Researchers find similarities between NotPetya, attacks on Ukrainian government systems

The NotPetya attacks crippled businesses around the world and led to an estimated $10 billion in costs.
The golden domes of St. Sophia's Cathedral in Kiev, Ukraine. (Photo by Sean Gallup/Getty Images)

The malware that wiped dozens of government computer systems in Ukraine starting on Jan. 13 shares some strategic similarities to to the NotPetya wiper that was used to attack Ukraine in 2017 and ended up causing nearly $10 billion in damages worldwide, researchers said Friday.

The analysis, from Cisco’s Talos threat intelligence division, says that the NotPetya episode should serve as warning that any organization with connections to Ukraine should “carefully consider how to isolate and monitor those connections to protect themselves from potential collateral damage.”

The warning comes as the military buildup along the Ukraine border with Russia continues and worries that Russia is planning to invade its neighbor, a claim the Russian government denies. On Jan. 14 roughly 80 Ukrainian government agencies’ websites were defaced, garnering headlines around the world. Although that attack was relatively simple and the sites were restored in short order, malware known as WhisperGate wiped seven workstations at one computer agency and a combination of workstations and servers at a second agency, a Ukrainian government official told cybersecurity journalist Kim Zetter.

Those attacks included a demand for $10,000 in Bitcoin, but the ransom demands were a ruse to obfuscate the destructive intent of the malware. The Talos researchers wrote Friday that WhisperGate was similar in that it, too, masqueraded as ransomware while targeting and destroying the master boot record (MBR) instead of encrypting it. But a key difference is that WhisperGate has “more components designed to inflict additional damage.”


The attackers behind WhisperGate used stolen credentials to gain initial access to systems, the researchers assessed, and likely had access to the victim network for months before the attack, “a typical characteristic of sophisticated advanced persistent threat (APT) operations.” Talos reported Thursday that the attackers had access to the target systems as far back as late in the summer of 2021.

WhisperGate has yet to be formally attributed, but authorities in Ukraine have pointed the finger at hackers associated with Belarus and Russia.

The researchers noted Friday that the defacement of 80 government sites and even the wiper attacks aren’t, on their own, alarming considering that Ukraine has been considered a “test lab” for Russian cyberattacks and tooling for years. “In fact, if it weren’t for the obvious increase in geopolitical tensions in the region, we would simply consider it winter in Ukraine,” the researchers wrote, adding that they’ve “seen this kind of activity on and off for years” and “see no reason to panic because of these events.”

Nevertheless, the researchers urge network defenders to heed the warnings from the Jan. 18 Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency advisory to take steps to reduce the likelihood of attacks on their systems causing serious damage. U.K.’s National Cyber Security Centre and the Canadian Centre for Cyber Security issued similar warnings in recent days.

The damage wrought by NotPetya is instructive now, the researchers say.


“In that case, an attack that was intended to punish Ukraine had a wide-ranging global impact,” they wrote. “Any organization that has any sort of business connection to Ukraine could be affected.”

Latest Podcasts