Russia is readying another destructive cyber-assault on Ukraine, and could expand its targets to include organizations outside the country supplying Kyiv, according to Microsoft.
Microsoft Threat Intelligence revealed the news in a new report: A year of Russian hybrid warfare in Ukraine.
It said that Sandworm, a unit linked to Russian military intelligence agency GRU, is preparing to follow its Foxblade and Caddywiper efforts last year with new wiper malware.
“As of late 2022, the threat actor may also have been testing additional ransomware-style capabilities that could be used in destructive attacks on organizations outside Ukraine that serve key functions in Ukraine’s supply lines,” it added.
“The Prestige ransomware operation against a Polish firm in late 2022 provides a precedent for such attacks.”
In fact, both Prestige and a separate variant, “Sullivan,” have been linked to Sandworm. Attacks using these malware types may have been attempts to test the reaction of Ukraine’s allies to a targeted destructive attack outside Ukraine, Microsoft claimed.
In a similar way to NotPetya, ransomware is used as a cover for what is actually a destructive attack.
Microsoft said it had observed Russian threat activity against organizations in at least 17 European countries and some in the Americas between January and mid-February this year.
“While these actions are most likely intended to boost intelligence collection against organizations providing political and material support to Ukraine, they could also, if directed, inform destructive operations,” it argued.
At the same time, Russian operatives have been continuing to wage an information war against Ukraine and its allies. They have been stoking fears that Moldova could be next in line for invasion, with the government there even accusing Moscow of plotting to overthrow the current pro-EU administration.
A “hack-and-leak” operation targeting Moldovan politicians is also aimed at sowing distrust between Europeans and their governments, Microsoft warned.