UPDATED 21:17 EDT / FEBRUARY 28 2022

SECURITY

New ‘FoxBlade’ malware used to target Ukraine before invasion

Microsoft Corp. today detailed a new form of malware that was used against targets in Ukraine in the hours before the start of the Russian invasion.

Dubbed “FoxBlade” by researchers at the Microsoft Threat Intelligence Center, the malware is described in a Feb. 23 notice as a Trojan that can use computers for distributed denial-of-service attacks without the owners’ knowledge.

In a blog post today, Microsoft President and Vice Chair Brad Smith said that the malware is being used for offensive and destructive cyberattacks against Ukraine’s digital infrastructure.

“These recent and ongoing cyberattacks have been precisely targeted and we have not seen the use of the indiscriminate malware technology that spread across Ukraine’s economy and beyond its borders in the 2017 NotPetya attack,” Smith wrote. “But we remain especially concerned about recent cyberattacks on Ukrainian civilian digital targets, including the financial sector, agriculture sector, emergency response services, humanitarian aid efforts and energy sector organizations and enterprises.”

The FoxBlade attacks were not the only cyber surprise to emerge from Russia. A joint cyber alert from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has warned of two other new forms of malware being used against organizations in Ukraine.

The first, WhisperGate, was also discovered by researchers at Microsoft and is intended to be destructive, rendering targeted devices inoperable. The second, HermeticWiper, was discovered by researchers at SentinelOne Inc. and targets Windows devices. HermeticWiper manipulates the master boot record, resulting in a boot failure.

“It makes sense that Microsoft would observe an increase of cyberattacks targeting Ukraine in these last few days,” Hank Schless, senior manager of security solutions at the security company Lookout Inc., told SiliconANGLE. “Even before the Russians invaded, there were a couple of attacks that seemed like tests before more advanced ones were launched. While there’s very little that’s been shared about FoxBlade, it sounds like Microsoft is suggesting that the actors behind its development created it for the purpose of targeting critical infrastructure in Ukraine.”

Schless added that there have also been reports of phishing campaigns targeting Ukrainians on social media platforms. “When there’s a level of uncertainty about something going on in the world, phishing can be one of the most effective tactics for attackers to use,” Schless explained. “Threat actors leverage our innate need for information against us by executing phishing campaigns across SMS, email, third party message platforms, and social media apps in particular.”

Nathan Einwechter, director of security research at cybersecurity company Vectra AI Inc., emphasized that FoxBlade is a malicious Trojan installed on systems to enable DDoS attacks.

“This means that the malware isn’t deployed within the target environments, but instead installed on as many targets of opportunities as possible,” Einwechter said. “Once enough systems are under their control, the infected machines can be collectively controlled to knock the actual target, in other words Ukrainian critical infrastructure, off the internet by flooding their public network connections with more traffic than they can handle.”

That’s an important distinction, he added, since it means that any individual or company may be a target of infection by FoxBlade and, consequently, used unwittingly to degrade internet access within Ukraine or other targets of Russian interest.

Photo: Max Pixel
