Showing posts with label APT.

Monday, 30 June 2025

The Attribution Story of WhisperGate: An Academic Perspective


I'm excited to share that Anders Carlsson and I will be presenting our talk, "The Attribution Story of WhisperGate: An Academic Perspective," at the VB2025 conference in Berlin, 24–26 September 2025. 🤓 

In this talk, we'll explore how AI/GenAI can assist in tackling the complex challenge of cyberattack attribution, using the WhisperGate incident as a case study.

WhisperGate is a destructive malware campaign executed on 13 January 2022 against Ukrainian government infrastructure. CrowdStrike attributed it on 30 March 2022 to a Russian state-sponsored threat actor that it explicitly linked to the Ember Bear group [1], and Microsoft attributed it to Cadet Blizzard in April 2022 [2]. Both were associated with Russia's Main Intelligence Directorate of the General Staff (GRU). These APT group(s) had not been observed before, and it was unclear which GRU unit the campaign belonged to. ESET, for its part, attributed the majority of wiper attacks against Ukraine in 2022 to Sandworm, another GRU-associated APT group (Unit 74455) [3], "with varying degrees of confidence" [4].

Only two years later, in September 2024, a federal grand jury in Maryland unsealed a superseding indictment [5] against five members of GRU's Unit 29155 (a.k.a. Ember Bear) and Amin Stigal, a Russian civilian who had already been charged in June 2024 [6], for the WhisperGate cyber operation [7] against Ukrainian government services and Ukraine's allies in the US and Europe, at least 26 NATO countries. It was the first time GRU's Unit 29155 had been named as a cyber actor.

According to Bellingcat [8], this unit is known for assassination and sabotage operations abroad rather than for cyberattacks. Its operations include the Salisbury poisonings, a failed attempt to assassinate Sergei Skripal, a former Russian military officer and double agent for British intelligence, using a nerve agent. The attack, which also poisoned his daughter Yulia, took place in Salisbury, England, on 4 March 2018 [9].

Now that WhisperGate's attribution is well-established, we can retrospectively apply and compare different attribution approaches – manual analysis, traditional supervised machine learning classification, and LLM-powered attribution – to evaluate their effectiveness and determine which categories of Indicators of Compromise (IoCs) have the most significant impact on correct attribution decisions.


References

[1] https://www.crowdstrike.com/blog/who-is-ember-bear/

[2] https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/

[3] https://attack.mitre.org/groups/G0034/

[4] https://www.welivesecurity.com/2023/02/24/year-wiper-attacks-ukraine/

[5] https://www.justice.gov/opa/pr/five-russian-gru-officers-and-one-civilian-charged-conspiring-hack-ukrainian-government

[6] https://thehackernews.com/2024/06/russian-national-indicted-for-cyber.html

[7] https://www.nioguard.com/2022/01/analysis-of-whispergate.html

[8] https://www.bellingcat.com/news/uk-and-europe/2021/04/26/how-gru-sabotage-and-assassination-operations-in-czechia-and-bulgaria-sought-to-undermine-ukraine/

[9] https://en.wikipedia.org/wiki/Poisoning_of_Sergei_and_Yulia_Skripal

Wednesday, 26 January 2022

Analysis of WhisperGate


Summary of the attack

  • Name: WhisperGate

  • Discovered in January 2022

  • Used in a targeted attack against Ukrainian government websites on 14 January 2022

  • Overwrites file contents with a fixed number of bytes

  • Rewrites the MBR, corrupts victims’ files, and downloads and drops its own files

  • Corrupted files have a random 4-byte extension

  • Comes in two stages: a PE64 executable written in C++ and a .NET application with fake digital signatures

  • The third stage is a .NET DLL, which is downloaded at runtime


by Denis Popov and Alexander Adamov

Tuesday, 6 June 2017

Chthonic Trojan is back in nation-state cyberattack against Ukraine

Recently, we discovered a nation-state cyberattack against a government institution in Ukraine.
The attackers sent a spear-phishing email containing an archived JavaScript file that downloads and executes the Chthonic backdoor, a member of the Zeus family.

Tuesday, 2 May 2017

Targeted attack against the Ukrainian military

One more targeted attack against Ukraine used spear phishing to deliver the DarkTrack backdoor through a fake prescription from the Minister of Defense of Ukraine. The target was a CERT in the military domain.


