This week, Russia sent its military to invade various parts of Ukraine at the country’s borders. This invasion, driven in part by Russia’s annexation of Crimea in 2014 and proclamation that two republics in the eastern part of the country – the Donetsk People’s Republic and the Luhansk People’s Republic as Russian territory – is an escalation that includes an aggressive cyberattack component.
Several Ukrainian banks and government departments have become completely inaccessible through distributed denial of service attacks (DDoS), activity of a new malicious wiper called “HermeticWiper” and another new malware called “Cyclops Blink.” Various threat intelligence sources are attributing this activity to Russian Advanced Persistent Threat Groups APT28, APT29 and Sandworm.
Current guidance from the Cybersecurity & Infrastructure Security Agency (CISA) states there is no credible intelligence regarding cyberattacks on U.S. organizations. Organizations should still continue to be vigilant, especially if they perform critical infrastructure roles or perform business operations with government entities or the country of Ukraine.
Phishing tends to be the most popular way bad actors deploy their malware. Here are two specific types of attacks we’ve seen Russia use:
HermeticWiper deploys a signed driver that releases a wiper to erase Windows devices after deleting shadow copies and manipulating the Master Boot Record (MBR). The telemetry of HermeticWiper shows the malware has been installed on hundreds of machines in Ukraine. The timestamp on the creation of the malware is Dec. 28, 2021, implying the attack may have been planned since at least then.
SentinelOne has released a review of HermeticWiper and states that SentinelOne users are protected against this threat and no action is required. Technical details and IOCs for HermeticWiper can be found here.
Cyclops Blink, suspected to be deployed by Sandworm, has currently been seen targeting WatchGuard devices, but likely could be modified to target others as well. If infected, Cyclops Blink persists on reboot and throughout the legitimate firmware update process.
WatchGuard has been working closely with the FBI, CISA and NCSC, and has provided tooling/guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. As of writing, it is estimated that ~1% of WatchGuard firewall appliances are affected.
WatchGuard has provided “simple and easy-to-implement” steps, Cyclops Blink detection tools, and a four-step diagnosis and remediation plan to help clients diagnose and remediate if necessary. That advisory/guidance can be found here.
Nuspire has multiple sources of intelligence across endpoints, network and cloud assets. We are actively threat hunting internally and across client devices for any indicators of compromise and will continue to hunt new IOCs as they become available. Our SOC is on a heightened alert and sensitive to the active hunts that are ongoing as part of our Nuspire services. As of writing, Nuspire has no known vulnerabilities to the mentioned threats.
It’s important to remain vigilant. Make sure you patch the systems that need to be patched. Now would also be a good time to implement any of the cybersecurity strategies you might have put on the backburner. You should also think about disabling all non-business critical services that are exposed to minimize attack vectors. And beware of emails with suspicious attachments/phishing lures, as these often are used as initial infection vectors.
Nuspire will continue to monitor the situation and provide any updates of credible threats as they emerge.