WhisperGate wiper attack
On the eve of Russia's invasion, a destructive wiper disguised as ransomware corrupted master boot records and files across dozens of Ukrainian government, IT and non-profit organisations, defacing official websites and signalling the cyber dimension of the coming war.
- Victim: Ukrainian government, IT and non-profit organisations
On 13 January 2022, six weeks before Russia's full-scale invasion, a destructive malware called WhisperGate struck dozens of Ukrainian government, IT and non-profit organisations. Disguised as ransomware but built only to destroy, it became one of the opening cyber salvos of the war.
What happened
WhisperGate was a multi-stage master-boot-record (MBR) wiper. The first stage overwrote the MBR of infected machines with a fake ransom note demanding $10,000 in Bitcoin, but the malware had no recovery mechanism, making the "ransom" a deception. Later stages, staged from a Discord CDN link, downloaded a file-corrupter that searched for 191 file extensions and overwrote their contents with fixed data, rendering documents and systems unrecoverable.
In parallel, attackers defaced around 70 Ukrainian government websites, including those of the Cabinet of Ministers, the Ministry of Foreign Affairs, the State Treasury and the Diia e-government portal, posting threatening messages telling Ukrainians to "be afraid and expect the worst."
Impact
- Dozens of Ukrainian organisations across government, IT and non-profit sectors had systems wiped or corrupted.
- Around 70 government websites were defaced or knocked offline in the coordinated operation.
- Because WhisperGate masqueraded as ransomware, initial triage risked misclassifying it; in reality recovery required full rebuilds from backup, not decryption.
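The MBR overwrite described under "What happened" leaves a structural trace that triage can check on sector 0 of a forensic disk image. The sketch below is an added example, not code from the cited sources; the heuristics, the text-run threshold and both sample sectors are assumptions constructed for illustration and are not derived from WhisperGate samples.

```python
import struct

SECTOR_SIZE, PT_OFFSET, BOOT_SIG = 512, 446, b"\x55\xaa"  # classic MBR layout

def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII bytes."""
    best = run = 0
    for b in data:
        run = run + 1 if 0x20 <= b <= 0x7E else 0
        best = max(best, run)
    return best

def parse_partitions(sector: bytes) -> list:
    """Return the non-empty entries of the four-slot partition table."""
    parts = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # type byte 0 marks an unused slot
            parts.append({"status": entry[0], "lba_start": lba_start, "sectors": count})
    return parts

def triage_mbr(sector: bytes, text_run_threshold: int = 48) -> list:
    """List structural anomalies; the threshold is an assumed heuristic."""
    if len(sector) != SECTOR_SIZE:
        return ["not a 512-byte sector"]
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(sector)
    if not parts:
        findings.append("no partition entries")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("invalid partition status byte")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition with zero start or length")
    if longest_printable_run(sector[:PT_OFFSET]) >= text_run_threshold:
        findings.append("long text run in boot code area")
    return findings

def _sample(boot: bytes, table: bytes) -> bytes:
    """Assemble a 512-byte sector from boot-code bytes and table bytes."""
    return boot.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET] + table.ljust(64, b"\x00") + BOOT_SIG

# Constructed samples (not taken from any real disk or malware sample).
HEALTHY = _sample(bytes([0xFA, 0x33, 0xC0, 0x8E]) * 100,
                  struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1000000))
OVERWRITTEN = _sample(b"CONSTRUCTED SAMPLE TEXT standing in for a note written over the boot code", b"")
```

An empty partition table combined with a long text run in the boot-code area points to a destroyed boot sector, which means planning a rebuild from backup rather than waiting on a decryptor.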
Attribution
Microsoft initially tracked the operation as DEV-0586, later named Cadet Blizzard. In June 2023, the U.S. Department of Justice indicted Russian GRU officers (linked to Unit 29155) and civilian co-conspirators for the WhisperGate campaign, formally attributing it to Russian military intelligence. The operation was distinct from, though contemporaneous with, Sandworm's activity, reflecting multiple GRU units operating against Ukraine.
Why it matters
WhisperGate established the wiper-masquerading-as-ransomware playbook that would recur throughout the 2022 invasion, including the HermeticWiper and IsaacWiper strikes days before tanks crossed the border. It demonstrated that fake-ransomware framing could sow confusion and delay attribution while inflicting pure destruction. As an early warning of state-grade destructive malware, it prompted CISA's "Shields Up" guidance and a global re-examination of wiper resilience, backup integrity and incident-response assumptions for organisations far beyond Ukraine.
Timeline
Microsoft first observes the WhisperGate wiper deployed against Ukrainian organisations.
Around 70 Ukrainian government websites, including the Cabinet of Ministers, Foreign Ministry and Diia portal, are defaced or taken offline.
Microsoft publicly discloses the destructive malware, tracking the actor as DEV-0586.
Russia launches its full-scale invasion of Ukraine; WhisperGate is retrospectively seen as a precursor strike.
The U.S. Department of Justice indicts GRU officers and links WhisperGate to GRU Unit 29155.
Sources
- recordedfuture.com: https://www.recordedfuture.com/research/whispergate-malware-corrupts-computers-ukraine
- securityweek.com: https://www.securityweek.com/microsoft-uncovers-destructive-malware-used-ukraine-cyberattacks/
- helpnetsecurity.com: https://www.helpnetsecurity.com/2022/01/17/ukraine-wiper-malware/
- cfr.org: https://www.cfr.org/cyber-operations/targeting-of-ukrainian-government-and-information-technology-it-sector-systems-with-whispergate-malware