Wednesday, 15 February 2017

Targeted Attack on the National Police of Ukraine


According to an .eml file uploaded to VirusTotal today, unknown actors attempted a targeted attack on the National Police of Ukraine.

The email (MD5: bec01fe3b14b3da507a6a4c5c698e8ed) was sent to admin@police.gov.ua a week ago, with a fake login page attached as an HTML file (MD5: 5dca48afe347db9e9f9cab9c824c122d).

Thursday, 12 January 2012

List of Services

We are a security research team of skilled malware analysts located in Ukraine, with 10+ years' experience in the antivirus industry.

We deliver:
  • Threat intelligence data (Yara rules, Network IoCs, IDS/IPS rules, C&C links, others)
  • Malware analysis reports
  • Machine learning algorithms to detect 0-day threats
We provide security services and solutions:
  • Malware analysis 24/7 including APT and ransomware
  • Security testing of security products
We teach:
  • Advanced Malware Analysis course (a 7.5 ECTS university course within an EU master's programme in cybersecurity)
  • Reverse engineering (x86, ARM)
  • Threat hunting
  • Threat modeling
  • Cloud security
  • Incident response
  • Machine learning in cybersecurity
We were acknowledged by:
  • Microsoft for the analysis of:
    • MS10-061 Print Spooler Service (Stuxnet 0-day) Vulnerability (CVE-2010-2729)
    • MS10-073 Win32k Keyboard Layout Vulnerability (CVE-2010-2743)
    • MS10-092 Task Scheduler Vulnerability (CVE-2010-3338)
Publications:
  1. A. Adamov, V. Hahanov. A security model of individual cyberspace // Proc. of IEEE EWDTS, September 19–20, 2011, Sevastopol. – P. 169–172.
  2. A. Adamov, A. Saprykin. Analysis and Detection of Polymorphic Spyware // Hakin9 Magazine, Vol. 8, No. 01, Issue 01/2013 (61), ISSN 1733-7186. – P. 6–11.
  3. A. Adamov, V. Hahanov, A. Carlsson. Discovering New Indicators for Botnet Traffic Detection // Proc. of IEEE EWDTS, September 26–29, 2014, Kiev, Ukraine. – P. 281–285.
  4. A. S. Adamov, V. I. Hahanov. Method of attribute-based URL recognition using frequency patterns // Bulletin of the State Engineering University of Armenia, Yerevan, 2014, Issue 17, No. 2. – P. 59–66 (UDC 681.326: 519.713).
  5. V. Hahanov, S. Chumachenko, E. Litvinova, A. Adamov et al. Structures for information retrieval in big data // Proc. of the 13th International Conference on the Experience of Designing and Application of CAD Systems in Microelectronics (CADSM'2015), Lviv, Ukraine, 2015. – P. 70–75.
  6. A. Adamov, A. Carlsson. A Sandboxing Method to Protect Cloud Cyberspace // Proc. of IEEE EWDTS, September 27–30, 2015, Batumi, Georgia. – P. 180–183.
  7. A. Adamov. Android Ransomware: Turning CryptoLocker into CryptoUnlocker // Proc. of the 25th Virus Bulletin International Conference, Prague, Czech Republic, 30 Sep – 2 Oct 2015. – P. 220–223.
  8. A. Adamov. Detecting targeted attacks in the cloud // OpenStack Summit, Vancouver, Canada, 18–22 May 2015.
  9. A. Adamov, D. Lambright. Using Open Source Security Architecture to Defend against Targeted Attacks // OpenStack Summit, Austin, TX, US, April 25–29, 2016.
  10. A. Adamov, A. Carlsson. Cloud incident response model // Proc. of IEEE EWDTS, October 14–17, 2016, Yerevan, Armenia. – P. 250–253.
  11. A. Adamov, A. Carlsson. The State of Ransomware. Trends and Mitigation Techniques // Proc. of IEEE East-West Design & Test Symposium (EWDTS’2017), Sep 29 – Oct 2, 2017, Belgrade, Serbia. – P. 121–128.
  12. A. Adamov, A. Carlsson. Battlefield Ukraine: finding patterns behind summer cyber attacks // Proc. of the 27th Virus Bulletin International Conference, Madrid, Spain, 4–6 Oct 2017, Appendix: Last-minute presentations. – P. 4–5.
and others.

Find more in Google Scholar, Scopus, and IEEE Xplore.



Contact us: ada@nioguard.com