The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged a “Shields Up” defense-in-depth approach as Russian use of wiper malware in the Ukrainian war escalates. The Russian malware “HermeticWiper” and “WhisperGate” are destructive attacks that corrupt the infected computer’s master boot record, rendering the device inoperable. The wipers effectuate a denial of service attack designed to render the device’s data permanently unavailable or destroyed. Although the malware to date appears to be manually targeted at selected Ukrainian systems, the risk of a spillover effect to Europe and the United States is now escalating, particularly as to: (i) targeted cyber attacks, including on critical infrastructure and financial organizations; and (ii) use of a rapidly spreading, indiscriminate wiper like the devastating “NotPetya,” which quickly moves across trusted networks. Indeed, Talos researchers have found functional similarities between the current malware and “NotPetya,” which was attributed to the Russian military and targeted Ukrainian organizations in 2017, but then quickly spread around the world, reportedly resulting in over $10 billion in damage. The researchers added that the current wiper includes even further components designed to inflict damage.
The CISA alert issued on February 26, 2022 warns that, “[d]estructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.” The United Kingdom’s National Cyber Security Centre (NCSC) has also issued an alert emphasizing, “Recent cyber activity in and around Ukraine fits with the pattern of Russian behavior previously observed, including in the damaging NotPetya incident.” Our blogs consistently highlight the intersection of cybersecurity legal requirements and information security safeguards, and the importance of a risk-based defense in depth: for example, addressing risks from cyber threats in the supply chain, Internet of Things (IoT) devices and related IoT standards, and the remote workforce, and employing NIST and other risk reduction frameworks. Regulatory obligations require a risk-based approach to cybersecurity, and, right now, as highlighted by the CISA and NCSC guidance, the risk is higher than normal and escalating.
The defense-in-depth guidance provided by CISA and NCSC is comprehensive, but it is worth highlighting certain key steps that deserve particular attention right now given the current crisis:
- communicate to every employee the need to be hyper-vigilant and on guard for phishing, smishing and other social engineering attacks. It is a good time to emphasize the cyber risks the Ukraine war poses to the organization and the increased possibility of targeted cyber attacks, and to remind staff never to open untrusted links or email attachments. Advise employees to report any unusual activity immediately.
- ensure that backups are in place, logically and physically segregated from other systems, and fully tested, so that in the event of a wiper or other denial of service attack on the availability of systems and data, the organization is confident that operations can be restored. Review the organization’s Incident Response Plan now in light of the ongoing events in Ukraine.
- if a device becomes infected with a wiper, immediately disconnect the infected computer, laptop or tablet from all network connections, whether wired, wireless or mobile-phone based. See NCSC, Mitigating Malware Attacks.
- in urgent circumstances, if your organization becomes infected across multiple devices, consider whether to take the defensive measure of temporarily unplugging your network from the internet, including disabling core network connections, to limit damage. Plan now for this possibility, weighing the costs and benefits, because you may have to make an immediate decision (e.g., NotPetya spread around the globe, jumping from trusted network to trusted network at a rapid pace). See NCSC, Steps to take if your organisation is already infected.
- as part of your Incident Response Plan, have in place alternative means to communicate with your workforce if an incident occurs and you cannot use your email, voice over IP or other normal communication channels. This should be a key element in your planning.
- run an updated vulnerability scan on all internet-facing systems and, as always, eliminate unneeded ports and services. CISA has published a list of the most commonly exploited vulnerabilities. Per NCSC guidance: “Perform an external vulnerability scan of your whole internet footprint and check that everything you need to patch has been patched. Internet-connected services with unpatched security vulnerabilities are an unmanageable risk.”
- have in place a plan in the event your supply chain is disrupted. Plan now for alternatives if one of your partners or suppliers suffers a wiper or other denial of service attack, resulting in unavailability of services.
- secure your Domain Name System (DNS) service, the Internet’s phonebook. Be prepared for a denial of service attack on your primary DNS. Your organization should also be actively monitoring its DNS traffic for indicators of compromise and to track malware, including the source and the endpoints infected. See our blog articles here and here, and presentation, and, e.g., CISA, Technical Approaches to Uncovering and Remediating Malicious Activity.
EBG is available to assist in connection with CISA’s and NCSC’s guidance and to prepare for near-term cyber risks. As CISA states: “While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies. Every organization—large and small—must be prepared to respond to disruptive cyber activity.”
Any questions may be directed to the author.
Brian G. Cesaratto is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH).
See Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired (August 22, 2018).