May 27, 2022

TheCyberThrone

Thinking Security ! Always

WhisperGate Behind Ukraine Cyber Attack

Destructive malware is being used in cyberattacks against Ukrainian government organizations. The malware, dubbed WhisperGate, is an MBR wiper: it overwrites the Master Boot Record, which leaves affected devices unbootable and results in data loss.

Microsoft says it has not found any notable associations between the observed activity, which it tracks as DEV-0586, and other known threat groups. Ukraine said on Sunday that it had “evidence” that Russia was behind the attacks.


Microsoft's investigation teams have identified the malware on dozens of impacted systems, and that number could grow as the investigation continues. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine.

Wiper malware disguised as ransomware is not new. WhisperGate, which Microsoft attributes to the activity group it tracks as DEV-0586, resembles NotPetya, discovered back in 2017, which was also a wiper disguised as ransomware. NotPetya crippled many companies in Ukraine, France, Russia, Spain and the United States.


Overwriting the MBR renders the machine unbootable. On its own, an overwritten MBR can sometimes be rebuilt from a backup of the first sector or by recreating the partition table, but recovery becomes impossible when the malware also overwrites file contents before it overwrites the MBR.
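A forensic first look at a suspect disk is to pull the first 512 bytes and ask whether they still parse as an MBR. The example below is added here and is not code from the original post or from Microsoft: it parses the boot signature and the four primary partition entries, and flags a sector that has lost its signature, has no usable partition entry, or carries a long run of ASCII text in the bootstrap area (a ransom note written over the boot code). The 64-byte run threshold is an assumption chosen to sit well above the short strings a normal Windows boot sector contains; the healthy and wiped sectors are constructed for the demo, and the note text is illustrative rather than WhisperGate's.

```python
"""Triage an MBR sector (first 512 bytes of a disk or disk image) for wiper damage.

Added example, not code from the original post. HEALTHY and WIPED are constructed
sectors for the demo; the note wording is illustrative, not WhisperGate's own text.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
TABLE_OFF = 446   # partition table starts after the bootstrap code
NOTE_RUN = 64     # assumption: real boot code never holds >= 64 consecutive printable bytes


def parse_mbr(sector: bytes) -> dict:
    """Return boot-signature status and the four primary partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba_start, nsect = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": nsect})
    return {"signature_ok": sector[510:512] == BOOT_SIG, "partitions": parts}


def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII (0x20..0x7E) in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if 0x20 <= b <= 0x7E else 0
        best = max(best, cur)
    return best


def triage_mbr(sector: bytes) -> list:
    """Return the reasons the sector looks wiped; an empty list means it parses as sane."""
    info = parse_mbr(sector)
    reasons = []
    if not info["signature_ok"]:
        reasons.append("missing 0x55AA boot signature")
    usable = [p for p in info["partitions"] if p["type"] != 0 and p["sectors"] > 0]
    if not usable:
        reasons.append("no usable partition entries")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        reasons.append("invalid status byte in partition table")
    if longest_printable_run(sector[:TABLE_OFF]) >= NOTE_RUN:
        reasons.append("bootstrap area holds a long ASCII string (ransom-note text?)")
    return reasons


def _entry(status: int, ptype: int, lba_start: int, nsect: int) -> bytes:
    """Pack one 16-byte partition entry; CHS fields are zeroed (LBA-only)."""
    return struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3,
                       lba_start, nsect)


# Constructed healthy MBR: pseudo-random boot code, one bootable NTFS partition.
HEALTHY = (bytes((i * 37 + 11) & 0xFF for i in range(TABLE_OFF))
           + _entry(0x80, 0x07, 2048, 204800) + b"\x00" * 48 + BOOT_SIG)

# Constructed wiped MBR: a note overwrote the boot code and table; no signature survives.
NOTE = b"Your disk has been corrupted. Send payment to the wallet below to recover it. "
WIPED = (NOTE * 3 + b"\x00" * SECTOR)[:SECTOR]

if __name__ == "__main__":
    for name, sec in (("healthy", HEALTHY), ("wiped", WIPED)):
        print(name, triage_mbr(sec) or "looks intact")
```

On a live Linux analysis box the sector comes from `open("/dev/sdX", "rb").read(512)` or from a raw image file; a GPT disk still has a protective MBR in sector 0 (type 0xEE), so the same check applies before you move on to the GPT headers.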

The bitcoin wallet address and communication channel in WhisperGate's ransom note are perhaps a smokescreen: they divert attention from the attackers' true intention while making the attackers harder to track.

Indicators of Compromise (SHA-256)

  • a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
  • dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
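To sweep a host or a mounted image for the two hashes above, a practitioner needs a scanner that hashes files in chunks, skips symlinks and unreadable files instead of aborting, and compares case-insensitively. The following is an added example, not code from the original post; the only thing it takes from the post is the IOC list, and the files written by `demo()` are constructed sample data, not real WhisperGate binaries.

```python
"""Walk a directory tree and report files whose SHA-256 matches a known-bad set.

Added example, not from the original post. WHISPERGATE_SHA256 is the post's IOC
list; everything demo() writes to disk is constructed sample data.
"""
import hashlib
import os
import tempfile

WHISPERGATE_SHA256 = {
    "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92",
    "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str, iocs=WHISPERGATE_SHA256) -> list:
    """Return (path, sha256) for every regular file under root whose hash is in iocs.

    Symlinks are skipped so the walk cannot be steered outside root, and files that
    cannot be read (locked, permission denied) are skipped rather than ending the sweep.
    """
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo() -> dict:
    """Build a throwaway tree with one constructed sample and show that it is reported
    only when its own hash is in the IOC set, never against the post's real hashes."""
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "Windows", "Temp")
        os.makedirs(sub)
        sample = os.path.join(sub, "stage.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample, not the real WhisperGate binary\n")
        with open(os.path.join(tmp, "notes.txt"), "w") as f:
            f.write("benign file\n")
        digest = sha256_file(sample)
        return {
            "against_post_iocs": scan_tree(tmp),
            "against_sample_hash": [os.path.basename(p) for p, _ in scan_tree(tmp, {digest.upper()})],
            "sample_sha256": digest,
        }


if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at a mounted forensic image or at `C:\` from an elevated shell; a match on either hash is a confirmed stage of the malware described in this post and the host should be isolated rather than cleaned in place.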

Windows Defender Detections

  • DoS:Win32/WhisperGate.A!dha
  • DoS:Win32/WhisperGate.C!dha
  • DoS:Win32/WhisperGate.H!dha
  • DoS:Win32/WhisperGate.X!dha