The Cybersecurity and Infrastructure Security Agency (CISA) and FBI released new guidance on the WhisperGate and HermeticWiper malware strains in a joint advisory this weekend.
The government agencies warned US organizations and companies to look out for WhisperGate and HermeticWiper after they were seen being used against organizations in Ukraine in the run-up to Russia’s invasion of the country.
Both CISA and the FBI reiterated that there is no specific threat against US organizations.
“In the wake of continued denial of service and destructive malware attacks affecting Ukraine and other countries in the region, CISA has been working hand-in-hand with our partners to identify and rapidly share information about malware that could threaten the operations of critical infrastructure here in the US,” said CISA Director Jen Easterly.
“Our public and private sector partners in the Joint Cyber Defense Collaborative (JCDC), international computer emergency readiness team (CERT) partners, and our long-time friends at the FBI are all working together to help organizations reduce their cyber risk.”
CISA urged US organizations to take measures to protect themselves by enabling multifactor authentication, deploying antivirus and antimalware programs, enabling spam filters, updating all software and filtering network traffic.
The joint Advisory, “Destructive Malware Targeting Organizations in Ukraine,” comes as CISA expanded its Shields Up webpage to include new services and resources, recommendations for corporate leaders and actions to protect critical assets.
CISA has also created a new Shields Up Technical Guidance webpage that provides more details on other cyberattacks facing Ukraine and technical resources to deal with threats.
“The FBI alongside our federal partners continues to see malicious cyber activity that is targeting our critical infrastructure sector,” said FBI Cyber Division Assistant Director Bryan Vorndran.
“We are striving to disrupt and diminish these threats, however we cannot do this alone, we continue to share information with our public and private sector partners and encourage them to report any suspicious activity. We ask that organizations continue to shore up their systems to prevent any increased impediment in the event of an incident.”
Dozens of systems within at least two Ukrainian government agencies were wiped during a cyberattack using WhisperGate in January. Microsoft released a detailed blog about WhisperGate and said it was first discovered on January 13. Multiple security companies have released guidance and examinations of the malware since it emerged.
In a follow-up examination of WhisperGate, security company CrowdStrike said the malware aims “to irrevocably corrupt the infected hosts’ data and attempt to masquerade as genuine modern ransomware operations.”
“However, the WhisperGate bootloader has no decryption or data-recovery mechanism and has inconsistencies with malware commonly deployed in ransomware operations,” CrowdStrike explained.
“The activity is reminiscent of VOODOO BEAR‘s destructive NotPetya malware, which included a component impersonating the legitimate chkdsk utility after a reboot and corrupted the infected host’s Master File Table (MFT) — a critical component of Microsoft’s NTFS file system. However, the WhisperGate bootloader is less sophisticated, and no technical overlap could currently be identified with VOODOO BEAR operations.”
Kitsoft, the company that built about 50 of Ukraine’s government websites, said that it discovered WhisperGate malware on its systems too.