Microsoft: Russian hackers may be readying new wave of destructive attacks

Russian hackers linked with destructive malware attacks may be preparing for a new wave of strikes, researchers with Microsoft’s Digital Threat Analysis Center said Wednesday.

The warning is included in a broad overview of the cyberattacks, influence operations and strategy employed by Russia-linked actors operating in Ukraine over the past year. It notes that although most of the Russian hacking efforts appear espionage related, hackers working for Russian military intelligence “have already shown a willingness to used destructive tools outside Ukraine if instructed” and that targets in Ukraine and around the world should take notice.

The report arrives against the backdrop of a failing Russian military offensive to gain territory, according to Western governments. Russian-aligned hacking efforts show signs of ongoing development and iteration aimed at both intelligence gathering and testing destructive malware attacks.

“It is not that we necessarily think that Russia will launch a stream of cyberattacks, however we are currently seeing patterns of targeted threat activity in Ukraine similar to the early days of the invasion,” Clint Watts, the general manager of Microsoft’s Digital Threat Analysis Center, told CyberScoop in a statement. “Russian state actors are working to gain accesses in Ukrainian and European networks and refining their malicious toolkits further suggesting preparations are underway for espionage or destruction.”

Along with destructive malware attacks, Wednesday’s report warns about threats to military and humanitarian supply chains — both in Ukraine and abroad — as well as information operations that are likely to include hack-and-leak operations, particularly in countries with upcoming elections, the outcome of which could change official policy toward the Russian assault on Ukraine, such as in Poland, Estonia and Finland.

Russia’s cyber operations against Ukraine have mostly entailed information operations and destructive wiper attacks, but more covert aspects of Russian operations makes it difficult to assess their full scope. On Tuesday, for example, Microsoft warned vendors about a since-fixed vulnerability in the Outlook email software that Russian hackers used to infiltrate more than a dozen European military, energy and transportation networks and spy unnoticed between April and December 2022, CNN and Bleeping Computer reported.

The threat intelligence company Mandiant attributed the attack on Outlook to APT 28, a Russian hacking group linked to Russia’s military intelligence service, and the company’s analysts believe that the vulnerability was used to target critical infrastructure inside of Ukraine and elsewhere.

“This will be a propagation event,” said John Hultquist, the head of intelligence analysis at Mandiant. “This is an excellent tool for nation-state actors and criminals alike who will be on a bonanza in the short term.”

“This is more evidence that aggressive, disruptive and destructive cyberattacks may not remain constrained to Ukraine and a reminder that we cannot see everything,” Hultquist said. “While preparation for attacks do not necessarily indicate they are imminent, the geopolitical situation should give us pause.”

Microsoft’s researchers see Russia’s more overt, noisy attacks as a way for the Kremlin to test Western resolve. In October, Russian-linked hackers struck the Polish transportation sector with a strain of pseudo ransomware known as “Prestige,” a move that tested “the international community’s ability to attribute espionage operations to Moscow or testing the reaction of Ukraine’s allies to a targeted destructive attack outside Ukraine,” according to Microsoft.

In November, the group behind the attacks — dubbed IRIDIUM by Microsoft but widely known as Sandworm — deployed a new ransomware variant dubbed RansomBoggs with technical similarities to the Industroyer2 malware, which the group has tried to deploy in targeting the Ukrainian energy sector during the war.

The rapid deployment of multiple variants reflects what Microsoft called the “iterative development and refinement for modular functionality and improved detection evasion.” Because Microsoft has only observed the malware on two targets in Ukraine, neither of which have political or military significance, Microsoft’s researchers argue that Russian actors may be preparing it for use outside of Ukraine.

Updated, March 15, 2023: This article has been updated with comment from Mandiant’s John Hultquist.