Cyber Attacks Against Ukraine Began Before Russia Launched its First Missile; Technique Can Affect Anyone Worldwide | Ron Benvenisti

Microsoft on Monday disclosed that it detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure hours before Russia launched its first missile strikes last week.

Last Wednesday, a few hours before Russian tanks began rolling into Ukraine, alarms went off inside Microsoft’s Threat Intelligence Center, warning of a never-before-seen piece of “wiper” malware that appeared aimed at the country’s government ministries and financial institutions.

The intrusions involved the use of a never-before-seen malware package dubbed FoxBlade, according to the tech giant’s Threat Intelligence Center (MSTIC), which noted that it added new signatures to its Defender anti-malware service to detect the malware within three hours of the discovery.

“These recent and ongoing cyberattacks have been precisely targeted, and we have not seen the use of the indiscriminate malware technology that spread across Ukraine’s economy and beyond its borders in … prior attacks,” Microsoft’s President and Vice Chair, Brad Smith, said.

In recent months, there has been continuous media coverage of the geopolitical tensions in Eastern Europe around the threats of a Russian invasion of Ukraine. As one may expect, there has been an observable uptick in cyberattacks on related government networks and personnel. One notable case is the so-called “#WhisperGate” malware which is destructive to the systems which it infects.

Nevertheless, both Microsoft and Google have been unsuccessful in completely discovering and averting the attacks.

Additional technical specifics pertaining to FoxBlade, including the mode of initial access, are not known, but Microsoft in a Security Intelligence advisory stated that “this trojan can use your PC for distributed denial-of-service (DDoS) attacks without your knowledge.”

The disclosure comes as cyber assaults ranging from malicious data wipers to DDoS attacks have continued to rain down on Ukrainian government and banking websites, even as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of such attacks employed beyond the country’s borders.

“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data,” CISA said. “Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries.”

The Hackers Use Legitimate Legal Documents

Given access to a legitimate document of the kind that is normally exchanged between parties, an attacker can reuse the contents of that legal document as a lure.

Familiar Visuals Are Used That Can Fool Anyone

This malware can also be attached to legitimate (not faked) documents from banks and government entities, including law enforcement.

As previously stated, in many cases the visual content of the document is a legitimate document that the threat actor leverages. Note that I redacted this document to obscure the original content, because it may contain classified or non-public material.

This document appears to come from the prosecutor’s office of the Luhansk region of eastern Ukraine. The content of the document looks legitimate, which helps conceal any trace of the threat actor.

The next document is a legitimate bank statement.

There is currently no way to stop the infiltration, even with after-the-fact deep analysis, because the malware is heavily encrypted.

We can see from the detection results of the first scan that this malicious document lure was capable of bypassing most endpoint protection vendors.

Some samples of this campaign are quite stealthy while successfully infecting their targets. This allows the threat actor to gain a strong foothold in the victim’s network without leaving a large footprint.

Rep. Adam B. Schiff, D-Calif., who chairs the House Intelligence Committee, noted that Putin’s decision-making so far has proved poor.

“There’s a risk that whatever cyber tools Russia uses in Ukraine don’t stay in Ukraine,” he said last week. “We’ve seen this before, where malware directed to a certain target gets released in the wild and then takes on a life of its own. So, we could be the victim of Russian malware that has gone beyond its intended target.”

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].

2 COMMENTS

  1. I noticed that when I logged on to my computer today, my computer welcomed me back with the words “privet dobro pozhalovat sovetskiy soyuz”, which means “Hello, welcome to the Soviet Union” in Russian. That’s right, the Russians are here, in my computer.