Government and researchers keep U.S. attention on Russian cyber activity in Ukraine
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have added several strains of data-wiping malware to their review of the tools used to attack Ukrainian organizations. The additions came a day after Microsoft researchers said they had observed nearly 40 destructive cyberattacks targeting hundreds of systems in Ukraine.
CISA and the FBI released the original advisory in late February and updated it Thursday to add further indicators of compromise for the WhisperGate malware and technical details for the destructive malware HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper.
WhisperGate was used in attacks against dozens of Ukrainian government websites in January. It masquerades as ransomware but simply erases infected devices instead of offering the option to pay a ransom.
HermeticWiper is another piece of malware used against Ukrainian networks in February that was discovered by researchers from Slovakia-based cybersecurity firm ESET and Broadcom’s Symantec.
Silas Cutler, security researcher for Stairwell, said in February that HermeticWiper doesn’t just destroy local data. It also damages the Master Boot Record (MBR) section of a hard drive, preventing the computer from booting into the operating system after a forced restart.
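The MBR damage described above is something a defender can check for directly. The following is an added example, not code from the article, Stairwell, or any vendor: it parses sector 0 of a disk image, flags the signs of a destroyed boot sector (missing 0x55AA signature, zeroed boot code, empty partition table, hash drift from a recorded baseline), and runs against a constructed intact MBR and a constructed wiped one. The sample partition layout and baseline hash are assumptions for the demonstration.

```python
# Added example (not from the article): defender-side MBR integrity check.
import hashlib
import struct
from typing import Optional

MBR_SIZE = 512
BOOT_SIG = b"\x55\xaa"          # boot signature at offset 510
PART_TABLE_OFF = 446            # four 16-byte partition entries follow the boot code
PART_ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Extract structural facts from a 512-byte master boot record."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if ptype != 0:  # type 0 means an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "bootcode_zeroed": not any(sector[:PART_TABLE_OFF]),
        "partitions": partitions,
        "sha256": hashlib.sha256(sector).hexdigest(),
    }

def assess_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> list:
    """Return human-readable findings; an empty list means the MBR looks intact."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature: firmware will refuse to boot this disk")
    if info["bootcode_zeroed"]:
        findings.append("boot code region is all zeros")
    if not info["partitions"]:
        findings.append("partition table is empty")
    if baseline_sha256 and info["sha256"] != baseline_sha256:
        findings.append("sector 0 differs from the recorded baseline")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample: an MBR with a few stand-in boot bytes and one bootable NTFS partition."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\x33\xc0\x8e"  # placeholder for real boot code (assumed, not a real loader)
    struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)

if __name__ == "__main__":
    intact = build_sample_mbr()
    baseline = parse_mbr(intact)["sha256"]   # record this while the host is known-good
    print("intact:", assess_mbr(intact, baseline))
    print("wiped: ", assess_mbr(bytes(MBR_SIZE), baseline))  # all-zero sector 0
```

On a live system the 512 bytes would come from the raw disk device; comparing against a baseline hash recorded at provisioning time catches tampering even when the attacker leaves a syntactically valid MBR behind.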
ESET explained that HermeticWizard is a worm component used to spread HermeticWiper in local networks.
IsaacWiper was used to attack organizations the day Russia began its invasion. According to Recorded Future, IsaacWiper is destructive malware that overwrites all physical drives and logical volumes on a computer.
There is no code overlap among IsaacWiper, HermeticWiper, and WhisperGate, even though all three seek to render devices inoperable.
CaddyWiper was rolled out on March 14, according to ESET, and then reused in an attack on a Ukrainian energy company on April 12, according to CERT-UA. The malware erases user data and partition information from all drives connected to a compromised machine.
All of the malware strains highlighted by CISA and the FBI have been brought to light by Microsoft and other researchers since Russia began its invasion of Ukraine.
Tom Burt, Microsoft’s vice president of security and customer trust, said he saw at least six Russian-aligned state actors launch more than 237 operations against Ukraine just before the invasion began.
Microsoft noted that Russia often uses cyberattacks alongside kinetic military operations targeting crucial civilian services and institutions.
“For example, a Russian actor launched cyberattacks against a major broadcasting company on March 1, the same day the Russian military announced its intention to destroy Ukrainian ‘disinformation’ targets and led a missile strike against a TV tower in Kyiv,” Burt explained.
“Since the beginning of the Russian invasion of Ukraine, Russian cyberattacks have been deployed to support the military’s strategic and tactical objectives. It is likely that the attacks we have observed represent only a fraction of the activity targeting Ukraine.”
Burt urged government and critical infrastructure personnel to follow CISA guidelines and said Microsoft expected “cyberattacks to continue to escalate as the conflict rages.”
“Russian nation-state threat actors could be tasked with expanding their destructive actions outside of Ukraine to retaliate against countries that decide to provide more military assistance to Ukraine and take more punitive action against the Russian government in response to the continued aggression,” Burt added.