Tension is mounting over the potential for Russia’s cyberattacks in Ukraine to spread to organizations in the US and other countries that have imposed economic and other sanctions on Russia over its invasion of Ukraine this week.
The fears are being fueled both by recent precedent and by the nature of the malicious activity directed at organizations in Ukraine over the past several weeks and months by cyber threat actors believed to be affiliated with the Russian government.
“The western world should be on red alert status for Russian cyber retaliation,” says Paul Caiazzo, advisor at Avertium. Russia has shown a tendency to use a hybrid warfare approach — kinetic and cyber — in previous conflicts, and what’s playing out currently is line with that approach, he says. The unison with which western nations have imposed sanctions has left Russia with few options and at the risk of being cut off entirely from the global financial system, he says.
“The Internet will still offer every opportunity for Putin to deliver upon his threats of dire consequences to those who seek to interfere with Russia’s agenda,” Caiazzo says.
Much of the immediate concern is focused on a flurry of malicious activity targeted at Ukrainian organizations prior to Russia’s military action early on Feb. 24 local time. This includes the deployment of a dangerous new disk-wiping malware tool, crippling DDoS attacks, and a new malware framework from a Russian threat actor tied to the Russian General Staff Main Intelligence Directorate (GRU).
On the evening of Feb. 23, just hours before Russian troops entered Ukraine, security researchers reported numerous Ukrainian organizations getting hit with a sophisticated new disk-wiping malware. ESET, which is tracking the threat as “HermeticWiper”, said it found traces of the malware on hundreds of systems in Ukraine. The compilation time stamp on one HermeticWiper sample was Dec. 28, 2021, suggesting the attack was in preparation mode for close to two months. ESET described the malware binary as being signed with a valid code signing certificate issued to Hermetica Digital Ltd.
the malware being deployed against organizations in Ukraine’s defense, financial, aviation, and IT services sectors. The malware appears designed solely to damage the Master Book Record (MBR) on Windows systems, making them unbootable once compromised. In several attacks, the threat actors deployed ransomware at the same time as the disk wiper, likely as a decoy. Symantec said it had found evidence of HermeticWiper — or Trojan.Killdisk, as the security vendor is tracking it — on systems belonging to organizations in Lithuania as well, suggesting that the cyberattacks in Ukraine have already begun spilling over into other countries.
HermeticWiper is similar to another disk-wiping malware tool called WhisperGate
that Microsoft first reported being used against Ukrainian organizations in January. As with HermeticWiper, that wiper masqueraded as ransomware but was designed to overwrite and destroy the MBR. WhisperGate victims have so far included the Ukrainian government, IT providers, and nonprofits.
Whispergate and HermeticWiper have evoked comparisons to 2017’s NotPetya, which also initially appeared to be ransomware but actually was a disk wiper. The malware infected tens of thousands of systems worldwide, though it started off being targeted mainly at Ukrainian systems.
“Russian cyberattacks like NotPetya, which had a global impact in 2017, affected Ukraine the most but ended up costing giant multinational corporations and government organizations billions of dollars,” Caiazzo says. “Entities were caught in the crossfire regardless of politics, and the same could happen again.”
Concerns are also high over a new malware framework dubbed Cyclops Blink that Russian threat actor Sandworm, aka Voodoo Bear, is using to target network devices. Sandworm is the threat actor behind the NotPeyta outbreak, the 2015 BlackEnergy attack that temporarily crippled Ukraine’s power grid, and Industroyer, the first ever cyberweapon developed specifically to target electric systems at scale.
A joint advisory this week from the US Cybersecurity and Infrastructure Agency, the UK’s National Cyber Security Center, the NSA, and the FBI described Cyclops Blink as malware that Sandworm is now using as a replacement for its previous VPNFilter to target network devices. VPNFilter infected some 500,000 routers worldwide before it was shut down in 2018. Cyclops Blink was developed shortly after in 2019. Presently, the malware only impacts WatchGuard devices, but it likely can be modified to impact network technologies from other vendors, the CISA and others said.
In keep with previous patterns, Russia military action in Ukraine this week was preceded by numerous DDoS attacks targeting key government websites, including those of the Ukrainian parliament, Council of Ministers, Ministry of Foreign Affairs, and the Security Service of Ukraine. A Russia-linked website that served as a command-and-control center for the attacks also was found hosting clones of key Ukrainian government websites including those of the President and the Ministry of Justice.
Rippling Cyber Effects
Purandar Das, CEO and cofounder at Sotero, says that on the surface there’s nothing really different with the cyberattacks in Ukraine compared to previous periods of similar conflict. “However, what is not clear, at this time, is whether these are diversions,” he says.
It’s likely the attacks are a tactic to force attention on what is perceived to be a problem while the more strategic attacks on infrastructure could be happening or have already happened, he says. “It would be too easy to believe that other nations, perceived to be hostile, are not already under attack. There certainly could be an escalation against these states to impede their cooperation or to disrupt communications.”
In recent days the CISA in fact has warned about the potential for “foreign actors” to use misinformation, disinformation, and misleading information about true events to target US critical infrastructure. The alert described the Russia-Ukraine conflict as having heightened the risk of foreign influence operations targeting US audiences with the goal of undermining US authorities and interests and disrupting US critical infrastructure.
At this point, all organizations, corporations, and small businesses should do their due diligence and protect their cyber environments. The current situation between Ukraine and Russia impacts all organizations, not just those who conduct business in Ukraine, says Lee Legnon, director of solutions marketing at Avertium. Organizations at particular risk are those in critical infrastructure sectors and high-value supply chain vendors. “Russia has shown the ability and willingness to cause disruption and damage before and could do so again to instill mass confusion at varying levels within both public and private sector,” he says.
Earlier this month, CISA urged US organizations to assume what it calls a “Shields Up” stance in preparation for cyberattacks by Russia-backed threat actors.
As part of their due diligence, organizations need to make sure they understand how the current sanctions against Russia might impact their ability to make ransom payments in the event of an attack, says Alex Iftimie, co-chair of Morrison & Foerster’s global risk and crisis management group. “The new Russian sanctions do not appear to include sanctions directed at ransomware groups or other cyber actors or the cryptocurrency infrastructure they use,” Iftimie says.
But that could change quickly if coordinated ransomware attacks that are connected to the Russian invasion of Ukraine start to happen, he says. The FBI has warned businesses and state and local officials of the potential for such attacks, he notes.
“In light of the sweeping new sanctions, it is absolutely critical that victims of ransomware and other extortion attacks conduct due diligence before making a ransom payment,” Iftimie says.