Malicious Cyber Incidents in Ukraine | February 2022

The outbreak of war in Ukraine has resulted in targeted cyber attacks by Russia against Ukraine. This has increased concerns over potential collateral damage from future cyber attacks. Here's what you need to know.

Updated: March 23, 2022

Background

Russia's invasion of Ukraine included a hybrid warfare model that involved a variety of cyber attacks against public and private sector organizations in Ukraine. In January 2022, Ukrainian government websites were defaced in tandem with destructive malware, disguised as ransomware, that targeted Ukrainian government, non-profit, and technology companies. In February 2022, Ukrainian military and financial websites were taken offline by a distributed denial of service (DDoS) attack. Future attacks could spill over into other countries as collateral damage. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) strongly urges organizations with any Ukrainian subsidiaries or entities to be on alert for malicious cyber activity due to escalating geopolitical activity.

CISA noted that the presence of destructive malware is alarming given past attacks like NotPetya and WannaCry, which caused widespread disruption and damage well beyond the borders of Ukraine. Ukrainian authorities have also warned that they have seen online indications that hackers were preparing to launch major attacks on government agencies, banks and the defense sector.

Timeline of Some Cyber Events Related to the War

January 13th: Microsoft investigation teams identified destructive wiper malware, known as WhisperGate, that targeted Ukrainian systems, including government, non-profit and information technology organizations. The wiper's primary objective is to render impacted systems inoperable with no path to recovering data. This is reminiscent of the NotPetya malware of 2017.

February 15th: A distributed denial-of-service (DDoS) attack, in which large amounts of traffic are sent to a target to disrupt normal system operations, hit military and financial institutions in Ukraine; it was the largest DDoS attack in the country's history. Russia also conducted disinformation campaigns against Ukrainians: users of Privatbank received fake text messages claiming that the bank's ATMs were no longer working.

February 23rd: Additional DDoS attacks targeted Ukrainian government bodies, and a new strain of destructive malware known as HermeticWiper hit additional organizations. ESET researchers also uncovered a worm (dubbed HermeticWizard) used to spread HermeticWiper across compromised networks via SMB and WMI. These are the first indications of worm-like capabilities in the destructive malware targeting Ukrainian organizations. ESET also observed HermeticRansom deployed alongside the wiper malware.

February 24th: ESET researchers uncovered another new wiper, which they named IsaacWiper, used to attack a Ukrainian governmental network.

March 1st: The CrowdStrike Intelligence Team posted instructions on how to decrypt HermeticRansom.

March 1st: Cyber threat actors are taking sides (or declaring neutrality), and with that has come leaked information. Krebs on Security has dedicated recent blog posts to the Conti leak, which reveals some of the inner workings of the notorious ransomware group.

March 17th: Open-source "protestware" projects are appearing on GitHub; they alter project code to display pro-Ukraine messages or facts about the war to users. Most of the code available is relatively harmless; however, at least one project was observed to have a new component designed to wipe all files from any system connecting from a Russian or Belarusian IP address.

Ongoing: There are reports of continuing cyber attacks against Ukraine, including disinformation, DDoS, and further use of wiper malware. It has also become increasingly difficult for companies to manage assets in Russia because of sanctions.

What This Means For Your Organization

For most organizations, there's no cause for urgent concern. The United States government has said that there are currently no credible threats to businesses in the country, but advises organizations to remain mindful of potential attacks, especially ransomware, and to keep their cyber shields up. In many cases, companies likely to be targeted would be strategic to national security or have "national significance," as New Zealand's cyber security agency highlighted.

For organizations with business operations or third-party vendors that touch Ukraine or Russia, additional precautions should be taken. We recommend that you confirm the following:

  • If you are working with Ukrainian or Russian organizations, segment network access between those systems and all other systems so that traffic from the Ukrainian or Russian systems cannot reach the rest of your network.
  • Review the security controls of the Ukrainian or Russian systems and monitor them for suspicious activity. Consider migrating any on-premises services to cloud services for better resiliency.
  • If you have contractors based in Ukraine or Russia, ensure their endpoints are secured and limit their access to your critical systems.
  • Work with your key third-party providers to ensure they do not have dependent systems or services hosted in Ukraine or Russia. If they do, ask what measures they're taking to minimize the risk of attack and disruption.

Next Steps for All Organizations

We encourage your organization to take the following steps to mitigate potential attacks:

  1. Shields Up. CISA recommends that all organizations put their cyber "Shields Up," so to speak: reduce the likelihood of attack, detect malicious activity, respond effectively, and maximize resilience. CISA has laid out dozens of free tools and services to help your organization do all of the above, whether that is personnel training for phishing attacks or tools to detect suspicious activity. You can find the full list of free services in Shields Up, or directly linked here.
  2. Train users to recognize phishing and to avoid clicking on suspicious links or attachments.
  3. Ensure Endpoint Detection and Response (EDR) technology is deployed throughout your organization, especially on critical systems. If you have not yet invested in an EDR solution, we have free trials and discounts with two industry-leading solutions, SentinelOne and CrowdStrike. Both partners have top-notch threat intelligence feeding into their products, and have already updated their solutions to identify recent Russian destructive malware.
  4. Confirm your backups have been recently tested, are working as expected, and are protected.
  5. Ensure systems are being monitored for any suspicious activity.
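Step 4 asks you to confirm that backups are recent, intact and actually restorable. The script below is an added example written for this page (it is not Corvus code or any vendor's tool) of what "tested" should mean in practice: it records a SHA-256 manifest when the backup is taken, then verifies the archive hash, the backup age, and a full restore into scratch space against the manifest. The archive layout, the manifest format and the seven-day freshness limit are assumptions chosen for illustration; the sample data is constructed.

```python
"""Backup integrity and restore check (added example, not from the advisory).

create_backup()  writes <dest>/backup.tar.gz plus manifest.json holding the
                 SHA-256 of the archive and of every file inside it.
verify_backup()  checks archive hash, freshness, and performs a trial restore
                 whose files are compared hash-by-hash against the manifest.
All names, formats and thresholds are assumptions for illustration.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large archives don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir, dest_dir):
    """Archive src_dir into dest_dir and write a manifest of file hashes."""
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                files[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest = {"created": time.time(), "archive_sha256": sha256_file(archive), "files": files}
    manifest_path = dest_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def verify_backup(archive, manifest_path, max_age_days=7):
    """Return a dict of named checks; 'passed' is True only if every check holds."""
    manifest = json.loads(Path(manifest_path).read_text())
    results = {
        "archive_intact": sha256_file(archive) == manifest["archive_sha256"],
        "recent": (time.time() - manifest["created"]) <= max_age_days * 86400,
    }
    restore_ok = False
    if results["archive_intact"]:  # never unpack an archive whose hash is wrong
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # safe-extraction filter (Python >= 3.12 / backports)
                except TypeError:
                    tar.extractall(scratch)  # older interpreters without the filter argument
            restore_ok = all(
                (Path(scratch) / rel).is_file() and sha256_file(Path(scratch) / rel) == digest
                for rel, digest in manifest["files"].items()
            )
    results["restore_ok"] = restore_ok
    results["passed"] = all(results.values())
    return results


def demo():
    """Build a constructed sample backup, verify it, then verify a tampered copy."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n")          # constructed sample data
        (src / "notes" / "readme.txt").write_text("constructed sample\n")
        archive, manifest = create_backup(src, Path(work) / "backups")
        clean = verify_backup(archive, manifest)
        with open(archive, "ab") as f:  # simulate corruption or tampering of the stored archive
            f.write(b"\x00")
        tampered = verify_backup(archive, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup:", clean)
    print("tampered backup:", tampered)
```

The manifest is only as trustworthy as where it is stored: keep it (or at least the archive hash) on media the backup host cannot overwrite, otherwise a wiper or ransomware operator with access to the backup share can rewrite both together.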
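Step 5 is most useful when "suspicious activity" is made concrete. The timeline above notes that HermeticWizard spread HermeticWiper across networks over SMB and WMI; from the defender's side that looks like one host suddenly opening connections to many distinct internal peers on TCP 445 (SMB) and TCP 135 (the RPC endpoint mapper used by WMI/DCOM). The detector below is an added example written for this page, not code from Corvus, ESET or any EDR vendor. It runs a sliding window over connection logs and flags any source that fans out to a threshold number of distinct targets on those ports. The log format, the 60-second window, the threshold of five targets and the sample lines are all constructed assumptions.

```python
"""Worm-like SMB/WMI fan-out detector (added example, not from the advisory).

Input: connection-log lines "<ISO timestamp> <src> <dst> <dport> <proto>".
A source that reaches >= THRESHOLD distinct destinations on TCP 445 or 135
inside WINDOW is reported. Format, ports, thresholds and the sample log are
assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ports associated with the lateral-movement channels named in the timeline.
LATERAL_PORTS = {445: "SMB", 135: "RPC/WMI"}
THRESHOLD = 5
WINDOW = timedelta(seconds=60)

# Constructed sample log: 10.0.1.20 fans out to six peers in five seconds;
# 10.0.1.30 is ordinary file-share use (two targets, minutes apart).
SAMPLE_LOG = """\
2022-02-23T15:00:01 10.0.1.20 10.0.1.5 445 tcp
2022-02-23T15:00:02 10.0.1.20 10.0.1.6 445 tcp
2022-02-23T15:00:02 10.0.1.20 10.0.1.7 135 tcp
2022-02-23T15:00:03 10.0.1.20 10.0.1.8 445 tcp
2022-02-23T15:00:03 10.0.1.20 10.0.1.9 135 tcp
2022-02-23T15:00:04 10.0.1.20 10.0.1.10 445 tcp
2022-02-23T15:00:05 10.0.1.30 10.0.1.5 443 tcp
2022-02-23T15:00:06 10.0.1.30 10.0.1.5 445 tcp
2022-02-23T15:05:00 10.0.1.30 10.0.1.6 445 tcp
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def detect_fan_out(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source that fans out to >= threshold targets within window."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)  # src -> deque of (ts, dst, dport) inside the window
    alerts = {}                  # src -> alert dict (updated as the burst continues)
    for ts, src, dst, dport, proto in events:
        if proto != "tcp" or dport not in LATERAL_PORTS:
            continue  # only SMB / RPC traffic is relevant to this detector
        q = recent[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that have aged out of the window
        targets = {d for _, d, _ in q}
        if len(targets) >= threshold:
            alert = alerts.setdefault(src, {
                "src": src,
                "first_seen": q[0][0].isoformat(),
                "distinct_targets": 0,
                "services": set(),
            })
            alert["last_seen"] = ts.isoformat()
            alert["distinct_targets"] = max(alert["distinct_targets"], len(targets))
            alert["services"] = {LATERAL_PORTS[p] for _, _, p in q}
    return list(alerts.values())


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_fan_out(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ALERT {alert['src']}: {alert['distinct_targets']} internal targets "
              f"via {sorted(alert['services'])} between {alert['first_seen']} and {alert['last_seen']}")
```

Tune the threshold to what your environment's file servers and management hosts normally do (a backup server or SCCM distribution point legitimately talks to many peers on 445), and exclude those sources explicitly rather than raising the threshold for everyone, so a workstation that starts behaving like a server still stands out.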

Resources

If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!