Malware, Vulnerability Management, Threat Intelligence

CISA, FBI to US firms: prepare for Ukraine wipers

Jen Easterly, left, director of the Homeland Security Cybersecurity and Infrastructure Security Agency, and Chris Inglis, national cyber director, testify during their confirmation hearing before the Senate Homeland Security and Governmental Affairs Committee on June 10, 2021, in Washington. Federal cybersecurity officials made the case for why the...

The Cybersecurity and Infrastructure Security Agency and the FBI issued a joint alert Saturday warning that the two wiper strains that attacked Ukrainian enterprises in the run-up to Russia's invasion of the country could affect United States businesses. The agencies urged preparedness.

"Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event," the alert writes.

Ukraine has been hit by two strains of wiper malware in distinct attacks since the beginning of the year. In January, Microsoft reported WhisperGate. On Wednesday, in the hours before the invasion, ESET reported HermeticWiper. The wipers were not the only form of cyberattacks seen in Ukraine since the beginning of the year; attackers launched two rounds of coordinated DDoS and SMS spam against the country as well.

The United States has not formally attributed the wiper attacks to Russia, though the CISA and FBI alert connects the attacks to the "unprovoked [kinetic] attack against Ukraine." That is not an attribution, as actors inspired but not directed by Russia could hypothetically be behind the attacks.

According to reports from Broadcom's Symantec division, the CISA and FBI fears wiper attacks might reach beyond Ukraine — either intentionally or accidentally — are founded. Though ESET's telemetry found "hundreds" of victims in Ukraine, Symantec found limited instances in enterprises hit in Latvia and Lithuania.

The CISA and FBI report contains hashes for both strains of wiper, links to the reports from ESET, Symantec and SentinelLabs detailing the malware, including its internals, and advice about how to prepare for potential wiper attacks.

The alert warns that, given the wiper's ability to spread, "it is important for organizations to assess their environment for atypical channels for malware delivery and/or propagation throughout their systems," namely third-party risk — including the risk from antivirus software itself.

It advises that wipers may disable critical components of a network intended to mitigate their wiping, including network storage devices. The alert further urges "targeted assessment and enforcement of best practices," including a secure network topology, identity management, staggering antivirus update times across the network to limit the risk of a malicious update, as well as general hardening of networks and disaster preparation.

"Organizations are encouraged to report incidents to the FBI and CISA...and to preserve forensic data for use in internal investigation of the incident or for possible law enforcement purposes," writes the alert, which includes a contact form to submit information.

In a statement to the press about the alert FBI Cyber Division Assistant Director Bryan Vorndran said the FBI needed the cooperation of enterprises to maximize security.

"We are striving to disrupt and diminish these threats, however we cannot do this alone, we continue to share information with our public and private sector partners and encourage them to report any suspicious activity. We ask that organizations continue to shore up their systems to prevent any increased impediment in the event of an incident," he said.  

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.