Cyber attacks in Ukraine

Data-wiper malware HermeticWiper was reportedly discovered on hundreds of machines on Ukrainian networks. As the malware was deployed directly from Window’s domain controllers, attackers may have had prolonged access prior to execution. In other attacks, another data-wiper malware WhisperGate was also reportedly discovered. Another malware CaddyWiper has been discovered targeting Ukraine; It erases user data and partition information from attached drives. Disruptive DDOS and website defacement attacks were also reported against Ukrainian government, military and economy.

The following is a list of notable incidents and related malware that has been identified so far:

Destructive malware attacks impacting organisations in Ukraine included WhisperGate in Jan 2022, FoxBlade (aka HermeticWiper/Hermetic Wizard) and SonicVote (aka HermeticRansom) in Feb 22. Lasainraw (aka IsaacWiper) was discovered in late Feb.  CaddyWiper is another wiper which can be delivered via GPO, targeting Ukraine. A new wiper malware was discovered to be targeting Russia, RURansom was originally suspected to be a ransomware because of its name, however, it has been revealed to irreversibly destroy encrypted files.

See Our Recommendations section on how to enhance cyber resilience against wiper malware.

Targeting Ukrainian government agencies, phishing emails deployed a file named ‘dovidka.zip’, which contained a Microsoft Compiled HTML help files ‘dovidkda.chm’.  When the malicious VBscript code in the file was executed, MicroBackdoor malware (CVE-20190541) was installed. 

A fake Windows (anti-virus) update (“BitdefenderWindowsUpdatePackage.exe”), described as “critical security update” to increase network security when installed, were distributed by phishing emails that impersonated Ukrainian government agencies. The downloaded file prompted users to install a ‘Windows Update Package”, leading to installation of Cobalt Strike beacons, GrimImplant malware, and GraphsSteel malspam.

A pro-Ukraine cyber-tool offered as a supposedly distributed denial-of-service (DDoS) tool on Telegram, to bring down Russian websites, was in fact an info-stealing malware which compromised the victims instead.

A compromised Ukrainian military email address was used to phish EU government employees who were involved in managing the logistics of refugees fleeing Ukraine, with malicious macro Excel file attachment which downloaded a Lua-based malware dubbed SunSeed.

Phishing emails related to the ongoing conflict lure victims to deploy AgentTesla RAT (remote administration tools), a formidable Malware-as-a-Service tool. Other RAT tools like Quasar RAT were dropped in emails within a zip file named Ukraine Report_Final.zip by unknown threat actors. RAT tools exfiltrate data such as credentials from software programmes, and perform screen capture and keylogging.

Ensign Posture & Monitoring

Ensign has stepped up monitoring operations as part of our ongoing vigilance and will advise users of any anomalous cyber activities detected. Please approach us if you require further assistance.

Our Recommendations

Reduce the likelihood of a cyber intrusion

• If your organisation has any business relations with Ukrainian organisations, take extra care to monitor, inspect, and isolate traffic from those organisations; closely review access controls for that traffic
  
  
• Take extra steps to assess unusual or unexpected network behaviours
  
  
• Organisations should take steps to harden their networks. These steps are effective against destructive and disruptive cyber attacks like how they are effective against ransomware. Find out more about Ensign's Anti-Ransomware Suite: click here
  
  
• Review and validate all remote access to your organisation’s network and privileged or administrative access requires multi-factor authentication
  
  
• Disable all ports and protocols that are not essential for business purposes; if the organisation is using cloud services, ensure strong access controls are implemented (https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-013a)
  
  
• Ensure software is up-to-date, prioritising patches that address vulnerabilities. Increase vulnerability scanning to complement patch activities
  
  
• Implement thematic keyword monitoring for emails where possible to detect for any potential phishing campaigns
  
  
• In the observed wiper attacks, additional hardening configurations when enabled will bring more resilience to your organisation’s defences:
  
  
  • Tamper protection prevents common techniques observed to disable security protections on endpoints. (How to set tamper protection: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide)
    
    
  • Controlled folder access allows only trusted apps to access protected folders. (How to set Controlled folder access - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders?view=o365-worldwide)

Quickly detect any potential cyber intrusion

• For publicly accessible IT assets, encourage low-threshold reporting and consistent logging of issues
  
  
• For WatchGuard firewall appliances which are identified as infected with Cyclops Blink, replace any passwords present on the device
  
  
• Refer to WatchGuard’s 4-Step Cyclops Blink Diagnosis and Remediation Plan (https://detection.watchguard.com/)
  
  
• A list of indicators of compromise (IoC) and Yara rules for Cyclops Blink are available in NCSC’s Cyclops Blink Malware Analysis Report (https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf)

