Hackers Were in Ukraine Systems Months Before Deploying Wiper

submitted by
Style Pass
2022-01-23 23:30:03

The hackers who breached Ukrainian government systems and installed a wiper on some of them were in the systems months before dropping their malicious code onto the networks, according to researchers with Cisco’s Talos Intelligence Group.

The researchers found indicators of compromise — artifacts that tell investigators when and how attackers breached a system — which revealed that the intruders were in the networks late last summer. But the intruders waited until months later to deposit a wiper on those same systems, which Microsoft discovered last week.

Matthew Olney, director of threat intelligence and interdiction at Cisco, didn’t say when the wiper was deposited on systems. But the wiper’s components were only compiled a few days before they were discovered on systems last week. The compilation date is visible in the code. Compilation is when the source code that a programmer writes is turned into binary code that a machine can read.
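As an added illustration (not from the article or from Talos), the sketch below reads the build timestamp a compiler records in a binary's header and compares it with a discovery time. It assumes the Windows PE format, which the article does not name; the function names, the header-only sample image and all dates are constructed for the example. The field can be altered or zeroed after the build, so investigators treat it as a lead to corroborate rather than as proof.

```python
import struct
from datetime import datetime, timezone

def pe_compile_time(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as UTC, or None if it is zero."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    if stamp == 0:
        return None  # stripped or deterministic build: no date to read
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def build_sample(stamp: int) -> bytes:
    """Constructed header-only image (DOS stub + signature + COFF header)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

def triage(data: bytes, found_at: datetime) -> str:
    """Relate the recorded build time to the time the file was discovered."""
    built = pe_compile_time(data)
    if built is None:
        return "no-timestamp"
    if built > found_at:
        # A build date later than discovery means the field is not trustworthy.
        return "implausible: compiled after discovery"
    return f"compiled {(found_at - built).days} days before discovery"

if __name__ == "__main__":
    # Constructed dates, unrelated to the incident in the article.
    built = int(datetime(2020, 3, 1, 12, 0, tzinfo=timezone.utc).timestamp())
    found = datetime(2020, 3, 5, 0, 0, tzinfo=timezone.utc)
    print(pe_compile_time(build_sample(built)))
    print(triage(build_sample(built), found))
```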

The wiper erased seven workstations at one government agency in Ukraine and a combination of workstations and servers at another agency. The websites of the same two agencies were also defaced in operations that investigators now believe were coordinated.
