyberweapon designed to completely destroy the target computer and related data in advance of the Russian invasion of Ukraine. Ukrainian government networks subjected to this attack included the Ukrainian Ministry of Internal Affairs, State Treasury, Judiciary Administration, State Portal for Digital Services, Ministry of Education and Science, Ministry of Agriculture, State Service for Food Safety and Consumer Protection, Ministry of Energy, Accounting Chamber for Ukraine, State Emergency Service, State Forestry Agency and Motor Insurance Bureau.

In conjunction with these attacks, the defendants compromised several of the targeted Ukrainian computer systems, exfiltrated sensitive data, including patient health records, and defaced the websites to read: “Ukrainians! All information about you has become public, be afraid and expect the worst. This is for your past, present and future.” That same day, the defendants offered the hacked data for sale on the internet.

The U.S. government previously joined with allies and partners in May 2022 to attribute this cyber-attack to the Russian military and to condemn the attack and similar destructive cyber activities against Ukraine. In August 2022, the defendants also hacked the transportation infrastructure of a Central European country that was supporting Ukraine. Beginning in August 2021, the defendants also probed a variety of protected computer systems including those associated with 26 NATO member countries, searching for potential vulnerabilities. The indictment further alleges that from Aug. 5, 2021, to Feb. 3, 2022, the defendants leveraged the same computer infrastructure they used in the Ukraine-related attacks to probe computers belonging to a federal government agency in Maryland in the same manner as they had initially probed the Ukrainian Government networks.

This indictment is part of an international effort, Operation Toy Soldier, to combat the malicious cyber activity by Unit 29155 of the GRU. Accompanying today’s announcement, the FBI and 12 other partners, representing governments of nine countries, released a Joint Cybersecurity Advisory to enhance network defense efforts against Unit 29155’s malicious cyber activities.
