The Cybersecurity and Infrastructure Security Agency (CISA) and FBI are warning United States-based organizations about two destructive malware programs that Russia used against Ukrainian organizations in the lead-up to its invasion of Ukraine, and about the threat vectors seen in those attacks.
The joint advisory, released Feb. 26, outlines CISA- and FBI-confirmed attacks against Ukrainian organizations using two wipers, WhisperGate and HermeticWiper. WhisperGate overwrites the master boot record and wipes files while posing as ransomware; HermeticWiper corrupts the boot record of the infected system so that it fails on the next boot.
While CISA Director Jen Easterly has said as recently as Feb. 27 that the agency has not observed any specific threats to the United States, she said it’s important for critical infrastructure operators and other organizations to be prepared for any potential “spillover” effects of the invasion.
“In the wake of continued denial of service and destructive malware attacks affecting Ukraine and other countries in the region, CISA has been working hand-in-hand with our partners to identify and rapidly share information about malware that could threaten the operations of critical infrastructure here in the U.S.,” Easterly said in the advisory.
“Our public and private sector partners in the Joint Cyber Defense Collaborative (JCDC), international computer emergency readiness team (CERT) partners, and our long-time friends at the FBI are all working together to help organizations reduce their cyber risk,” she added.
Attack Vectors
According to CISA, the Microsoft Threat Intelligence Center disclosed the WhisperGate malware on Jan. 15. CrowdStrike's analysis of the campaign notes that multiple Ukrainian government sites went down and were defaced alongside the deployment of the three-component malware.
WhisperGate combined a malicious bootloader that overwrites the master boot record and corrupts any local disks it can find, a downloader that fetched its next stage from the chat service Discord, and a file wiper that works with the bootloader to "irrevocably corrupt the infected hosts' data," according to CrowdStrike. The malware also displays a ransom note, but victims have no way to recover or decrypt their data: the malware contains no decryption capability, and the damage it does is not reversible.
Several cybersecurity research teams identified HermeticWiper being used against Ukrainian organizations on Feb. 23, according to the advisory.
HermeticWiper, which CrowdStrike tracks as "DriveSlayer," reportedly has no "built-in propagation methods for spreading across infrastructures." Given that, and the limited number of reported victims in Ukraine, CrowdStrike assesses the risk that other organizations will have to deal with this particular malware as limited.
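Both wipers attack the first sector of the disk, the master boot record (MBR). As an added example, not code from the advisory, CrowdStrike or the article, the Python below parses a 512-byte MBR read from a disk image or an offline backup and flags the corruption patterns a triage analyst looks for: a missing boot signature, zeroed boot code, and an emptied or inconsistent partition table. The three sample sectors are constructed test data and are not bytes taken from either malware; note that a sector overwritten with a bootable "ransom note" stub can still carry a valid 0x55AA signature, so the signature alone is not a sufficient check.

```python
"""Triage check for MBR corruption of the kind used by disk-wiping malware.

Added example for this article. The sample sectors below are constructed
test data, not bytes recovered from WhisperGate or HermeticWiper.
"""
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
TABLE_OFFSET = 446             # partition table starts after the boot code
ENTRY_SIZE = 16                # four 16-byte partition entries follow


def parse_entry(raw: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry (little-endian fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def check_mbr(sector: bytes) -> dict:
    """Return {"healthy": bool, "findings": [...], "partitions": [...]} for one MBR."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    findings = []
    if sector[510:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if sector[:TABLE_OFFSET] == bytes(TABLE_OFFSET):
        findings.append("boot code region is all zeros")
    entries = [
        parse_entry(sector[TABLE_OFFSET + i * ENTRY_SIZE: TABLE_OFFSET + (i + 1) * ENTRY_SIZE])
        for i in range(4)
    ]
    used = [e for e in entries if e["type"] != 0]
    if not used:
        findings.append("partition table has no entries")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02x}")
        if e["type"] != 0 and (e["sectors"] == 0 or e["lba_start"] == 0):
            findings.append(f"entry {i}: used partition with zero start or length")
    # Used partitions must not overlap on disk.
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partitions overlap at LBA {start_b}")
    return {"healthy": not findings, "findings": findings, "partitions": used}


def build_mbr(boot_code: bytes, entries: list, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a 512-byte MBR from constructed parts (test data, not a real disk)."""
    code = boot_code.ljust(TABLE_OFFSET, b"\x00")[:TABLE_OFFSET]
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba_start, sectors)
        for status, ptype, lba_start, sectors in entries
    ).ljust(4 * ENTRY_SIZE, b"\x00")
    return code + table + signature


# Constructed sample 1: intact MBR, a few boot-stub bytes and one bootable NTFS (0x07) partition.
INTACT_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 1_000_000)])
# Constructed sample 2: the first sector overwritten with zeros.
ZEROED_MBR = bytes(MBR_SIZE)
# Constructed sample 3: a bootable stub that only prints a message (placeholder text, not the
# real note), with the partition table destroyed. The 0x55AA signature is still present.
FAKE_NOTE_MBR = build_mbr(b"\xb8\x00\x00" + b"PLACEHOLDER RANSOM NOTE TEXT", [])

if __name__ == "__main__":
    for name, sector in [("intact", INTACT_MBR), ("zeroed", ZEROED_MBR), ("fake-note", FAKE_NOTE_MBR)]:
        result = check_mbr(sector)
        print(f"{name}: healthy={result['healthy']} findings={result['findings']}")
```

On a real case, feed `check_mbr` the first 512 bytes of a forensic image (for example `open(image, "rb").read(512)`) and compare its partition list against the last known-good backup of the same host; an emptied table with an intact signature is the signature of a boot sector that was replaced rather than simply zeroed.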
“The FBI alongside our Federal partners continues to see malicious cyber activity that is targeting our critical infrastructure sector,” FBI Cyber Division Assistant Director Bryan Vorndran said. “We are striving to disrupt and diminish these threats, however we cannot do this alone.”
CISA and the FBI give the following recommendations to United States-based critical infrastructure owners and operators, and to organizations more broadly:
- “Enable multifactor authentication;
- Set antivirus and antimalware programs to conduct regular scans;
- Enable strong spam filters to prevent phishing emails from reaching end-users;
- Update software; and
- Filter network traffic.”
“We continue to share information with our public and private sector partners and encourage them to report any suspicious activity,” Vorndran said. “We ask that organizations continue to shore up their systems to prevent any increased impediment in the event of an incident.”
‘Even Chance’ of Further Attacks
Craig Terron, Senior Manager of Global Issues at Recorded Future's Insikt Group, said today during a presentation on the cyber warfare aspects of the invasion of Ukraine that there is an "even chance" that groups in Russia will launch cyberattacks against Western interests using the same methods described in the CISA/FBI advisory.
He said the attacks likely originate with Russia's GRU military intelligence service and allied actors in Belarus. Terron suggested that organizations looking to defend against such attacks deploy "hunting packages" for those particular threats.
Finally, Terron said that despite efforts to take down Ukrainian government websites with malware and DDoS attacks, Russia has so far "failed to achieve information superiority" in Ukraine because the government still retains the ability to communicate with its citizens.