
Recent data-wiping attacks, targeting Ukrainian government agencies and businesses, prompted the release of a CISA Insights Bulletin urging U.S. organizations to strengthen their cybersecurity defenses. In what felt like coordinated attacks last Friday, the data-wiping malware (masquerading as ransomware) hit Ukrainian government organizations and was quickly followed by an aggressive unattributed cyber attack on Ukrainian government sites.

To clarify: This CISA Insights Bulletin is in addition to the Joint Cybersecurity Advisory (CSA) from CISA, FBI, and NSA: Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure, dated January 11, 2022.

These announcements are very much aligned with our risk awareness coverage of the current tensions in Ukraine and the role of cyber and information threat vectors in gray-zone conflicts.

The CISA Insights Bulletin was released on Tuesday and contextualizes the threat this way:

Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. Over the past year, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple sectors of the economy.

Most recently, public and private entities in Ukraine have suffered a series of malicious cyber incidents, including website defacement and private-sector reports of potentially destructive malware on their systems that could result in severe harm to critical functions. The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past—e.g., NotPetya and WannaCry ransomware—to cause significant, widespread damage to critical infrastructure.

This CISA Insights is intended to ensure that senior leaders at every organization in the United States are aware of critical cyber risks and take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise. All organizations, regardless of sector or size, should immediately implement the steps outlined below.

WhisperGate Malware Attack

The Microsoft Threat Intelligence Center (MSTIC) provided an initial incident report on December 15th – Destructive malware targeting Ukrainian organizations – Microsoft Security Blog:

“While our investigation is continuing, MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.”

WhisperGate ransomware note (Source: Bleepingcomputer.com)

The new malware, known as ‘WhisperGate’, deploys a two-stage attack:

  1. The first component, named stage1.exe, is launched from the C:\PerfLogs, C:\ProgramData, C:\, or C:\temp folders and overwrites the Master Boot Record to display a ransom note.
  2. The second component, named stage2.exe, is executed simultaneously to download data-destroying malware named Tbopbh.jpg, hosted on Discord, that overwrites targeted files with static data.
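The second stage leaves behind files whose contents are a single repeated byte value. The triage script below is an added example (not from this page, Microsoft, or BleepingComputer) that flags such statically overwritten files by their near-zero byte entropy; the fill byte, thresholds and sample files are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Heuristic triage for files overwritten with static data, as described for
# the WhisperGate second stage. A file filled with one repeated byte has zero
# Shannon entropy, whereas real documents and binaries score far higher.
# All thresholds are assumptions chosen for this example.
SAMPLE_BYTES = 64 * 1024      # inspect only the head of each file
ENTROPY_THRESHOLD = 0.1       # bits per byte; below this is treated as a static fill
MIN_SIZE = 1024               # ignore tiny files such as empty stubs

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for a uniform byte fill)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_wiped(path: str) -> bool:
    """True when the file head is (almost) a single repeated byte value."""
    try:
        if os.path.getsize(path) < MIN_SIZE:
            return False
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return False
    return shannon_entropy(head) < ENTROPY_THRESHOLD

def scan_tree(root: str) -> list:
    """Walk a directory tree and return paths that look statically overwritten."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if looks_wiped(p):
                hits.append(p)
    return sorted(hits)

def demo() -> tuple:
    """Constructed sample: one wiped file and one normal file; returns (hits, total)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "report.docx"), "wb") as fh:
            fh.write(b"\xcc" * (1024 * 1024))   # constructed static fill (assumed byte)
        with open(os.path.join(d, "notes.txt"), "wb") as fh:
            fh.write(os.urandom(4096) + b"mixed content " * 100)  # constructed normal data
        return len(scan_tree(d)), 2

if __name__ == "__main__":
    print(demo())
```

Run it against a restored backup or a quarantined image rather than a live system, and treat hits as candidates for comparison against the last known-good backup.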

Microsoft also provided a broad perspective on the ongoing geopolitical events in Ukraine: “The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable. We’re sharing this information to help others in the cybersecurity community look out for and defend against these attacks. The organizations affected by this malware include government agencies that provide critical executive branch or emergency response functions and an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced.”

Ukrainian Website Defacement Attack

In a recent interview, Serhii Demediuk, the Deputy Secretary of Ukraine’s National Security and Defense Council, assesses this portion of the coordinated cyberattack in this manner:

“It is still difficult to accurately assess the level of damage caused by this attack, as measures are being taken to contain it. But we can already say with confidence that for us essentially it could not lead to serious consequences. However, the informational narratives that accompanied this attack indicate that this was a red herring to cover up for more destructive actions, which, in my opinion, we will feel in the near future. And, with high probability, this may be in the energy sector.

Since the vulnerabilities used for the attack on January 14 are also present in some energy enterprises, however, they were not hit. At the same time, the active scanning and testing of the network infrastructure of energy enterprises that day were unprecedented. And there are also many other indicators that have been recorded as evidence of this threat.

I can also assume that a subsequent attack may occur simultaneously with the intensification of military aggression against Ukraine.” (2)

The independent investigation from cybersecurity reporter Kim Zetter in her Zero-Day newsletter is the most thorough and updated assessment of the website defacement attack.

Russian Attribution?

Zetter notes that some details about the attack are still very murky, such as who was behind the attack and the number of threat actors involved in the operation. A statement from the Ukrainian Ministry of Digital Transformation, however, did place the blame on Russian hackers.

Log4Shell?

The Record provides some reporting on a potential Log4Shell angle of the story:

On Monday, the Ukrainian Cyber Police and the Ukrainian Security Service said they were tracking three potential intrusion vectors that attackers could have used to pull off last week’s attacks:

  • The exploitation of a vulnerability in the October CMS platform, which the Ukrainian government had used for some of the defaced websites;
  • The compromise of employee accounts at a private company that provided the Ukrainian government with managed IT services;
  • The use of the Log4Shell vulnerability to gain access to some of the compromised systems. (1)

It is unclear from the statements whether Ukrainian law enforcement has any evidence of the use of the Log4Shell vulnerability or if they are using the pervasiveness of the Log4j issue as cover for now until they are able to announce a clearly evidentiary attribution.

What’s Next?

Reduce the likelihood of a damaging cyber intrusion:

  • Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
  • Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
  • Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
  • If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.
  • Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.

Take steps to quickly detect a potential intrusion:

  • Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.
  • Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
  • If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.
  • Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.
  • Assure availability of key personnel; identify means to provide surge support for responding to an incident.
  • Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.

Maximize the organization’s resilience to a destructive cyber incident:

  • Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
  • If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.

Resources for the C-Suite and Crisis Management Team:

Twitter List For Tactical Information: This Twitter list of vetted resources that have reported accurately on tactical moves in the Ukrainian theater can be used to quickly capture the gist of a dynamic military situation.

C-Suite Guide: Improving Cybersecurity Posture Before Russia Invades Ukraine: The capabilities of Russia to conduct cyber espionage and cyber attack have been battle tested and are hard to thwart even during daily “peacetime” operations. They include well-resourced capabilities of the military and intelligence services and also deep technical expertise in the Russian business ecosystem and in organized crime, which operates as part of Russian national power. Proof points of Russian capabilities include the massive and sophisticated SolarWinds attacks, which leveraged low and slow, well-thought-out plans to achieve access to multiple well-protected targets. Ransomware successes by Russian-based criminal networks are also instructive as to the capability of Russian cyber threat actors. The use of malicious self-replicating code (worms/viruses/trojans) to spread malicious code into infrastructure is also well proven, with decades of practice including fielding software that replicates from unclassified to classified systems in the military and spreads throughout critical infrastructure. This post goes beyond an articulation of the threat into recommendations for leaders seeking to mitigate cyber threats from Russia, including threats before, during and after a Ukraine invasion.

What The C-Suite Needs To Know About The Threat To Space Based Systems (and what to do about it): OODA recently updated the analysis below on threats to space-based assets (with a focus on what the C-Suite needs to know) because of tensions with Russia and continued testing of satellite destruction capabilities, the most recent of which (Nov 2021) caused significant increases in dangerous space debris. We recommend this be read in conjunction with our report on what the C-Suite needs to know about the cybersecurity threats due to the coming Russian invasion of Ukraine; see links in the document for more.

Will China Replicate Russia’s Cyber Offensives in a Taiwan Reunification?: The current situation in Ukraine has garnered the world’s attention, with stakeholders watching attentively as the crisis unfolds. Such regional hotspots have the potential of spilling over into neighboring countries and pulling in governments from all over the world in some capacity. The threat of armed conflict escalating into a major global engagement is always a possibility. China and Taiwan are eagerly watching the crisis as well, but largely for different reasons. While Taiwan is interested to see how friendly governments come to Ukraine’s aid, China is observing how Russia may go about reclaiming territory of the former Soviet Union, in an attempt to gain insight into how such an act can be accomplished successfully, should Moscow do just that.

A Warning for the U.S. Chip Industry: Russian Retaliation Could Hit Supply of Key Materials: Russia may retaliate against the U.S. threat of trade sanctions and export curbs by blocking access to key materials like neon and palladium. Ukraine supplies over 90% of U.S. semiconductor-grade neon. This type of supply chain-based retaliation has become a priority concern for the White House, which is encouraging a broad diversification of the supply chain in the event Russia limits access to these key materials.

In 2022, the Strategic Impact of Global Intermodal Supply Chain Gridlock on IT Supply Chain Remains High: The OODA Loop Research Team has been tracking the impact on supply chains from the onset of the pandemic.

Russia’s Long Game, Leadership Lessons, and Learning from Failure: In February of 2021, Matt Devost spoke to Rob Richer, a highly regarded advisor to international executives and global government leaders including several heads of state. Rob has a well-informed perspective on international risks and opportunities and an ability to analyze and distill observations in a way that is meaningful for your decision-making process. In light of the conditions in Europe, this portion of their initial OODAcast conversation is timely and includes a discussion of Richer’s time as the head of CIA Russian Operations, his perspective on U.S./Russian relations (especially the role of cyber), leadership, the role of failure, and decision-making.

Charity Wright on China’s Digital Colonialism: Charity Wright is a Cyber Threat Intelligence Analyst with over 15 years of experience at the US Army and the National Security Agency, where she translated Mandarin Chinese. Charity now specializes in dark web cyber threat intelligence, counter-disinformation, and strategic intelligence at Recorded Future. Her analysis has provided deep insights into a variety of incidents, activities and strategic moves by well resourced adversaries, primarily actors operating in China.

The January 2022 OODA Network Member Meeting: Putin, Russia, Gray Zone Conflict Capabilities and The Future of Europe: To help members optimize opportunities and reduce risk, OODA hosts a monthly video call to discuss items of common interest to our membership. These highly collaborative sessions are always a great way for our members to meet and interact with each other while talking about topics like global risks, emerging technologies, cybersecurity, and current or future events impacting their organizations. We also use these sessions to help better focus our research and better understand member needs.

Additional Context on OODA Reporting on Russia’s Military-Technical Maneuvers in Europe: We are conscious of our need to keep our usual variety of News Brief and OODA Analysis, but for obvious reasons, this week is top-heavy with Russian, NATO, and Ukrainian coverage. We intend to keep our focus on providing the context you need rather than the blow-by-blow of major moves. As in other domains, we endeavor to provide the “So What?” and “What’s Next?” you need to help drive your decisions.

OODA Research Report: The Russian Threat: This special report captures insights into the capabilities and intent of the Russian Threat, with a special focus on the cyber domain. Our objective: provide insights that are actionable for business and government leaders seeking to mitigate risks through informed decisions.

Daniel Pereira

About the Author

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.