Wiper Malware Attacks Have Not Escaped Ukrainian NetworksExperts: Don't Catastrophize, Do Remain Focused on Essential Cybersecurity Defenses
Don't indulge in cyberattack doomsday scenarios over Ukraine. But do stay prepared by continuing to focus on the cybersecurity basics, including backups, redundancy, watching for ransomware and maintaining ready-to-go incident response plans.
That's a repeat warning being sounded by cybersecurity and intelligence experts in the wake of Russia's Thursday morning invasion of Ukraine (see: Russia's Invasion of Ukraine Triggers Resiliency Reminders).
Russia remains unlikely to directly target NATO members with cyberattacks, experts say. To do so would draw Western governments further into the conflict and could lead to unpredictable escalation. "Cyberattacks can be devastating things, but they don't compare to surface-to-surface missiles landing on suburbs of Kyiv," Alex Younger, the former head of Britain's Secret Intelligence Service, said at a Wednesday conference, Financial Times reported.
Younger cautioned against dwelling on extreme cybersecurity scenarios. "The catastrophization of the problem is not particularly helpful," he said.
Indeed, over-dramatizing problems can leave defenders feeling disempowered, says Victoria Baines, a visiting fellow at Bournemouth University's School of Computing and former member of Europol's European Cybercrime Center (see: Why Today's Security Rhetoric Is Harmful and Must Change).
"Characterization of cybercrime and cyber threats as 'cyberwar,' 'cyber Pearl Harbor' and the like compound the perception that they are entirely out of ordinary people's control to prevent, when we know that basic digital hygiene is key to countering much of the volume," Baines tweets.
"That is not to dismiss all cyber threats as low-level or frivolous," she says, but "critical thinking and judgement" can be used to assess not just cybersecurity risks, but also the inevitable disinformation operations and fake news the conflict is already generating.
Risk of Collateral Damage
One ongoing cyberthreat risk that experts are closely tracking is that Russian President Vladimir Putin might order an escalation in online attacks or cyber sabotage targeting Ukraine, which could get out of control and cause collateral damage on a global scale.
To minimize the risk posed by attacks spreading from Ukrainian networks, the threat research team at U.S. cybersecurity firm Secureworks recommends that organizations with any IT operations or connections that touch on Ukraine immediately isolate them.
"Due to the rapidly deteriorating security situation in Ukraine and the speed at which cyberattacks can unfold, customers are strongly advised to consider logically separating business operations located in Ukraine from other global networks," Secureworks says in a security advisory. "This includes severing any persistent VPN connections or remote network shares to suppliers or business partners with operations located in Ukraine. Organizations with operations in Ukraine should also prepare for continuity of operations in the case of power disruptions or loss of other business-critical services."
Cybersecurity firm Trellix's lead scientist for threat intelligence, Christiaan Beek, and head of cyber investigations John Fokker have urged organizations to review and follow Western cybersecurity agencies' guidance for essential defenses, since these help blunt all manner of cyberattacks, including ones that might get out of control.
"We counsel vigilance in the spirit of Shields Up," they say, referring to the U.S. Cybersecurity and Infrastructure Security Agency's advice for basic defenses that all organizations should always maintain.
Likewise, Baines recommends organizations follow guidance issued by Britain's National Cyber Security Center, specifically focused on actions businesses can take when there is a heightened cyberthreat.
The NCSC's guidance advocates not only reviewing patching, access controls, logging and monitoring, backups and incident response plans, but also communications. "Ensure that other teams understand the situation and the heightened threat," the NCSC says. "Getting buy-in from the rest of the business is crucial."
WhisperGate and HermeticWiper
On the threat intelligence front, at least so far, collateral damage of the cyber variety - as in, spilling out of Ukraine - appears to be nil.
Starting Wednesday, Ukrainian government sites and financial services firms were again being repeatedly targeted by distributed denial-of-service attacks, as well as with wiper malware. That followed previous DDoS attacks, as well as the use of WhisperGate malware against Ukrainian government systems in mid-January.
This week, attacks using WhisperGate and the new HermeticWiper malware have been seen (see: White House Denies Mulling Cyber Strikes on Russia).
Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n— ESET research (@ESETresearch) February 23, 2022
HermeticWiper was first detailed by teams at cybersecurity firms Symantec and ESET and quickly analyzed by other security teams.
HermeticWiper was spotted in the wild on Wednesday at 5 p.m. Eastern European Standard Time, ESET said in a blog post. "The wiper's timestamp, meanwhile, shows that it was compiled on Dec. 28, 2021, suggesting that the attack may have been in the works for some time."
ESET reported that "hundreds of machines" in Ukraine appeared to have been infected by the wiper malware.
Legitimate Digital Certificate
The HermeticWiper name given to the malware, imbued by researchers, is based on it using a legitimate digital certificate - valid as of April 2021 - that was issued to a Cypriot video game design firm called Hermetica Digital.
"At this time, we haven't seen any legitimate files signed with this certificate," says Juan Andrés Guerrero-Saade, a principal threat researcher at cybersecurity firm SentinelOne and an adjunct professor of strategic studies at Johns Hopkins School of Advanced International Studies, in a research report.
He says that like WhisperGate, HermeticWiper is designed to erase Windows devices and corrupt the master boot record of a hard drive.
The owner of Hermetica Digital, Polis Trachonitis, told Reuters that he has no connection to Russia, has never tried to obtain a digital certificate, and provides storylines for video games. "I don't even write the code - I write stories," he tells Reuters.
Wiper Malware Isn't Self-Propagating
The wiper malware appears to remain contained in Ukraine.
"The information available so far indicates that the wiper activity reported in Ukraine has been specifically targeted at Ukrainian government entities and financial services," Secureworks says.
HermeticWiper also appears to have been used against "two contractors in Latvia and Lithuania that provide services to the Ukrainian government," the Unit 42 threat research team at cybersecurity firm Palo Alto Networks says.
But CrowdStrike, which refers to the malware as DriveSlayer, says that "the binary does not make network connections" and that "current iterations of DriveSlayer do not have self-propagation mechanisms."
The Photon Research Team at threat intelligence firm Digital Shadows says the malware "was deployed directly from Windows domain controllers, indicating it is realistically possible that attackers may have had prolonged access prior to execution," and had obtained administrator credentials for victim organizations' Active Directory installations.
Trellix's Beek and Fokker likewise report seeing no indications that any version of the wiper malware has spread in an uncontrolled manner.
We are continuing to monitor the wiper #malware activity in #Ukraine. Our detection and analysis of these attacks suggests the same organizational networks and critical sectors impacted by #WhisperGate should be preparing for attacks from #HermeticWiper.— Trellix Labs (@TrellixLabs) February 24, 2022
They also say that unlike the NotPetya wiper malware deployed by Russia against Ukraine in 2017, WhisperGate and HermeticWiper appear to have no wormlike capabilities, meaning they don't appear to be designed to spread between infected endpoints on their own.
"While we are monitoring for indications that these attacks are spilling over into other countries, we advise caution in the heat of crisis against misreading what could be false positives as evidence of a NotPetya-type outbreak," they say. "This is a time for clear heads and strong hearts."