admin

Ukraine Cyber Attack Bulletin

What Happened

On Friday, January 14, 2022, in the aftermath of unproductive diplomatic meetings between Russia and the U.S. and NATO, malicious cyber attackers launched a massive attack against Ukrainian government websites. Approximately seventy websites were targeted, and several sites were impacted, including the Ministry of Foreign Affairs and the Ministry of Education.

At this time, Ukrainian officials do not believe the web servers themselves were breached or that any sensitive personal data was stolen. The malicious actors penetrated the Content Management System (CMS) of the websites, which is responsible for publishing and editing the websites' content. This enabled the defacement of government sites.

Also Friday, Russia’s Federal Security Bureau announced that it had made a series of arrests of members of the REvil ransomware gang.

Update: On January 15, 2022, MSTIC (Microsoft Threat Intelligence Center) identified novel malware targeting multiple organizations in Ukraine. Named “WhisperGate”, this “ransomware” is destructive and provides no means of recovery.

Why It’s Important

This incident is of concern as it represents an escalation of pressure on Ukraine and potentially the onset of hostilities against Ukraine by the Russian regime, the likely actor behind this cyber attack. These types of attacks on a nation state, including its government ministries, are not just a cause for alarm for Ukraine, but also for Poland, the Baltic states and the entire NATO alliance. This type of cyber aggression is another indicator that Russia is integrating cyberwarfare into military planning and operations to achieve its tactical and strategic objectives while simultaneously appearing to distance itself from Russia-based ransomware attackers.

Update: The appearance of WhisperGate malware introduces a new element of cyber-warfare into Ukraine. The malware only masquerades as ransomware; its true intent is to destroy the host computer. WhisperGate injects itself deep into computers during restart, and there is currently no way to remove it once the infection begins. Once the computer is restarted, WhisperGate overwrites massive numbers of files with no means of recovery.

What to do about it

Immediate Guidance

Financial organizations and businesses with a presence in Ukraine and its neighboring areas should be on high alert. Though only websites were defaced, these public-facing resources are common beachheads for advanced cyber operations.

Chertoff Group recommends the following:

  1. Review cyber defenses for signs of breach and probing
    • Review firewall and audit logs for anomalous activity
    • Review activity of administrative, service, and user accounts for potentially malicious activity such as command line usage or script execution
    • Triage alerts diligently; do not be complacent
  2. Review Incident Response and Recovery procedures and update as necessary
  3. Ensure recovery mechanisms are working as intended
  4. Update: Scan your computers for the IOCs (indicators of compromise) found at: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations
  5. Ensure your anti-virus solution is updated and able to detect WhisperGate malware
  6. Scan computers with your anti-virus solution BEFORE restarting or shutting down


Applying Best Practice

More broadly, defenders can apply the following guidelines and best practices to address risks from disruptive cyber threats:

  • Threat-informed defense. The Chertoff Group recommends that security practitioners apply security controls based on anticipated adversary behavior and an assumption that a breach may already have occurred. If attackers have already breached your network, they may lie dormant as they observe your network and choose the data most valuable to target with ransomware. By understanding the anatomy of recent attacks and associated tactics, techniques, and procedures (TTPs), defenders can ensure risk-based defenses are in place. The MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework can help through its library of mappings between TTPs and defensive countermeasure coverage.
  • Validating control effectiveness. Critical infrastructure owners and operators should also validate that defensive countermeasures are operating as intended. As more details emerge from Ukraine, defenders should ensure existing security controls are effective against identified TTPs.
  • Continuous monitoring. Businesses and private organizations with a presence or operations in Ukraine should consider creating a continuous monitoring capability to ensure that the broader enterprise is aware of situations and circumstances that may lead to increased cybersecurity threats.

The Chertoff Group has deep experience helping organizations of all sizes rapidly implement threat- and risk-informed cyber defenses. Contact info@chertoffgroup.com for more information.
