Russian ‘WhisperGate’ hackers are using new data-stealing malware to target Ukraine

Security researchers say they have recently observed a Russian hacking crew who were behind the destructive WhisperGate malware cyberattacks, targeting Ukrainian entities with a new information-stealing malware.

Symantec’s Threat Hunter Team has attributed this campaign to a Russia-linked cyber threat actor, widely known as TA471 (or UAC-0056), which has been active since early 2021. The group is known to support Russian government interests, and while it primarily targets Ukraine, the group has also been active against NATO member states in North America and Europe. TA471 has been linked to WhisperGate, a destructive data-wiping malware that was used in multiple cyberattacks against Ukrainian targets in January 2022. The malware masquerades as ransomware, but renders targeted devices completely inoperable and unable to recover files even if a ransom demand is paid.

According to Symantec, the hacking crew’s latest campaign relies on previously unseen information-stealing malware it calls “Graphiron” for targeting Ukrainian organizations. The malware was used to steal data from infected machines from October 2022 until at least mid-January 2023, according to the researchers, who add that it’s “reasonable to assume that it remains part of the [hackers’] toolkit.”

The info-stealing malware uses file names designed to masquerade as legitimate Microsoft Office files and is similar to other TA471 tools, such as GraphSteel and GrimPlant, which were previously used as part of a spear-phishing campaign specifically targeting Ukrainian state bodies. But Symantec says that Graphiron is designed to exfiltrate far more data, including screenshots and private SSH keys.

“That information could be useful in itself from an intelligence perspective, or it could be used to penetrate deeper into the targeted organization or to launch destructive attacks,” Dick O’Brien, principal intelligence analyst Symantec Threat Hunter Team, told TechCrunch.

O’Brien said that while little is known about the hacking crew’s origin or strategy, TA471 has become one of the key players in Russia’s ongoing cyber campaigns against Ukraine.

News of TA471’s latest espionage campaign comes days after the Ukrainian government sounded the alarm on another Russian state-sponsored hacking group, dubbed UAC-0010, which continues to conduct frequent cyberattack campaigns against Ukrainian organizations.

“Despite using mainly repeated sets of techniques and procedures, adversaries slowly but insistently evolve in their tactics and redevelop used malware variants to stay undetected,” said Ukraine’s State Cyber Protection Centre. “Therefore, it remains one of the key cyber threats facing organizations in our country.”