  Ensure that the organisation’s network is protected by antivirus/antimalware software and that signatures in these tools are updated

• A list of IoC for the destructive data-wiper malware WhisperGate and HermeticWiper are available in CISA’s alert (https://www.cisa.gov/uscert/ncas/alerts/aa22-057a)
  
  
• A technical analysis on the multiple infection vectors of the HermeticWiper malware and YARA rules to detect the malware is available in Insikt Group’s Malware/Tools Profile Report (https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf)
  
  
• Based on the known Russian state-sponsored TTPs (https://www.cisa.gov/uscert/ncas/alerts/aa22-047a), look for behavioural evidence or network and host-based artifacts
  
  
  • Review authentication logs for system and application login failures of valid accounts. Look for multiple, failed authentication attempts across multiple logins
    
    
  • Look for logins with changing username, agent strings and IP address which do not align to the expected user’s geographic location
    
    
  • Look for processes and program execution command-line arguments that may indicate credential dumping, attempting to access or copy ntds.dit (contains Active Directory data) file from the domain controller.

    For Operational Technology (OT)/Industrial Control Systems (ICS):

    • Look out and investigate any unexpected equipment behavior, such as unexpected reboots of digitally controlled and other OT hardware and software

    • Record delays or disruptions in communication with field equipment or other OT devices.  Determine if system parts or components are lagging or unresponsive

• Refer to (https://blog.cyble.com/2022/03/11/ongoing-russia-ukraine-warfare-significant-cyber-incidents/) for IoCs on RuRansom, MicroBackdoor, dovidka.chm, RuRAT, QuasarRAT, AgentTesla, FormBook, DonationScam
  
  
• Refer to (https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails) IoCs on Sunseed malware
  
  
• Based on the observed wiper attacks, many have made use of known malware and intrusion tactics, techniques, and procedures (TTPs), look out for behavioural evidence or artifacts for:
  
  
  • Suspicious remote activity
    
    
  • Suspicious access to LSASS service
    
    
  • AV software settings modification
    
    
  • Suspicious remote activity
• If there are incidents that indicate one or more of the above listed indicators together, it is important that you prioritise the investigation of the affected devices/endpoints.

Be prepared on detecting a cyber intrusion

• If you detect potential cyber attack activities in the IT or OT networks:
  
  
  1. Immediately isolate affected systems
     
     
  2. Secure backups. Ensure your backup data is offline and secure.  If possible, scan your backup data with an antivirus program to ensure it is free of malware
     
     
  3. Collect and review relevant logs, data, and artifacts
     
     
  4. Consider support from subject matter expert, to ensure the actor is eradicated from the network
     
     
  5. Implement remediation measures such as removal of any potentially malicious artifacts, to avoid residual issues that could enable follow-on exploitation

Limit the impact of a destructive cyber attack

• Ensure backups are secured and isolated from network connections
  
  
• Test backup procedures to ensure that critical data can be rapidly restored if the organisation is impacted by ransomware or a destructive cyber attack
  
  
• For ICS and OT assets, organisations should have a cyber resilience plan that addresses how to ensure critical functions remain operable, if the organisation’s network is unavailable or untrusted

Ensign will continue to provide updates on this situation, and keep you informed of any additional recommendations. If you require further assistance, please contact us at marketing@ensigninfosecurity.com.

References:

1. https://www.bleepingcomputer.com/news/security/ukrainian-government-and-banks-once-again-hit-by-ddos-attacks
   
   
2. https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
   
   
3. https://www.watchguard.com/wgrd-news/blog/important-detection-and-remediation-actions-cyclops-blink-state-sponsored-botnet 
   
   
4. https://www.cisa.gov/uscert/ncas/alerts/aa22-054a
   
   
5. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia 
   
   
6. https://www.cfr.org/cyber-operations/sandworm
   
   
7. https://www.lrt.lt/en/news-in-english/19/1622863/cyber-spillover-from-ukraine-threatens-baltics-media
   
   
8. https://github.com/curated-intel/Ukraine-Cyber-Operations
   
   
9. https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine
   
   
10. https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf
    
    
11.  https://threatpost.com/malware-posing-russia-ddos-tool-bites-pro-ukraine-hackers/178864/
    
    
12. https://threatpost.com/phishing-campaign-targeted-those-aiding-ukraine-refugees/178752/
    
    
13. https://portswigger.net/daily-swig/government-agencies-in-ukraine-targeted-in-cyber-attacks-deploying-microbackdoor-malware
    
    
14. https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/
    
    
15.  https://blog.cyble.com/2022/03/11/ongoing-russia-ukraine-warfare-significant-cyber-incidents/
    
    
16. https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/
    
    
17. https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails