A warning has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) to organizations in the United States to take steps to strengthen their defenses against wiper malware attacks following the recent cyberattacks in Ukraine.
The attacks in Ukraine involved a new wiper malware – dubbed Whispergate by Microsoft – that was used in attacks on multiple government, non-profit, and information technology organizations. Dozens of websites belonging to Ukrainian government agencies were also targeted and defaced. Ukraine has recently announced that the attacks are thought to have been coordinated and are part of an effort to cause damage to the infrastructure of state electronic resources. Ukraine also said it has found evidence that the attacks were conducted by a threat group tracked as UNC1151/Ghostwriter, which is a cyber-espionage group affiliated with Belarus. The malware is similar to wiper malware variants that have been used by Advanced Persistent Threat (APT) groups linked to Russian intelligence.
The Whispergate wiper malware has been used on companies and government agencies in Ukraine; however, there is a risk that the attacks may also be conducted on U.S. organizations with links to Ukraine or indeed any U.S. organization. Similar wiper malware – NotPetya – was used in attacks on organizations in Ukraine and caused significant damage to critical infrastructure. The NotPetya attacks in 2017 were also conducted globally and hit many U.S. companies causing significant and widespread damage.
Whispergate malware wipes the Master Boot Record (MBR) on Windows systems rendering the devices inoperable and displays a fake ransom note. The malware has no mechanisms that allow systems to be recovered even if the ransom is paid. Whispergate is a two-stage malware that first wipes the MBR and displays the ransom note and executes when the device is powered down. The second stage is a file corruptor, which is run in the memory and corrupts files in certain directories using hardcoded file extensions. The first stage bricks the device while the second stage ensures files cannot be recovered.
The CISA Insights bulletin details some of the steps U.S. organizations can take to strengthen their defenses against wiper malware attacks to reduce the likelihood of a successful attack, and guidance for quickly detecting an intrusion and improving resilience to attacks
To reduce the likelihood of a damaging cyberattack
- Validate that all remote access to the network and privileged/administrative access requires multi-factor authentication.
- Update all software and ensure vulnerabilities that are known to have been exploited are addressed first
- Confirm that all non-essential ports and processes are disabled
- Ensure that CISA guidance is followed for securing cloud services
- Sign up for CISA’s free cyber hygiene services
To detect a potential intrusion promptly
- Ensure the cybersecurity staff is focused on identifying and assessing unexpected and unusual network behavior
- Confirm the entire network is protected by antimalware software and the signatures are set to be updated automatically
- If the organization works with any Ukrainian organizations, ensure all traffic is monitored, inspected, and isolated, and closely review access controls for that traffic
Ensure a rapid response is possible
- Create a crisis response team with dedicated roles and responsibilities including technology, communications, and business continuity
- Ensure the availability of key personnel and that it is possible to provide surge support for responding to an attack
- Conduct exercises to ensure all members of the team are aware of their responsibilities should an incident occur
Improve resilience to destructive cyberattacks
- Test backups to ensure critical data can be restored in the event of an attack
- Ensure backups are isolated from network connections
- Conduct a test of manual controls for ICS and OT to ensure critical functions remain operational in the event of the network being unavailable.