CISA, FBI warns of ‘destructive malware’ targeting Ukrainian organizations

The U.S. security agencies on Saturday issued a joint cybersecurity advisory (CSA) warning of threat actors deploying ‘destructive malware’ against Ukrainian organizations. The actors have sought to destroy computer systems and render them inoperable in the wake of the Russian attack on Ukraine. The advisory describes the WhisperGate and HermeticWiper malware and lists open-source indicators of compromise (IOCs) that organizations can use to detect and block them.

“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data,” the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) wrote in their advisory. “Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event,” it added.

“Now that Russia has actually invaded Ukraine, WaterISAC has been on high alert for unusual cyber activity,” the Water Information Sharing and Analysis Center (WaterISAC), wrote in a separate alert to the water and wastewater sector, on Saturday. “At this time, no incidents have been reported in the U.S., but Russia is being blamed for destructive attacks against Ukraine banks and government departments. WaterISAC recommends members review the advisory and take the appropriate actions to prevent and mitigate attacks that may occur against their networks,” it added.

“The HermeticWiper was apparently deployed and installed in Ukraine, but due to the network architecture, and the policy that was embedded in the execution instructions, the malware spreads wherever the network has connections,” Chris Krebs, partner at Krebs Stamos Group and former CISA director, told TIME magazine in an interview on Saturday.

Last week, cybersecurity researchers disclosed that the HermeticWiper malware was being used against organizations in Ukraine. Slovakia-based cybersecurity company ESET Research Labs said on Wednesday that it had detected a new piece of data-wiping malware on systems in Ukraine. “ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today,” it wrote in a Twitter message.

ESET said large organizations had been affected, while Symantec’s threat intelligence team said the malware had hit Ukrainian government contractors in Latvia and Lithuania as well as a financial institution in Ukraine. ESET named the malware HermeticWiper; it renders computers inoperable by corrupting the boot record so that they can no longer start.

According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record, which results in subsequent boot failure, and is ‘actively being used against Ukrainian organizations.’

“We started analyzing this new wiper malware, calling it ‘HermeticWiper’ in reference to the digital certificate used to sign the sample,” Juan Andrés, principal threat researcher at SentinelOne, wrote in a company blog. “The digital certificate is issued under the company name ‘Hermetica Digital Ltd’ and valid as of April 2021. At this time, we haven’t seen any legitimate files signed with this certificate. It’s possible that the attackers used a shell company or appropriated a defunct company to issue this digital certificate,” he added.

After a week of defacements and increasing DDoS attacks, the proliferation of sabotage operations through wiper malware is an expected and regrettable escalation, Andrés added. “At this time, we have a very small sliver of aperture into the attacks in Ukraine and subsequent spillover into neighboring countries and allies,” he added.

In the case of WhisperGate, the Microsoft Threat Intelligence Center (MSTIC) found evidence last month of destructive malware targeting multiple organizations in Ukraine. The malware operates in two stages: the first overwrites the system’s master boot record and displays a fake ransomware note, and the second overwrites files with certain extensions, destroying their contents rather than encrypting them.

“This malware first appeared on victim systems in Ukraine on January 13, 2022,” Microsoft researchers wrote in a blog post at the time. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine, the researchers said. “We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting,” they added.
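Both HermeticWiper and WhisperGate are described above as corrupting the master boot record (MBR) so that the machine no longer boots. The following script is an added example, not code from the CISA/FBI advisory or from any of the vendors quoted here: it parses a raw 512-byte MBR image, flags the kinds of damage a wiper leaves behind (missing 0x55AA boot signature, zeroed bootstrap area, emptied or nonsensical partition table) and compares the sector against a hash recorded while the host was known-good. The sample MBRs are constructed stand-ins, not captured from a real system or from either malware family.

```python
"""Check a raw MBR sector for signs of wiper tampering.

Added example; not part of the CISA/FBI advisory. Sample sectors below are constructed.
"""
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# Partition entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PARTITION_ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, disk signature, partition table and boot signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba_start, sectors = PARTITION_ENTRY.unpack(mbr[off:off + 16])
        partitions.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap": mbr[:440],
        "disk_signature": mbr[440:444],
        "partitions": partitions,
        "signature": mbr[510:512],
        "sha256": hashlib.sha256(mbr).hexdigest(),
    }


def assess_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the sector looks intact."""
    info = parse_mbr(mbr)
    findings = []
    if info["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not any(info["bootstrap"]):  # every byte of the loader area is zero
        findings.append("bootstrap code area is all zeros")
    used = [p for p in info["partitions"] if p["type"] != 0]
    if not used:
        findings.append("partition table has no entries")
    for idx, p in enumerate(used):
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {idx} has zero start or length")
        if p["status"] not in (0x00, 0x80):  # only inactive/active are valid status bytes
            findings.append(f"partition {idx} has invalid status byte 0x{p['status']:02x}")
    if baseline_sha256 is not None and info["sha256"] != baseline_sha256:
        findings.append("MBR differs from recorded baseline")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device, e.g. r'\\\\.\\PhysicalDrive0' on Windows or '/dev/sda' on Linux.

    Requires administrator/root privileges; read-only access is sufficient.
    """
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed stand-in for a healthy MBR (hypothetical bytes, not a real boot loader)."""
    bootstrap = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 435          # 440 bytes of 'loader'
    disk_sig = b"\x12\x34\x56\x78"
    reserved = b"\x00\x00"
    part1 = PARTITION_ENTRY.pack(0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = part1 + b"\x00" * 48                                 # three unused entries
    return bootstrap + disk_sig + reserved + table + BOOT_SIGNATURE


GOOD_MBR = build_sample_mbr()
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()                  # hash recorded on a known-good host
ZEROED_MBR = b"\x00" * MBR_SIZE                                   # constructed: sector wiped to zeros
OVERWRITTEN_MBR = bytes((i * 37 + 11) & 0xFF for i in range(MBR_SIZE))  # constructed: sector overwritten with junk

if __name__ == "__main__":
    for name, sample in (("good", GOOD_MBR), ("zeroed", ZEROED_MBR), ("overwritten", OVERWRITTEN_MBR)):
        print(name, assess_mbr(sample, BASELINE) or ["no findings"])
```

Record the baseline hash while the host is trusted and store it off-box; a wiper that has already run can also be expected to have damaged more than the first sector, so a clean MBR is necessary but not sufficient evidence that a disk is intact.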

In January, CISA called on organizations to implement cybersecurity measures against potential critical threats, following reports of the WhisperGate malware wiping data from Ukrainian computers in a coordinated attack. Operators of industrial control systems and operational technology (OT) were directed by the agency to test manual controls to ensure that critical functions remain operable if the organization’s network becomes unavailable or untrusted.

The latest CSA repeats that destructive malware can pose a direct threat to an organization’s daily operations by affecting the availability of critical assets and data, and that organizations should increase vigilance and evaluate their planning, preparation, detection, and response capabilities. It focuses in particular on malware that uses enterprise-scale distributed propagation methods, and offers guidance and considerations for organizations to address in their network architecture, security baseline, continuous monitoring, and incident response practices.

“While enterprise assets often offer a treasure of data to common bad actors seeking to monetize cybersecurity vulnerabilities, geopolitical actors have been learning and gathering intel across operational and critical infrastructure targets for years,” Barika Pace, Gartner’s senior research director, wrote in a company blog post. “If a cyberattack is imminent, your efforts will need to span a variety of assets quickly to avoid disruption,” she added.

In the aftermath of ransomware attacks last year, “we’ve seen a significant increase in cybersecurity awareness and improvement prevention services. After Colonial last summer, I got a lot more interest from executives and boards,” Krebs said. “But we have to continue making cybersecurity a business risk management priority. We need boards of directors and executives right now, in this very moment, to talk to their information security department and their chief information security officers, ask them what support they need, what more the organization needs to do to be secure. We can’t pretend that it’s business as usual right now,” he added.

The destructive-malware warning was preceded by another alert on a group of Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater. The group is said to have targeted government and private-sector organizations across sectors, including telecommunications, defense, local government, and oil and natural gas, in Asia, Africa, Europe, and North America.

CISA has also warned critical infrastructure operators about foreign influence operations intended to shape public opinion, undermine trust, amplify division, and sow discord. It has further issued a ‘Shields Up’ alert notifying every organization in the country of the potential for cyber threats that could disrupt essential services and affect public safety.
