OODA Loop

Understand tomorrow, today.

What’s Really Behind WhisperGate Attacks Against Ukraine?

Archive, Disruptive Technology, OODA Original / by

[NOTE:  As an introduction to WhisperGate, see CISA Insights Bulletin Urges U.S. Preparation for Data Wiping Attacks. And for tips on what to do to rapidly improve your own cybersecurity posture to prepare for the coming attacks see: C-Suite Guide: Improving Cybersecurity Posture Before Russia Invades Ukraine]

Recently, Ukraine suffered two sets of cyber-attacks in response to the geopolitical situation with Russia. The first round was a series of nuisance web page defacements that targeted more than 70 Ukrainian government websites. The second round of attacks executed WhisperGate, a destructive wiper malware disguised as ransomware, that impacted dozens of Ukrainian entities associated with government, non-profit, and technology companies.  Surely, more victims will follow.  Despite having the appearance of a ransomware attack (complete with ransom note) it did not have a ransom recovery method, a critical part of any ransomware operation. This leads to the conclusion that the primary intention appears to be to render systems inoperable, not collecting financial compensation.

While many first believed Russia to be behind or directing the cyber-attack, Ukrainian authorities stated their belief that a group linked to Belarussian intelligence (using Russian-linked malware) was responsible for the WhisperGate attacks. Though Moscow has denied any association with the attacks, there is some evidence suggesting a malware link. In 2017, Russian military intelligence executed the NotPetya malware attack that initially targeted Ukrainian targets before escaping into the wild. Financial institutions, energy companies, government ministries, the Kyiv international airport, metro systems, and other state-owned enterprises were affected in Ukraine.

Analysis of the NotPetya malware revealed that it did not provide an authentic decryption-for-payment opportunity for victims, meaning the attackers didn’t really care about getting paid for their efforts. This would be anathema for a true ransomware group, especially given the magnitude of the global spread of NotPetya, costing the world approximately USD 10 billion in remediation.  Even a small percentage of victims paying the ransom would have been a substantial windfall.

So, it’s not a far-fetched assumption to think that Russia either provided Belarus the malware, worked with them to create it, or even helped them execute the attack. Belarus and Russia maintain close relations, part of which stems from Belarus’ growing reliance on Russia. Despite being security partners, the two maintain a favorable intelligence-sharing relationship (with their intelligence agencies liaising on a permanent basis).  Belarus has been linked to the July 2020 state-sponsored disinformation campaign dubbed “Ghostwriter.” The cybersecurity company that identified the activity reported that Ghostwriter targeted audiences in Lithuania, Latvia, and Poland, using compromised websites, spoofed emails, and NATO-related themes to attract readers. Between October 2020 and January 2021, the group increased its disinformation work, initiating at least five campaigns conducted in Polish and English.

Given the fact that previous activity by Ghostwriter focused mostly on disinformation campaigns, it begs the question:  Why the sudden escalation to conducting destructive attacks against Ukrainian targets?  There has also been sparse evidence indicating that Belarus intelligence has executed cyber espionage or other disruptions in the past.  Does Belarus intelligence have the capability to build such malware on its own? Or does the country need the assistance of a more experienced partner to do so? While more evidence needs to be analyzed before making a more confident analytic judgment, it certainly appears that Belarus is likely receiving help from Moscow, or at least is being used by Moscow as a nearby proxy. If this is true it is a peculiar choice, as Belarus is easily perceived as a willing partner to Moscow’s activities. A more obfuscated proxy would have been more beneficial if Moscow truly wanted to distance itself from the activity. Moscow can deny involvement at face value, but most would agree that Belarus’s lack of history targeting Ukraine with cyberattacks is suspect and very easily points to Russia.

Which goes back to why Russia would care to put forth a half-heartened attempt at introducing this Belarussian narrative. After all, the striking similarities between WhisperGate and NotPetya, the geopolitical importance surrounding the attack, and the fact that Ukraine has been targeted first with the malware all immediately point to Russia’s involvement.  In the end, this narrative may be Putin’s intention.  Russian nationalistic hackers have been typically used in prior incidents of geopolitical tension (such as 2007 Estonia in 2007 and hostilities in Georgia in 2008.

Russia leveraging Belarussian intelligence indicates a potential evolution of how Moscow executes its information attacks in a geopolitical context.  It also shows the seriousness with which Moscow is approaching the Ukraine situation. It may no longer be content with using the same playbook.  Whereas Russia has employed non-state proxies for many previous attacks )which may have taken guidance from Russia but operated tactically as they saw fit), by using state actors – especially those enjoying close relations with Russian counterparts – Moscow is communicating that it is ready to take it up a notch. Ostensibly, not only are Russian state cyber assets prepared to engage in destructive cyberattacks against Ukraine, so are at least the state assets of another bordering country. Viewed from this perspective, it is easy to see right through the thinly veiled threat emanating from Belarus.

Should tensions escalate to a Crimean-like invasion, cyber-attacks against telecommunications and critical infrastructure would provide an apt warning. This is not lost on the global intelligence community that has tracked ongoing Russian-backed cyber-attacks against Ukraine since 2014 and fully expects the same to occur during this emerging conflict.  The only difference is that, in addition to its own state-capable cyber assets, Moscow enjoys collaboration with a prolific non-state cyber army. In this conflict, they would clearly be adding at least one other nation-state intelligence apparatus by way of Minsk. In this regard, Moscow has upped its geopolitical and cyber moves relative to previous excursions. Now it’s looking to see if and how Ukraine responds and, with a divided NATO in the background, what other governments will step up to back Ukrainian’s next move.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Explore OODA Research and Analysis

Use OODA Loop to improve your decision making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation state conflict, non-nation state conflict, global health, international crime, supply chain and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member only video library. Explore The OODA Community

 

About Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.