As the tensions between Russia and Ukraine continue to deepen, security researchers have discovered more about the tactics and malware used in the wiper attacks on Ukrainian organizations, and government officials are warning enterprises in the United States to be prepared for potential intrusions if the U.S. becomes involved in the conflict in some way.
The attacks that hit several Ukrainian organizations and government agencies 10 days ago used a piece of malware known as WhisperGate that has multiple stages and is designed to overwrite the master boot record (MBR) of infected computers and delete all of the data on those machines. The malware disguises itself as ransomware, displaying a ransom note after the wiping operations complete. But there’s no way to recover the data and no ransom mechanism. This is quite similar to the 2017 NotPetya attacks in Ukraine, which also used ransomware as a facade for a destructive malware infection and was more widespread than the WhisperGate intrusions.
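Because the malware described above makes the machine unbootable by overwriting the MBR rather than encrypting files, a defender can detect that stage with a structural and baseline comparison of the first 512-byte sector. The following is an added example written for this article, not code from Talos or from the WhisperGate analysis; the sample "clean" and "tampered" sectors are constructed inline, the baseline hash is assumed to have been recorded from a known-good image, and reading a real disk (the `read_first_sector` helper) needs privileged access to the raw device.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # 4 x 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR
ENTRY_FMT = "<B3xB3xII"          # boot flag, (CHS), type, (CHS), LBA start, sector count


def parse_partition_table(sector: bytes) -> list:
    """Decode the four classic MBR partition entries (CHS fields skipped)."""
    entries = []
    for i in range(4):
        boot_flag, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        entries.append({"boot": boot_flag, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def mbr_findings(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of anomalies; an empty list means the sector matches baseline.

    Structural checks catch a crude overwrite (signature gone, no partitions);
    the hash comparison catches a replaced boot-code area that keeps the
    partition table and signature intact to look plausible.
    """
    if len(sector) != SECTOR_SIZE:
        return ["invalid-length"]
    findings = []
    if sector[510:] != BOOT_SIGNATURE:
        findings.append("boot-signature-missing")
    entries = parse_partition_table(sector)
    if not any(e["type"] != 0 and e["sectors"] > 0 for e in entries):
        findings.append("no-valid-partition-entry")
    if any(e["boot"] not in (0x00, 0x80) for e in entries):
        findings.append("bad-boot-flag")
    if hashlib.sha256(sector).hexdigest() != baseline_sha256:
        findings.append("hash-mismatch")
    return findings


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 from a raw block device (e.g. /dev/sda); requires privileges."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed known-good sector: placeholder boot code, one Linux partition."""
    boot_code = b"\x90" * PART_TABLE_OFFSET
    entry = struct.pack(ENTRY_FMT, 0x80, 0x83, 2048, 204800)
    empty = b"\x00" * 16
    return boot_code + entry + empty * 3 + BOOT_SIGNATURE


# Constructed baseline; in practice record this hash from a trusted image.
GOOD_MBR = build_sample_mbr()
BASELINE_SHA256 = hashlib.sha256(GOOD_MBR).hexdigest()

# Constructed "wiped" sector (all zeros) and a "tampered" one that keeps the
# partition table and signature but replaces the boot code.
WIPED_MBR = b"\x00" * SECTOR_SIZE
TAMPERED_MBR = b"\xCC" * PART_TABLE_OFFSET + GOOD_MBR[PART_TABLE_OFFSET:]

if __name__ == "__main__":
    for name, sector in (("good", GOOD_MBR), ("wiped", WIPED_MBR),
                         ("tampered", TAMPERED_MBR)):
        print(name, mbr_findings(sector, BASELINE_SHA256) or "ok")
```

The tampered case is the reason to keep a baseline hash at all: a sector whose partition table and signature are untouched passes every structural check, so only the comparison against the recorded hash flags it. Running this periodically from a management host against the raw device (not from inside the guest that may already be compromised) gives a cheap tripwire for the boot-sector stage of a wiper.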
Researchers with Cisco Talos, who have worked on incident response in Ukraine for many years, found that the attackers had access to the target networks for several months before actually deploying the WhisperGate malware, and probably used stolen legitimate credentials for initial access.
“We assess that attackers used stolen credentials in the campaign and they likely had access to the victim network for months before the attack, a typical characteristic of sophisticated advanced persistent threat (APT) operations,” Talos researchers said in an analysis of the incidents.
Over the weekend, the Department of Homeland Security sent an alert to critical infrastructure operators about the potential for Russian threat actors to take similar actions against U.S. organizations if the U.S. intervenes in the Ukraine conflict, CNN reported. DHS routinely sends warnings about ongoing or potential threats to CI operators and other private sector organizations, but given the recent attacks in Ukraine and the fact that Russian threat actors are known to have gained access to U.S. CI networks, this is not business as usual. What DHS is telling those organizations is that these operations may look different from past Russian attacks.
“They’re trying to say that there’s potential for the rules of the game to change. In the past if you discovered Russian adversaries in your network, you’d try to find all their footholds, board up behind them, and do better next time. There is a potential future where that’s not the case. If the rules of engagement change, Russia will be looking to put in place as much pressure as they can to remove any sanctions they don’t find acceptable,” said Matthew Olney, director of threat intelligence and interdiction for Talos.
“The high bar on this would be if they disconnected Russia from SWIFT (financial messaging platform). It would be a very big deal and not be on the Russian side. Then we’re looking at how does Russia apply pressure on the west?”
SWIFT is part of the core infrastructure of the global financial system, and losing access to it would create dire consequences for Russia’s economy. That would be a drastic step for western nations to take, but even less-severe economic sanctions could provoke Russian threat groups to act.
“If they’re free to act in a damaging way, the administration is preparing for it, but I’m not sure the rest of the country is. I don’t think there’s a huge appetite in the U.S. to suffer on behalf of the Ukrainian people,” Olney said.
For U.S. organizations outside the CI sector, the potential for spillover from the situation in Ukraine may be lower, but it is still present. Russian threat groups have targeted enterprises in many different industries, including technology, manufacturing, and energy, and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Jan. 11 instructing U.S. companies to be aware of ongoing Russian attacks and take precautions.
“Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks,” the alert says.
“Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.”
Olney recommends that any organizations with Ukrainian connections take care to isolate and monitor any systems or software that may be potential targets.
“If you’re running software that’s focused on Ukraine or has a connection, all of those pieces need to be isolated and secured and monitored to ensure that it doesn’t inadvertently spill into your operational network,” he said.