Microsoft said late Saturday that it had identified dozens of computer networks at Ukrainian government agencies and organizations infected with destructive malware disguised as ransomware.
The malware targets multiple organizations in Ukraine, including government agencies that provide critical executive branch or emergency response functions, and is designed to make computers inoperable if activated by an attacker, Microsoft said.
"Our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues," Microsoft said in a blog post Saturday. "These systems span multiple government, non-profit and information technology organizations, all based in Ukraine."
The operation was detected on Thursday, Microsoft said, coinciding with a massive cyberattack that simultaneously defaced dozens of Ukrainian government sites with a message warning Ukrainians to "be afraid and expect the worst."
Microsoft's announcement comes amid rising tensions with Russia after Moscow amassed about 100,000 troops near its border with Ukraine, prompting fears of an attack.
A Ukrainian security official told Reuters on Saturday that the government believes hacker groups linked to Russia's intelligence services carried out the cyberattack on government websites. Moscow has repeatedly denied involvement in cyberattacks against Ukraine.
In 2017, the Russian military was blamed for the massive NotPetya ransomware attack, which targeted government, financial and energy institutions in Ukraine and caused more than $10 billion in damages worldwide. The US said the attack, which it called "most destructive and costly cyber-attack in history," was part of the Kremlin's efforts to destabilize Ukraine.
The malware "executes when an associated device is powered down," Microsoft said, a typical initial response to a ransomware infection to prevent it from spreading further. Microsoft said it was unable to assess the intent of the destructive activity or identify unique characteristics that link it to known threat actors.