CISA warns ICS, OT operators in wake of WhisperGate malware attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced Tuesday that organizations must implement cybersecurity measures to protect against potential critical threats, following reports of the WhisperGate malware wiping data from Ukrainian computers in a coordinated attack. CISA directed users of industrial control systems (ICS) and operational technology (OT) to test manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.

The CISA warning comes in the wake of public and private entities in Ukraine suffering a series of malicious cyber incidents, including website defacement and private-sector reports of potentially destructive malware on their systems that could result in severe harm to critical functions, the agency wrote in its latest advisory. The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past, such as NotPetya and WannaCry ransomware, to cause significant, widespread damage to critical infrastructure, it added.

“Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety,” according to CISA. Over the past year, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple sectors of the economy. The advisory is intended to ensure that senior leaders at every organization in the U.S. are aware of critical cyber risks and take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise, it added. 

Approximately 70 Ukrainian government websites have recently been brought down by destructive malware masquerading as ransomware, Sapien Cyber researchers wrote in a blog post. “The cyber-attack coincides with the breakdown of diplomatic talks between the NATO alliance and Russia over Russia’s deployment of over 100,000 troops on its border with Ukraine,” it added.

As a supply chain attack, the activity appears to have originated with the breach of Ukrainian company Kitsoft, which “develops and implements digital technologies for state authorities and commercial organisations,” the post added. Sapien Cyber has found that the Kitsoft website was also offline. The Microsoft Threat Intelligence Center (MSTIC) has asserted that the known impacted assets are unlikely to represent the full scale of the attack.

The malware is being described as a ‘Master Boot Record (MBR) wipe’ with unique capabilities, but similar to malware used by groups tied to Russian intelligence, according to Serhiy Demedyuk, the Ukrainian deputy secretary of the national security and defence council. Ukrainian officials have also asserted that the recent attacks defacing government websites, attributed to UNC1151, were likely a diversionary tactic designed to draw attention away from the far more destructive DEV-0586 (WhisperGate) activity.

Microsoft had last week provided details of damaging malware attacks on Ukrainian organizations, in which the WhisperGate malware was used to overwrite the Master Boot Record and other files to render systems inoperable at several organizations in Ukraine.

The two-stage malware overwrites the MBR on victim systems with a ransom note containing a Bitcoin wallet and a Tox ID (a unique account identifier used in the Tox encrypted messaging protocol), neither of which MSTIC had previously observed, it added. The malware then executes when the associated device is powered down. Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransom note is a ruse: the malware destroys the MBR and the contents of the files it targets.

In the second stage, Stage2.exe acts as a downloader for the malicious file corrupter. Upon execution, stage2.exe retrieves the next-stage malware from a Discord channel, using a download link hardcoded in the downloader. Microsoft said that the next-stage malware can best be described as a malicious file corrupter. “Once executed in memory, the corrupter locates files in certain directories on the system with a hardcoded file extension,” it added.

Corruption of the MBR is commonly known as ‘bricking’, resulting in the affected machine being unable to power on or function normally, Sapien Cyber said in its post. In the case of the DEV-0586 or WhisperGate malware, the ransom note appears to be a ruse, as the MBR is overwritten rather than files being encrypted, as is seen in traditional ransomware, it added.
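The passages above describe the defining trait of this malware: the first sector of the disk is overwritten with note text rather than files being encrypted. The following Python is an added illustration, not code from the article, CISA, Microsoft, Sapien Cyber or Stairwell, of how a defender can baseline and re-check a 512-byte MBR: it parses the sector layout, compares a SHA-256 against a known-good value, and flags two generic symptoms of an overwrite (an emptied partition table and a boot-code region that is mostly printable text instead of machine code). Both sample sectors, the `assess_mbr` finding names and the 0.6 text-ratio threshold are constructed assumptions for the example; on a real host the sector would be read from the raw device by an offline or forensic tool.

```python
"""Integrity check of a 512-byte Master Boot Record against a known-good baseline.

Added example: the disk sectors below are constructed in memory and are not real
disk contents; finding names and the text-ratio threshold are illustrative choices.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # legacy x86 boot code precedes the 4-byte disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries
BOOT_SIG_OFF = 510           # 2-byte boot signature, 0x55 0xAA
TEXT_RATIO_THRESHOLD = 0.6   # assumed: boot code is opcodes, a note is mostly ASCII


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot code, partition entries and boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start(3), type, CHS end(3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2]}


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or TAB/LF/CR."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def baseline_hash(sector: bytes) -> str:
    """SHA-256 of the sector, recorded while the system is known-good."""
    return hashlib.sha256(sector).hexdigest()


def assess_mbr(sector: bytes, baseline: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != b"\x55\xaa":
        findings.append("signature_missing")
    if baseline_hash(sector) != baseline:
        findings.append("hash_mismatch")
    if all(p["type"] == 0 for p in mbr["partitions"]):
        findings.append("partition_table_empty")
    if printable_ratio(mbr["boot_code"]) > TEXT_RATIO_THRESHOLD:
        findings.append("text_in_boot_code")
    return findings


# ---- constructed sample sectors (not real disk contents) ----
def _build_sector(boot_code: bytes, partition_table: bytes, signature: bytes) -> bytes:
    disk_sig = b"\x00" * 6   # 4-byte disk signature plus 2 reserved bytes
    sector = boot_code + disk_sig + partition_table + signature
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sample sector has the wrong size")
    return sector


# stand-in boot code: 440 mostly non-text bytes; a real MBR holds x86 loader code
_CLEAN_CODE = bytes(range(256)) + bytes(range(184))
# one bootable partition of type 0x07 starting at LBA 2048, 204800 sectors long
_CLEAN_TABLE = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
CLEAN_MBR = _build_sector(_CLEAN_CODE, _CLEAN_TABLE, b"\x55\xaa")

# boot code replaced by a constructed placeholder note, partition table zeroed
_NOTE = b"CONSTRUCTED SAMPLE NOTE: your disk is damaged, contact <placeholder id>\r\n"
_NOTE_CODE = (_NOTE * (BOOT_CODE_LEN // len(_NOTE) + 1))[:BOOT_CODE_LEN]
OVERWRITTEN_MBR = _build_sector(_NOTE_CODE, b"\x00" * 64, b"\x55\xaa")


if __name__ == "__main__":
    baseline = baseline_hash(CLEAN_MBR)
    print("clean:      ", assess_mbr(CLEAN_MBR, baseline))
    print("overwritten:", assess_mbr(OVERWRITTEN_MBR, baseline))
```

The hash comparison is the authoritative check; the partition-table and text-ratio heuristics exist so that an overwrite is still recognisable when no baseline was recorded, which is the usual situation in incident response. Because an MBR wiper of this kind leaves the machine unbootable, the check is most useful either as a scheduled task on a running system or against a disk image taken after the fact.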

While the Microsoft analysis splits the WhisperGate malware into two stages, Stairwell and others in the industry divide it into three, adding a final ‘file wiper’ stage. “This is a high-level overview of the currently known technical aspects of WhisperGate as executed on Microsoft Windows operating systems. Based on a statement from the Ukrainian government, a reported Linux variant of this malware may exist; however, samples have not yet been shared,” Silas Cutler, principal reverse engineer at Stairwell, wrote in a company blog post.

Cutler said that the WhisperGate malware is still under active investigation. “Our understanding of the scope and structure of this campaign is likely to evolve as analysis continues and new information is released. Additionally, with many unknowns, such as the intrusion vector, reported Linux variants, and the pace with which events can potentially escalate from cyber to traditional military actions, it’s clear that faster identification and analysis will become paramount in the days to come,” he added.
