
Ukrainian government agencies got hit by malware disguised as ransomware.

fUnDaMeNtAl_knobhead

Summary

Apparently Microsoft has detected malware in Ukraine's government agencies, targeting a wide range of agencies.

 

Quotes

Quote

"Our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues, ...
These systems span multiple government, non-profit and information technology organizations, all based in Ukraine."

 

My thoughts

I am a bit concerned about the ability that Microsoft has, and I wonder how they got this data. Windows Defender? Surely the Ukrainian government would have their own antivirus.

Sources

https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

 

https://www.cnet.com/tech/services-and-software/ukrainian-government-networks-infected-with-malware-microsoft-warns/


I feel like this is going to be political and locked.


58 minutes ago, linux fanboy said:

I am a bit concerned about the ability that Microsoft has, and I wonder how they got this data. Windows Defender?

Why? Do you think Windows Defender and Windows' inbuilt security run on magic?

 

 

If you're actually concerned about how they know about and detect threats, they publish everything publicly so you can read about it yourself:

 

Here's 2021's report:

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi?id=101738

 

Six-monthly reports from 2005 to 2018:

https://www.microsoft.com/en-us/security/business/security-intelligence-report

 

Basic rundown of their detection and response:

https://www.microsoft.com/en-us/insidetrack/microsoft-uses-threat-intelligence-to-protect-detect-and-respond-to-threats

 

 

And with the landscape that there currently is over in Ukraine, of course they have their eyes on it.

 


I heard this on the radio today; they made it sound like MS software was responsible for it and made no mention that MS discovered it. It's no wonder everyone hates everything.

 

 


1 hour ago, linux fanboy said:

I am a bit concerned about the ability that Microsoft has, and I wonder how they got this data. Windows Defender? Surely the Ukrainian government would have their own antivirus.

Windows Defender with Advanced Threat Protection (ATP), a paid-for extra, is probably the best option when accounting for all factors. They probably have ATP, which is why Microsoft knows about this so accurately.

 

Also just for you, we install and run Microsoft Defender with ATP on our Linux servers.


1 hour ago, linux fanboy said:

I am a bit concerned about the ability that Microsoft has and I wonder how they got this data

I would assume a national government using Windows would have a constant flux of Microsoft consultants checking their systems.

14 minutes ago, leadeater said:

Windows Defender with Advanced Threat Protection (ATP)

But also this ^


I thought we wanted stuff like Windows Defender to have active protection and not just check for already known signatures; that would be poor.

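The two posts above touch the same practical question: if you are relying on the Defender/ATP agent, is it actually running with real-time and cloud-delivered protection, or is it only doing on-demand signature scans? This is an added example, not leadeater's script or Microsoft's code: a POSIX shell gate that parses the `key : value` lines printed by `mdatp health` (the Defender for Endpoint on Linux CLI) and fails when the agent is unhealthy, unlicensed, in passive mode, or has real-time or cloud protection switched off. The field names are the ones `mdatp health` prints; the two sample outputs are constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example: health gate for Microsoft Defender for Endpoint on Linux.
# Reads `mdatp health` output from stdin and returns non-zero when the agent
# is not in a state where it would actually detect anything in real time.
# Field names match `mdatp health`; samples below are constructed.

# mdatp_health_ok: read `mdatp health` output on stdin; print one line per
# checked field; return 0 only if every required field has its expected value.
mdatp_health_ok() {
    out=$(cat)
    rc=0
    for want in \
        'healthy=true' \
        'licensed=true' \
        'passive_mode_enabled=false' \
        'real_time_protection_enabled=true' \
        'cloud_enabled=true' \
        'definitions_status=up_to_date'
    do
        key=${want%%=*}
        expect=${want#*=}
        # mdatp pads the key, then prints ` : value`, quoting string values;
        # pull the value for this key, drop quotes and trailing whitespace.
        have=$(printf '%s\n' "$out" \
            | sed -n "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*//p" \
            | head -n 1 | tr -d '"' | sed 's/[[:space:]]*$//')
        if [ "$have" = "$expect" ]; then
            printf 'ok    %-30s %s\n' "$key" "$have"
        else
            printf 'FAIL  %-30s got "%s", want "%s"\n' "$key" "$have" "$expect"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a healthy, fully enabled, onboarded agent.
SAMPLE_GOOD='healthy                        : true
licensed                       : true
passive_mode_enabled           : false
real_time_protection_enabled   : true
cloud_enabled                  : true
definitions_status             : "up_to_date"'

# Constructed sample: never onboarded (unlicensed) and real-time protection
# switched off, so only manual scans against local definitions remain.
SAMPLE_BAD='healthy                        : false
licensed                       : false
passive_mode_enabled           : false
real_time_protection_enabled   : false
cloud_enabled                  : true
definitions_status             : "up_to_date"'

# On a real server, gate on the live agent; elsewhere, demo on the samples.
if command -v mdatp >/dev/null 2>&1; then
    mdatp health | mdatp_health_ok || echo "this host is NOT adequately protected"
else
    echo "== sample good =="
    printf '%s\n' "$SAMPLE_GOOD" | mdatp_health_ok || echo "unexpected failure"
    echo "== sample bad =="
    printf '%s\n' "$SAMPLE_BAD" | mdatp_health_ok || echo "sample host is NOT adequately protected"
fi
```

On a fleet this is the kind of check that belongs in configuration management or a cron job that reports to the SIEM: `mdatp health | mdatp_health_ok` exits non-zero on any drift, which is cheaper to alert on than discovering at incident time that the agent was in passive mode.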

Ransomware locks all files and demands a payment to have the files unlocked. Malware doesn't, so this malware is pretending to do something it actually can't?

But both are technically classified as malware.

 


50 minutes ago, NumLock21 said:

Ransomware locks all files and demands a payment to have the files unlocked. Malware doesn't, so this malware is pretending to do something it actually can't?

But both are technically classified as malware.

 

Nation-state malware is a whole other level of seriousness. They try to infect as many networks (and as much as possible) before being discovered. Stealth and covert. Then they pull the trigger and either have their demands met, or go right for the jugular and take it all down before rolling tanks across the border.


I'm just basking in the consolation that Ukrainian IT departments suck as badly as the ones in the States do.

 

They are probably wondering why their printers isolated on VLANs and their unpatched VoIP systems haven't protected them.

 

 


I wonder how many of these are done using Log4j.


On 1/17/2022 at 2:12 AM, mr moose said:

I heard this on the radio today; they made it sound like MS software was responsible for it and made no mention that MS discovered it. It's no wonder everyone hates everything.

Good Morning America yesterday did actually mention that MS was the one to discover it, so it must just be how different media outlets present the info.


On 1/16/2022 at 11:33 PM, linux fanboy said:

malware disguised as ransomware.

What does that even mean? So it looks like ransomware but it's not? How does that help the attacker?


Ooof, that sucks, really bad timing for them.

 


36 minutes ago, dilpickle said:

What does that even mean? So it looks like ransom ware but it's not? How does that help the attacker?

Because ransomware is serious enough to mask true nation-state motives. The former is a crime, the latter would be an act of war.

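The distinction NumLock21 and StDragon are drawing can be checked on disk. Real ransomware leaves cipher output behind, high-entropy data that a key could in principle restore; a wiper wearing a ransom note as a disguise overwrites content with a fixed pattern, so no payment can bring it back. The following is an added example, not code from this thread or from the Microsoft report: a small triage script that measures Shannon entropy over the head of each "ransomed" file and sorts them into overwritten, encrypted-looking, or untouched. The entropy thresholds, the file names, and the sample victim directory are all constructed for the example; run it against a read-only copy of evidence, never the live host.

```python
"""
Triage for the "ransomware or wiper?" question: is there anything the
attacker could actually give back?

Added example, not code from the thread or from Microsoft's report.
Assumptions: encrypted files look like uniformly random bytes; a wiper
leaves a (near-)constant fill. Thresholds and sample files are constructed.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SAMPLE_BYTES = 64 * 1024  # only the head of each file is inspected


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant fill, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Label what a 'ransomed' file's content looks like.

    Thresholds are an assumption for this example, not from any report:
      destructive-overwrite : at most two byte values, or entropy < 1 bit;
                              a constant fill, nothing left to decrypt
      probably-encrypted    : entropy > 7.9 bits, as cipher output looks;
                              recoverable if a key ever turns up
      plaintext-or-partial  : structured data, not (fully) touched
    """
    h = shannon_entropy(data)
    if len(set(data)) <= 2 or h < 1.0:
        return "destructive-overwrite"
    if h > 7.9:
        return "probably-encrypted"
    return "plaintext-or-partial"


def triage_directory(root: Path) -> dict:
    """Map file name -> label for every file under root (read-only)."""
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            results[path.name] = classify(fh.read(SAMPLE_BYTES))
    return results


def summarize(results: dict) -> str:
    """One-line verdict: 'ransomware' that only leaves constant fill is a wiper."""
    wiped = sum(1 for v in results.values() if v == "destructive-overwrite")
    enc = sum(1 for v in results.values() if v == "probably-encrypted")
    if wiped and not enc:
        return "wiper: the ransom note is a disguise, data is unrecoverable"
    if enc and not wiped:
        return "ransomware-like: content looks encrypted, a key may exist"
    return "mixed: look at the individual files"


def build_sample_dir() -> Path:
    """Constructed victim directory, one file per scenario (not real artefacts)."""
    d = Path(tempfile.mkdtemp(prefix="triage_"))
    # wiper behaviour: content replaced by a constant byte (value arbitrary here)
    (d / "budget.xlsx.locked").write_bytes(b"\x00" * SAMPLE_BYTES)
    # genuine encryption, simulated: random bytes stand in for ciphertext
    (d / "contract.docx.locked").write_bytes(os.urandom(SAMPLE_BYTES))
    # a document the malware never reached
    (d / "readme.txt").write_bytes(b"Quarterly report, draft 3.\n" * 2000)
    return d


if __name__ == "__main__":
    labels = triage_directory(build_sample_dir())
    for name, label in labels.items():
        print(f"{label:<22} {name}")
    print(summarize(labels))
```

Entropy alone will not tell you who the attacker is, but it answers the question the victim cares about first: whether paying could ever get the data back. A directory full of constant-fill "locked" files with a ransom note next to them is the signature of a wiper in costume, and the right response is restore from backup, not negotiation.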

1 hour ago, StDragon said:

Because ransomware is serious enough to mask true nation-state motives. The former is a crime, the latter would be an act of war.

The way to mask yourself is to have no one know you were ever there. Any nation state could achieve this.

 

This reminds me of that stupid movie Executive Decision where their plan is to "sneak" a bomb into the US by drawing attention to themselves with a hijacking.


4 hours ago, TVwazhere said:

Good Morning America Yesterday did actually mention that MS was the ones to discover it, so it must just be how different media outlets present the info. 

It's always how they want to present it. I don't know a single media entity that doesn't skew the information so it fits an agenda.


I'm not saying it was the case here, but a lot of governments and government entities run in the cloud on platforms such as Azure, Office 365, etc. There have been a number of these sorts of attacks discovered via the documents passing through those sorts of channels and services as well.


3 hours ago, justpoet said:

I'm not saying it was the case here, but a lot of governments and government entities run in the cloud on platforms such as Azure, Office 365, etc. There have been a number of these sorts of attacks discovered via the documents passing through those sorts of channels and services as well.

On the Azure side, and probably AWS too, governments actually use dedicated Azure regions that run on their own pool of hardware and run different versions of Azure itself. Early features or services that are added to Azure sometimes are not available in the Gov regions.

 

It's still shared but only with other allowed Gov entities for that region.

 

When I say regions I'm using the Azure Region terminology.


2 minutes ago, leadeater said:

On the Azure side, and probably AWS too, governments actually use dedicated Azure regions that run on their own pool of hardware and run different versions of Azure itself. Early features or services that are added to Azure sometimes are not available in the Gov regions.

 

It's still shared but only with other allowed Gov entities for that region.

 

When I say regions I'm using the Azure Region terminology.

True. There is an extra price tier, for example, when requiring a US server set for law enforcement requirements and similar. But that isn't dedicated hardware or pools, like I would expect a more central agency with deeper pockets to be doing.


10 minutes ago, justpoet said:

True. There is an extra price tier, for example, when requiring a US server set for law enforcement requirements and similar. But that isn't dedicated hardware or pools, like I would expect a more central agency with deeper pockets to be doing.

 

Quote

Microsoft has made 'Azure Government Top Secret' generally available, and can now bid for US government contracts with top-secret data hosting requirements.

 

The company has long offered 'Government' and 'Government Secret' services, but now is after highly classified data workloads.

https://www.datacenterdynamics.com/en/news/microsoft-launches-azure-government-top-secret-for-us-national-security-contracts/

 

Also: https://arstechnica.com/tech-policy/2021/08/microsoft-protests-amazons-10-billion-nsa-cloud-computing-contract/

 

One of the reasons I personally think these "entities" are utilizing the public cloud, Azure/AWS, is that these facilities are central points of internet data flows, so it makes logical sense to deploy their intelligence-gathering systems into these. But I try to limit the size of my tinfoil hats lol.


9 minutes ago, leadeater said:

 

https://www.datacenterdynamics.com/en/news/microsoft-launches-azure-government-top-secret-for-us-national-security-contracts/

 

Also: https://arstechnica.com/tech-policy/2021/08/microsoft-protests-amazons-10-billion-nsa-cloud-computing-contract/

 

One of the reasons I personally think these "entities" are utilizing the public cloud, Azure/AWS, is that these facilities are central points of internet data flows, so it makes logical sense to deploy their intelligence-gathering systems into these. But I try to limit the size of my tinfoil hats lol.

Under this logic the Russians must be hacking the Pentagon using Ukrainian computers.

 

Actually possible, buuuuutt...


1 minute ago, williamcll said:

Under this logic the Russians must be hacking the Pentagon using Ukrainian computers.

What? I have no idea what your point is.


14 minutes ago, leadeater said:

One of the reasons I personally think these "entities" are utilizing the public cloud, Azure/AWS, is that these facilities are central points of internet data flows so it makes logical sense to deploy their intelligence gathering systems in to these. But I try and limit the size of my tinfoil hats lol.

Don't worry, side channel attacks don't exist in the cloud. 😉  </tinfoil>
