A series of website defacements in Ukraine this week were “cover for more destructive actions” according to a government official and a technical warning from Microsoft.
The high-profile but ultimately ineffective defacements – which came with fake ransomware notices, according to Microsoft – were immediately reported, but behind the scenes malicious software was really being used to damage the computers it was installed on.
What happened?
Microsoft has warned that it has “identified evidence of a destructive malware operation targeting multiple organisations in Ukraine,” although it was unable to link the hackers behind it to any known groups.
The software company said it had identified the malware “on dozens of impacted systems” and added that “that number could grow as our investigation continues”.
“These systems span multiple government, non-profit, and information technology organisations, all based in Ukraine”, the company added.
However, it is unclear whether the damage done was only to Windows-based systems or if other similar attacks were taking place at the same time.
Serhiy Demedyuk, the deputy secretary of Ukraine’s national security and defence council, told Reuters that the country believed the defacements were conducted by a group that has been linked to Belarus.
That group was recently linked to hacking and disinformation campaigns which targeted the Lukashenko regime’s critics, including dissidents and foreign governments.
Some experts have expressed concern that if Belarus was involved in supporting Russian operations targeting Ukraine, then it could potentially expose the country to additional fighting on its Western flank.
Mr Demedyuk dismissed the fake ransomware note’s threat to people in Ukraine but warned the country would feel the consequences of the destructive attack “in the near future”.
The EU’s foreign policy chief Josep Borrell condemned the attack, saying he “has no evidence who was responsible”, but “we can imagine who is behind it”.
An emergency EU meeting has been called to respond, he added.
On some of the websites, a text in three languages – Ukrainian, Polish (which Mr Demedyuk said appeared machine-translated) and Russian – said all data of Ukrainians uploaded to the network had become public.
“Ukrainian! All your personal data was uploaded to the public network. All data on the computer is destroyed, it is impossible to restore it,” the message reads.
“All information about you has become public, be afraid and expect the worst. This is for your past, present and future.”