WASHINGTON — Microsoft warned on Saturday evening that it had detected a highly destructive form of malware in dozens of government and private computer networks in Ukraine that appeared to be waiting to be triggered by an unknown actor.
In a blog post, the company said that on Thursday — around the same time that government agencies in Ukraine found their websites had been defaced — investigators who watch over Microsoft’s global networks detected the code. “These systems span multiple government, nonprofit and information technology organizations, all based in Ukraine,” Microsoft said.
The code appears to have been deployed around the time that Russian diplomats, after three days of meetings with the United States and NATO over the massing of Russian troops at the Ukrainian border, declared that the talks had essentially hit a dead end.
Ukrainian officials blamed the defacement of their government websites on a group in Belarus, though they said they suspected Russian involvement. But early attribution of attacks is frequently wrong, and it was unclear if the defacement was related to the far more destructive code that Microsoft said it had detected.
Microsoft said that it could not yet identify the group behind the intrusion, but that it did not appear to be an attacker that its investigators had seen before.
The code, as described by the company’s investigators, is meant to look like ransomware — it freezes up all computer functions and data, and demands a payment in return. But there is no infrastructure to accept money, leading investigators to conclude that the goal is to inflict maximum damage, not raise cash.
It is possible that the destructive software has not spread too widely and that Microsoft’s disclosure will make it harder for the attack to metastasize. But it is also possible that the attackers will now launch the malware and try to destroy as many computers and networks as possible.
Warnings like the one from Microsoft can help abort an attack before it happens, if computer users look to root out the malware before it is activated. But it can also be risky. Exposure changes the calculus for the perpetrator, who, once discovered, may have nothing to lose in launching the attack, to see what destruction it wreaks.
For President Vladimir V. Putin of Russia, Ukraine has often been a testing range for cyberweapons.
An attack on Ukraine’s Central Election Commission during a presidential election in 2014, in which Russia sought unsuccessfully to change the result, proved to be a model for the Russian intelligence agencies; the United States later found that they had infiltrated the servers of the Democratic National Committee in the United States. In 2015, the first of two major attacks on Ukraine’s electric grid shut off the lights for hours in different parts of the country, including in Kyiv, the capital.
And in 2017, businesses and government agencies in Ukraine were hit with destructive software called NotPetya, which exploited holes in a type of tax preparation software that was widely used in the country. The attack shut down swaths of the economy and hit FedEx and the shipping company Maersk as well; American intelligence officials later traced it to Russian actors. That software, at least in its overall design, bears some resemblance to what Microsoft warned of on Saturday.
The new attack would wipe hard drives clean and destroy files. Some defense experts have said such an attack could be a prelude to a ground invasion by Russia. Others think it could substitute for an invasion, if the attackers believed a cyberstrike would not prompt the kind of major sanctions that President Biden has vowed to impose in response.
