A Russia-linked malware campaign attributed to nation-state threat actor Iridium (aka Sandworm) could hit Ukrainian government facilities soon with a series of cyber strikes, Microsoft said in a new threat intelligence report.
Iridium, which is believed to be associated with Russia's military intelligence agency (GRU), is readying the operation in the same way it staged the FoxBlade and CaddyWiper wiper deployments in the early days of the war, Microsoft said.
Attacks could spread beyond Ukraine’s borders to disrupt the country’s supply chain.
“As of late 2022, the threat actor may also have been testing additional ransomware-style capabilities that could be used in destructive attacks on organizations outside Ukraine that serve key functions in Ukraine’s supply lines,” Microsoft wrote in the report.
What Microsoft Found
Microsoft investigations have also revealed:
- Cyber threat actors with known or suspected ties to the GRU, Russia's Foreign Intelligence Service (SVR) and its Federal Security Service (FSB) have tried to break into government and defense-related organizations in Central and Eastern Europe and the Americas.
- Late last year, the threat actor may also have been testing ransomware that could be used to attack organizations outside Ukraine to disrupt its supply chain.
- Early this year, Microsoft “found indications” that Russia-backed malware campaigns have been launched against organizations in more than 17 European countries, with government organizations targeted in particular.
“While these actions are most likely intended to boost intelligence collection against organizations providing political and material support to Ukraine, they could also, if directed, inform destructive operations,” Microsoft said.
The additional worry, of course, is that if Russia continues to lose battles on the ground and in the air, Russian threat actors may expand their malware operations to hit military and humanitarian supply chains, pursuing destructive attacks beyond Ukraine and Poland.
“These possible cyberattacks, should the last year’s pattern continue, may incorporate newer destructive malware variants as well,” Microsoft wrote.
Cyberwar Enters Second Year
Looking ahead to the second year of the war, Microsoft warned that the poor results of recent Kremlin-sponsored cyberattacks, which have not “been any more successful than any of their previous campaigns in the past year,” could drive “Russian escalation in the digital space.”
In an earlier report distributed a year ago, Microsoft said:
- Russia launched nearly 40 destructive cyberattacks targeting hundreds of systems.
- 32% of destructive attacks directly targeted Ukrainian government organizations at the national, regional and city levels.
- More than 40% of destructive attacks “were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the Ukrainian government, military, economy and civilians.”
- Microsoft’s report attributed wiper malware attacks to Iridium.
Suggestions for managed security service providers and managed service providers:
- Continue to monitor CISA (Cybersecurity and Infrastructure Security Agency) alerts and updates, particularly as they pertain to infrastructure security worldwide.
- Check MSSP Alert’s Russia-Ukraine war timeline, which is updated regularly with cyberattack and cyber defense information tied to the conflict.