Cyberattacks in Ukraine have recommenced following the Russian invasion of Ukrainian territory. Ukrainian government agencies have also been hit with DDoS attacks that took their websites offline, in what appears to be an attempt to destabilize the country, and a new wiper malware has been identified that has been used on hundreds of targets in the country.
In contrast to ransomware, wiper malware’s sole purpose is the destruction of data to render operating systems inoperable. Once deployed, there is no option of recovering the deleted data. Symantec said its Threat Hunter telemetry shows the wiper malware has been used in hundreds of attacks in Ukraine, and also in Latvia and Lithuania. ESET reports that the malware was compiled in late December, indicating these were premeditated attacks; in at least some of the attacks, it would appear that the threat actors had access to the systems for some time before deploying the malware. After corrupting files, the malware forces a reboot, which renders the device inoperable.
Russian Sandworm APT Group Replaces VPNFilter Malware
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that the VPNFilter malware previously used by the Sandworm/Voodoo Bear Advanced Persistent Threat (APT) group – widely believed to be a cybermilitary unit of the Russian military intelligence agency (GRU) – has been replaced with malware called Cyclops Blink. Sandworm has previously been responsible for several attacks serving Russian interests, including the NotPetya wiper malware attacks in 2017, the BlackEnergy attacks on the Ukrainian electricity grid in 2015, and, more recently, disruptive cyberattacks in Georgia in 2019.
CISA says that like its predecessor, attacks involving Cyclops Blink appear to be indiscriminate and widespread. Cyclops Blink is described as “a large-scale modular malware framework which is targeting network devices,” and the malware has been in use since at least June 2019. “The malware itself is sophisticated and modular with basic core functionality to beacon device information back to a server and enable files to be downloaded and executed. There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required,” explained CISA.
President Biden Warns of Potential Attacks on U.S. Businesses and Local Government
President Biden has issued a warning to businesses and local governments in the United States about the risk of retaliatory cyberattacks by Russian threat groups after new sanctions have been imposed on Russian financial institutions, Russian sovereign debt, and Russian oligarchs and their families due to the recent Russian invasion of Ukraine.
According to CNN, the FBI has also issued a warning about the increased risk of ransomware attacks on businesses, local governments, and critical infrastructure and has advised them to take steps to prepare for potential attacks, including assessing how a ransomware attack could disrupt critical services. While the official line is that there are no specific, credible threats to the United States at this time, it is possible that Russian-speaking cybercriminals may choose to step up their attacks on U.S. targets.