Feds Advise 'Shields Up' as Russian Cyberattack Defense
Alert: Destructive Malware, If Further Unleashed, Would Put US Networks at Risk
The U.S. Cybersecurity and Infrastructure Security Agency and the FBI issued a joint advisory on Saturday pointing to Russian state-sponsored activity using WhisperGate and HermeticWiper malware to target Ukrainian organizations. CISA has also updated the Shields Up webpage to include recommendations for corporate leaders and actions to protect critical assets.
In the advisory, U.S. officials say that such destructive malware can present a direct threat to an organization’s daily operations, affecting the availability of critical assets and data. The advisory states that there is no credible threat to the United States at this time but warns all organizations to assess and bolster their cybersecurity.
Jen Easterly, director at CISA, says that in the wake of continued denial-of-service and destructive malware attacks affecting Ukraine and other countries in the region, CISA has been working hand in hand with partners to identify and rapidly share information about the malware that could threaten the operations of critical infrastructure in the U.S.
"Our public and private sector partners in the Joint Cyber Defense Collaborative (JCDC), international computer emergency readiness team (CERT) partners, and our long-time friends at the FBI are all working together to help organizations reduce their cyber risk," Easterly says.
The Wiper Menace
The advisory comes after the Microsoft Threat Intelligence Center on Jan. 15 disclosed that destructive malware known as WhisperGate was designed to target organizations in Ukraine and render targeted devices inoperable.
On Wednesday, several researchers, including SentinelLabs, disclosed details about malware known as HermeticWiper being used against organizations in Ukraine. The malware targets Windows devices and manipulates the master boot record, which results in subsequent boot failure.
"The malware, known as WhisperGate, has two stages that corrupt a system's master boot record, displays a fake ransomware note and encrypts files based on certain file extensions. Although a ransomware message is displayed during the attack, Microsoft highlighted that the targeted data is destroyed, and is not recoverable even if a ransom is paid," the advisory says (see: Teardown: Fake Ransomware Targeting Ukrainian Government).
The name given to the malware by researchers, HermeticWiper, is based on it using a legitimate digital certificate - valid as of April 2021 - that was issued to a Cypriot video game design firm called Hermetica Digital (see: Wiper Malware Attacks Have Not Escaped Ukrainian Networks).
"At this time, we haven't seen any legitimate files signed with this certificate," says Juan Andrés Guerrero-Saade, a principal threat researcher at cybersecurity firm SentinelOne and an adjunct professor of strategic studies at Johns Hopkins School of Advanced International Studies, in the SentinelLabs report.
He says that like WhisperGate, HermeticWiper is designed to erase Windows devices and corrupt the master boot record of a hard drive.
The advisory recommends that executives and leaders review the advisory, assess their environment for probable malware delivery and ensure appropriate contingency planning. The advisory further recommends implementation of common strategies and preparation in the event of a cyberattack.
'Shields Up' Update
CISA has updated the Shields Up webpage and created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage now includes technical resources from partners to assist organizations against these threats.
"While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on the Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies. Every organization - large and small - must be prepared to respond to disruptive cyber activity," the updated Shields Up page says.
Shields Up is a public repository of information by the U.S. cyber defense agency CISA that helps organizations prepare for, respond to and mitigate the impact of cyberattacks. The information includes technical details about the latest malware, which organizations can use to defend themselves and which serve as a warning to prevent other organizations and entities from falling victim to a similar attack.
The agency also warns that such destructive malware can use popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from websites and virus-infected files downloaded from peer-to-peer connections. Such malware also seeks to exploit existing vulnerabilities on systems for quiet and easy access, the advisory says.
"Organizations should increase vigilance and evaluate their capabilities, encompassing planning, preparation, detection and response, for such an event."
The advisory also includes detailed guidance and considerations for an organization to address as part of its network architecture, security baseline, continuous monitoring and incident response practices.