The Cybersecurity Ripple Effects of the Russia-Ukraine Conflict

Ankura

Russia's invasion of Ukraine has been characterized by strategic and significant use of cyberattacks in support of its military objectives. In the days to come, cyber threat activity is likely to increase sharply worldwide, and organizations must be prepared for the ripple effects that spill out of the conflict.

Since the start of 2022, Russia has pressured Ukraine not to join the North Atlantic Treaty Organization (NATO), which would give Ukraine access to powerful military allies. After conducting multiple cyberattacks against Ukrainian networks, the Russian military is now executing an assault on Ukraine, invading from multiple directions. The conflict has already raised cybersecurity risk worldwide and will likely trigger an escalation in cyberattacks on organizations everywhere. The Ankura Cyber Threat Investigations and Expert Services (CTIX) team is continuously monitoring and analyzing the global cyber threat landscape and is supplying this content to help organizations proactively prepare, defend their environments, and avoid operational disruptions.

How Did Russia Leverage Cyberattacks for its Invasion?

On January 26, 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) released a report stating that between January 13 and 14 multiple websites of Ukrainian state organizations were compromised in attacks attributed to Russia, resulting in defaced content and destroyed systems.[1] The attack, now known as WhisperGate, gained access through the supply chain and through abuse of vulnerabilities in OctoberCMS and Log4j.[2] The malware itself is made up of three components: BootPatch, WhisperGate, and WhisperKill.

Following the WhisperGate attacks, on February 23, 2022, ESET and Broadcom's Symantec discovered a second data wiper.[3] This malware, dubbed HermeticWiper (KillDisk.NCV), has been used against hundreds of additional machines. HermeticWiper is a custom application designed to wipe local data and to damage the master boot record (MBR) of the hard drive so that the system can no longer boot into the operating system, behavior nearly identical to that of the BootPatch component of WhisperGate. At the time of publication HermeticWiper has been seen primarily in Ukraine, but data wiping attacks in Latvia and Lithuania have also been identified.

The United Kingdom and United States governments have also identified Cyclops Blink, new malware from Sandworm (a Russian military cyber unit), that gives threat actors remote access to networks and allows the affected networks to be used as part of Distributed Denial of Service (DDoS) attacks.

What to Expect Moving Forward

CTIX analysts predict a rapid and sustained increase in cyberattacks domestically and internationally. With the sanctions the United States and NATO allies are imposing on Russian entities, ransomware attacks across industries are likely to return with aggression and a heightened level of sophistication. Victims of upcoming ransomware attacks may face yet another challenge: threat actors "double-dipping" their targets, in which the actors receive a ransom payment, decrypt only a portion of the compromised assets, then demand another payment to continue. Beyond the increase in ransomware across all industries, critical infrastructure organizations in particular need to ensure that their technology infrastructure is secured and monitored and that they are prepared to respond rapidly and effectively to minimize damage. Lastly, analysts warn of large-scale DDoS attacks making a significant comeback against companies worldwide. Threat actors have been known to cripple entire networks for weeks, rendering internet services inoperable until the flood of network packets subsides. The return of these attack vectors is inevitable and will come at the hands of ruthless threat actors whose allegiances lie with Russia.

Seven Practical Steps to Increase Cyber Resilience

CTIX urges organizations to implement the following hardening techniques:

  • Ensure that incident response plans and playbooks are up to date and ready for execution
  • Bolster threat intelligence capabilities to maintain awareness of this dynamic situation
  • Harden internet-facing servers and applications
  • Review all third-party vendors and the privileges they have been granted
  • Monitor email traffic for phishing links and malicious documents
  • Institute multi-factor authentication (MFA) on all user accounts enterprise-wide
  • Ensure backups are present, kept out of reach of a compromised network, and verified by test restores, in case of a data wiping attack
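"Present" is easy to check; "working" is not, because a wiper that corrupts an archive in place leaves something that still looks like a backup. The following script is an added example, not code from the article or from Ankura, showing the minimum a verification job should do: confirm the archive and its manifest exist, confirm the archive is recent, test-restore it to a scratch directory, and recompute every file's SHA-256 against the manifest. The sample files, the 24-hour freshness policy, and the file names are constructed assumptions for the demonstration.

```python
"""Backup verification example: added for this article, not Ankura's or CTIX's code.

Checks that a backup is present, recent, and actually restorable: every file in
the manifest is extracted to a scratch directory and its SHA-256 recomputed.
The sample data, the 24-hour age policy and the file names are constructed
assumptions for the demonstration.
"""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_SECONDS = 24 * 3600  # assumed policy: a backup older than a day is stale


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Archive source_dir and record a manifest of relative path -> SHA-256.
    In production keep the manifest (or a signed copy) off the backup host, so a
    wiper that destroys the archive cannot also erase the record of what it held."""
    manifest = {
        str(p.relative_to(source_dir)): sha256_file(p)
        for p in sorted(source_dir.rglob("*")) if p.is_file()
    }
    archive = dest_dir / "backup.tar"
    with tarfile.open(archive, "w") as tar:
        tar.add(str(source_dir), arcname=".")
    manifest_path = dest_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def verify_backup(archive: Path, manifest_path: Path, now: float | None = None) -> dict:
    """Test-restore the archive and compare every file against the manifest.
    'ok' is True only when the backup exists, is fresh, and restores byte-for-byte."""
    now = time.time() if now is None else now
    report = {"present": False, "stale": False, "missing": [], "mismatched": [], "ok": False}
    if not (archive.is_file() and manifest_path.is_file()):
        return report
    report["present"] = True
    report["stale"] = (now - archive.stat().st_mtime) > MAX_BACKUP_AGE_SECONDS
    manifest = json.loads(manifest_path.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        restore_root = Path(scratch)
        with tarfile.open(archive) as tar:
            # Refuse absolute paths and '..' members where the interpreter supports it
            # (tarfile.data_filter exists on 3.12+ and on patched 3.8-3.11 releases).
            extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_root, **extract_opts)
        for rel, expected in manifest.items():
            restored = restore_root / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_file(restored) != expected:
                report["mismatched"].append(rel)
    report["ok"] = not (report["stale"] or report["missing"] or report["mismatched"])
    return report


def demo(tamper: bool = False, stale: bool = False) -> dict:
    """Build constructed sample data, back it up, optionally corrupt or age it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        src.mkdir()
        (src / "config.yaml").write_text("mode: prod\n")      # constructed sample files
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        dest = Path(tmp, "backups")
        dest.mkdir()
        archive, manifest_path = create_backup(src, dest)
        if tamper:
            # Simulate silent corruption: a same-length edit inside the archive payload,
            # which tar itself will not notice but the manifest comparison will.
            raw = archive.read_bytes().replace(b"mode: prod", b"mode: test", 1)
            archive.write_bytes(raw)
        now = time.time() + (2 * MAX_BACKUP_AGE_SECONDS if stale else 0)
        return verify_backup(archive, manifest_path, now=now)


if __name__ == "__main__":
    print(demo())              # healthy backup: ok is True
    print(demo(tamper=True))   # corrupted payload: config.yaml reported as mismatched
    print(demo(stale=True))    # archive older than policy: stale is True, ok is False
```

Run the job on a schedule against the real backup target and alert on any report where `ok` is False; a clean "present" with a non-empty `mismatched` list is exactly the case a wiper that overwrites rather than deletes will produce. Note that the manifest protects only against corruption of the archive, not of the manifest itself, so it belongs on separate, write-protected storage.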

The Ankura Cyber Threat Investigations and Expert Services (CTIX) team is actively monitoring the situation and will provide, in the next edition, a technical deep dive into the unfolding cyber risk crisis, the tactics, techniques, and procedures of specific threat actor groups, and the impact of the Russia-Ukraine crisis on cybersecurity globally.

[1] https://cert.gov.ua/article/18101

[2] https://passle-net.s3.amazonaws.com/Passle/602651b953548812c0fa5fe2/MediaLibrary/Document/2021-12-14-08-10-21-892-Ankura-Log4j-VulnNotification.pdf

[3] https://twitter.com/ESETresearch/status/1496581903205511181
