The U.S. government is sounding alarms after Microsoft reported a series of attacks targeting networks in Ukraine.
The Cybersecurity and Infrastructure Security Agency (CISA) passed on warnings from the software giant over multiple discoveries of a new family of "destructive malware" that seeks to erase data on targeted systems under the guise of being a ransomware attack.
CISA warned that, unlike a normal ransomware attack that offers victims the ability to retrieve their data after paying out, the attacks seen in Ukraine simply wipe the host regardless of payment status.
The malware, referred to as WhisperGate by Microsoft, targets the master boot record (MBR) of the target and renders the machine inoperable.
"According to Microsoft, powering down the victim device executes the malware, which overwrites the MBR with a ransom note; however, the ransom note is a ruse because the malware actually destroys the MBR and the targeted files," CISA said.
The malware, according to a Microsoft blog post Saturday, is only thinly veiled as a piece of ransomware. While claiming to ask for a ransom payment, the malware corrupts all files and the MBR without any possible path for recovery.
"At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues," Microsoft said.
"These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine."
The attacks, which all targeted machines based in Ukraine, are likely not a coincidence. The country finds itself in crisis as Russia is threatening an invasion, and any strife between the two nations could include cyber attacks on critical infrastructure.
State-sponsored malware attacks are no longer a novel occurrence and have become the norm when nation-states come to blows. The U.S. and Israel were reportedly behind the Stuxnet attack on Iranian nuclear facilities in 2010, and the Wannacry ransomware attacks were traced back to nation-state hackers in North Korea. WannaCry was similar to WhisperGate in that the ransomware was used as a data wiper rather than an extortion tool.
While Microsoft did not formally attribute the attacks to a specific entity, the company made it clear that the malware was the work of someone with the backing of a government.
"As with any observed nation-state actor activity, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with the information they need to guide their investigations," Microsoft said.
"MSTIC [Microsoft Threat Intelligence Center] is also actively working with members of the global security community and other strategic partners to share information that can address this evolving threat through multiple channels."