Microsoft said that Ukrainian networks were targeted with recently found malware several hours before Russia’s invasion of Ukraine on February 24th.
Researchers with the Microsoft Threat Intelligence Center (MSTIC) observed destructive attacks targeting Ukraine and spotted a malware strain they named FoxBlade (VirusTotal scan available here).
This malware was previously spotted by cybersecurity firms Symantec and ESET one day before the invasion started and dubbed HermeticWiper by SentinelOne principal threat researcher Juan Andres Guerrero-Saade.
“Several hours before the launch of missiles or movement of tanks on February 24, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure,” Microsoft President and Vice-Chair Brad Smith said.
“We immediately advised the Ukrainian government about the situation, including our identification of the use of a new malware package (which we denominated FoxBlade), and provided technical advice on steps to prevent the malware’s success.”
Smith said the company updated its Defender security platform with new signatures to block the malware within three hours of discovering the malicious payload deployed in the wild.
These recently spotted and still active cyberattacks “have been precisely targeted,” Smith also revealed.
This contrasts to the indiscriminate malware assaults that impacted Ukraine’s and other countries’ economies during the 2017 NotPetya worldwide attack linked to a Russian GRU Main Intelligence Directorate hacking group known as Sandworm.
Ukrainian networks attacked with destructive malware
The offensive cyberattacks detected by MSTIC researchers right before the Russian invasion followed several other series of malware attacks since the start of 2021.
Earlier this month, newly discovered HermeticWiper malware was used to target Ukraine together with ransomware decoys to wipe data and render devices unbootable.
In January, the country was struck by another series of malware attacks deploying the WhisperGate wiper disguised as a ransomware payload.
Over the weekend, CISA and the FBI warned US organizations that the data wiping attacks against Ukraine could spill over to other countries, urging US orgs to “increase vigilance” and reinforce their defenses.
The same day, Ukraine’s Vice Prime Minister Mykhailo Fedorov also revealed the creation of an “IT army” to help the country “fight on the cyber front.”
Right before the war started, the Ukrainian Security Service (SSU) reported that Ukraine was being targeted by a “massive wave of hybrid warfare.”
Update: Added HermeticWiper info and updated title.