U.S. warns about threat of wiper malware being used beyond Ukraine


The FBI and CISA have issued a warning about the possibility that data-wiping malware observed in Ukraine might end up impacting organizations outside the country.

Ukraine, which has been under unprovoked attack by Russia since Thursday, has been struck with a series of wiper cyberattacks since January.

In a joint advisory, the FBI and CISA (the federal Cybersecurity and Infrastructure Security Agency) cited the wiper attacks against Ukrainian government agencies in January, known as WhisperGate, and those last week against Ukraine’s defense ministry, known as HermeticWiper.

Data-wiping malware can “present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data,” the agencies said in the joint advisory, posted on the CISA website.

“Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries,” CISA and the FBI said in the advisory. “Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.”

The advisory includes details on the wiper malware researched to date, along with indicators of compromise (IOCs) intended to help organizations detect and prevent wiper malware.

On CISA’s separate “Shields Up” page, the agency continues to hold that “there are no specific or credible cyber threats to the U.S. homeland at this time” in connection with Russia’s actions in Ukraine.

Wiper attacks

In January, the wiper malware known as WhisperGate was deployed against a number of Ukrainian agencies. Ukraine has blamed Russia for those attacks.

Last Wednesday, the Ukrainian defense ministry and private sector businesses were hit with the destructive malware, just prior to the Russian invasion. That wiper has been referred to as “HermeticWiper” by researchers, and in some cases included ransomware as a “decoy or distraction,” researchers at Symantec said.

The Washington Post and VentureBeat reported Sunday that data-wiping malware hit a Ukraine border control station over the weekend, forcing border agents to process refugees fleeing the country with pencil and paper and contributing to long waits for crossing through the station into Romania.

The wiper cyberattack appears to have only impacted the Ukrainian border control, and not the Romanian station, according to a cybersecurity expert, Chris Kubecka, who spoke with agents at the border crossing. The Ukraine border control was verifying those leaving the country because of the requirement that males ages 18 to 60 remain in Ukraine, Kubecka said.

The State Border Guard Service of Ukraine and the Security Service of Ukraine did not respond to email requests for comment from VentureBeat.

Increased risks

Cyber experts are warning Western nations of an increased risk of cyberattacks from Russia as the attacks on Ukraine continue and the West responds with stiff sanctions. Both the Russian government itself and affiliated cybercriminal gangs possess significant cyberattack capabilities, and Russia has a history of using them in geopolitical contexts. Authorities in the U.S. and U.K. blamed Russia for massive distributed denial-of-service (DDoS) attacks in Ukraine earlier this month.

In assessing the size and scope of Russia’s military campaign in Ukraine, “this attack has been in the planning for years,” said Eric Byres, CTO of cyber firm aDolus Technology, in an email. “Efforts to prepare their cyber campaign will have matched the efforts on the ground, so you know that Russia will have cyberattack resources that match their military ones.”

In particular, Russian threat actors have almost certainly compromised software supply chains that are not yet publicly known, according to cyber experts, and in any cyberwar maneuvers targeting the West, they might choose to use that access.

“I’m willing to bet that the Russians haven’t used even a fraction of the bullets in their cyber arsenal,” Byres said.

Originally appeared on: TheSpuzz