UPDATE: Ukrainian Cyber Attacks Heightened Due To Global Conflicts
In the ongoing conflict between Russia and Ukraine, security researchers have observed cyberattacks against Ukrainian government departments: distributed denial-of-service (DDoS) floods that overwhelm sites with Internet traffic, and data-wiping malware. Ukrainian government analysis has linked the software and tactics to Russian threat actors. To help organizations outside Ukraine that may be affected, government agencies have published advisories with guidance on preventing, detecting, and responding to these intrusions.
What Is The Threat?
As tensions escalate between Russia and Ukraine, two malware threats have surfaced, infecting numerous computers and network devices. Labeled “Cyclops Blink” and “WhisperGate”, both have been used against Ukrainian government agencies and organizations and have been attributed to Russian threat actors. Cyclops Blink is a modular botnet malware that infects WatchGuard firewall appliances; compromised devices are enrolled in a botnet under the attacker's command and control. WhisperGate masquerades as ransomware but is in fact a wiper: it overwrites the device's Master Boot Record (MBR) and corrupts files on the hard drive, then displays a ransom note implying the data will be recovered if the ransom is paid. It will not be.
Why Are The Ukrainian Cyber Attacks Noteworthy?
Since this string of attacks against Ukrainian organizations is ongoing, organizations elsewhere should expect an elevated risk of cybersecurity attacks and incidents that spill over into other countries. CISA (US) and the UK's NCSC have published advisories to help organizations protect their critical assets from this malware. Although no specific threats against the US homeland have been identified so far, there is a potential risk that the Russian government could take destructive action against targets outside Ukraine.
What Is The Exposure Or Risk For You In Relation To The Ukrainian Cyber Attacks?
Cyclops Blink has been deployed to WatchGuard firewall appliances and, according to WatchGuard, affected approximately 1 percent of the firewall appliances used by its business customers. Once a device is infected, the malware can upload files to and download files from its command-and-control (C2) server, collect information about the device, and update itself. It also abuses the device's legitimate firmware update mechanism to persist, so a reboot does not remove it.
WhisperGate is a three-stage MBR (Master Boot Record) wiper built to destroy the MBR and corrupt files on attached storage devices. The infected device displays a ransom message claiming that the hard drive has been corrupted and that the data can be recovered only after the ransom is paid. This is a ruse: the malware is purely destructive, leaves infected devices inoperable, and the data cannot be recovered even if payment is made.
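The MBR is the first 512-byte sector of a disk: 446 bytes of boot code, a 64-byte partition table, and the 0x55AA boot signature. A wiper of the kind described above replaces the boot code with a note and destroys the partition table, which an incident responder can spot from a raw dump of sector zero. The script below is an added example for this advisory, not code from the malware or from ESC: it parses the partition table, checks whether the boot-code area looks like text rather than machine code, and searches for ransom-note keywords. The two sample sectors and the keyword list are constructed for illustration.

```python
"""Triage a raw Master Boot Record (the first 512 bytes of a disk) for signs
that it has been overwritten by a wiper that plants a fake ransom note.
Added example for this advisory, not code from the malware or from ESC;
the sample sectors and the keyword list are constructed, not captured."""
import string
import struct
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a bootable MBR
PARTITION_TABLE_OFFSET = 446           # four 16-byte entries follow the boot code
PRINTABLE = set(string.printable.encode("ascii"))
# Words typical of the "your drive is corrupted, pay to recover" message
# described above (assumed list; tune to your own indicators).
NOTE_WORDS = (b"corrupted", b"recover", b"ransom", b"pay")


def parse_partition_table(sector: bytes) -> list[dict]:
    """Decode the four classic MBR partition entries."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def analyze_mbr(sector: bytes) -> dict:
    """Return a verdict plus the reasons for it."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    bootstrap = sector[:PARTITION_TABLE_OFFSET]
    nonzero = [b for b in bootstrap if b != 0]          # ignore zero padding
    text_ratio = sum(b in PRINTABLE for b in nonzero) / max(1, len(nonzero))
    entries = parse_partition_table(sector)
    usable = [e for e in entries
              if e["status"] in (0x00, 0x80) and e["type"] != 0 and e["sectors"] > 0]
    bad_status = any(e["status"] not in (0x00, 0x80) for e in entries)
    note_hits = [w.decode() for w in NOTE_WORDS if w in bootstrap.lower()]

    reasons = []
    if sector[510:] != BOOT_SIGNATURE:
        reasons.append("boot signature 0x55AA missing")
    if not usable or bad_status:
        reasons.append("partition table empty or invalid")
    if text_ratio > 0.6:
        reasons.append(f"boot code area is {text_ratio:.0%} printable text, not x86 code")
    if note_hits:
        reasons.append("ransom-note keywords: " + ", ".join(note_hits))
    return {"suspicious": bool(reasons), "reasons": reasons,
            "partitions": len(usable), "text_ratio": round(text_ratio, 2)}


def _build_mbr(bootstrap: bytes, entries: list[tuple]) -> bytes:
    """Assemble a constructed 512-byte sector for demonstration."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries).ljust(64, b"\x00")
    return bootstrap.ljust(PARTITION_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


# Constructed samples: a few bytes of ordinary boot code with one NTFS
# partition, and a sector whose boot code was replaced by a note and whose
# partition table was zeroed.
HEALTHY_MBR = _build_mbr(
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06",
    [(0x80, 0x07, 2048, 1_000_000)])
WIPED_MBR = _build_mbr(
    b"Your hard drive has been corrupted. Pay to recover your data.", [])

if __name__ == "__main__":
    # Usage: python mbr_triage.py /dev/sda  (or a disk image); needs read access.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    sample = open(path, "rb").read(SECTOR_SIZE) if path else WIPED_MBR
    print(analyze_mbr(sample))
```

Run it against a forensic image rather than the live disk where possible; a wiped sector will still carry the 0x55AA signature (the fake note has to boot to be displayed), so the signature alone proves nothing, and the partition-table and text-ratio checks are what separate the two samples.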
What Are The Cyber Security Recommendations For Your Organization?
ESCMSP recommends that organizations maintain an offsite backup strategy, with at least one copy kept offline or otherwise unreachable from production systems and restores tested regularly, so that a wiper such as WhisperGate cannot destroy the backups along with the data. If your organization uses WatchGuard firewall appliances, disable unrestricted management access from the internet (restrict management to trusted internal or VPN addresses) and update the appliance to the latest firmware (Fireware OS) version. Also, keep all other software up to date with the latest patches.
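One way to check the management-access recommendation against a firewall's policy list, as an added example that is not a WatchGuard tool or ESC's code: the script audits allow rules that let non-private sources reach management ports on the appliance itself and produces a hardened copy. The policy format, the set of management ports (including 4118, assumed here as a vendor management port) and the sample policies are assumptions constructed for illustration; adapt them to the appliance's actual export format.

```python
"""Audit a firewall's policy list for management services reachable from
the internet, and produce a hardened copy.  Added example for this
advisory, not a vendor tool: the policy format, the port numbers and the
sample policies are assumptions constructed for illustration."""
import copy
import ipaddress

# Ports assumed here to expose device management (SSH, HTTPS web UI,
# vendor management protocol, alternate web UI).  Adjust to the appliance.
MANAGEMENT_PORTS = {22, 443, 4118, 8080}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(source: str) -> bool:
    """True when every address in the source range is private (RFC 1918)."""
    net = ipaddress.ip_network(source, strict=False)
    return any(p.version == net.version and net.subnet_of(p) for p in RFC1918)


def find_exposed_management(policies: list[dict]) -> list[dict]:
    """Allow rules that let non-private sources reach management ports on the firewall."""
    findings = []
    for p in policies:
        if not p.get("enabled", True) or p["action"] != "allow" or p["to"] != "firewall":
            continue
        if p["port"] not in MANAGEMENT_PORTS:
            continue
        external = [s for s in p["from"] if not is_internal(s)]
        if external:
            findings.append({"policy": p["name"], "port": p["port"],
                             "external_sources": external})
    return findings


def harden(policies: list[dict]) -> list[dict]:
    """Return a copy in which flagged rules keep only private sources.
    A rule left with no source is disabled rather than deleted, so the
    change stays visible for review."""
    hardened = copy.deepcopy(policies)
    flagged = {f["policy"] for f in find_exposed_management(policies)}
    for p in hardened:
        if p["name"] in flagged:
            p["from"] = [s for s in p["from"] if is_internal(s)]
            if not p["from"]:
                p["enabled"] = False
    return hardened


# Constructed policies; "0.0.0.0/0" stands in for an "Any-External" alias.
SAMPLE_POLICIES = [
    {"name": "WebUI-Admin", "action": "allow", "from": ["0.0.0.0/0"],
     "to": "firewall", "port": 8080, "enabled": True},
    {"name": "Mgmt-Protocol", "action": "allow", "from": ["10.0.0.0/8", "203.0.113.0/24"],
     "to": "firewall", "port": 4118, "enabled": True},
    {"name": "SSH-Admin", "action": "allow", "from": ["192.168.1.0/24"],
     "to": "firewall", "port": 22, "enabled": True},
    {"name": "Public-Web", "action": "allow", "from": ["0.0.0.0/0"],
     "to": "dmz", "port": 443, "enabled": True},       # not the firewall itself
    {"name": "Old-Admin", "action": "allow", "from": ["0.0.0.0/0"],
     "to": "firewall", "port": 443, "enabled": False},  # already disabled
]

if __name__ == "__main__":
    for f in find_exposed_management(SAMPLE_POLICIES):
        print(f"EXPOSED: {f['policy']} port {f['port']} from {f['external_sources']}")
    print("after hardening:", find_exposed_management(harden(SAMPLE_POLICIES)))
```

The audit flags only rules whose destination is the firewall itself, so a public web server behind the appliance on port 443 is not a false positive, and it ignores rules that are already disabled. The hardened copy is a proposal to diff and apply through the appliance's own management tooling, not a replacement for it.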
Businesses of all sizes, in all markets, have trusted Enterprise Solutions Consulting for more reliable, better performing, more cost-effective IT support services. Contact Enterprise Solutions Consulting today to schedule a free internal IT assessment of your cyber security, systems, and a budget forecast.
“After years of poor availability and uptime, it has been refreshing to see five-plus years of ‘five nines.’ Thank you, ESC.”
– Digital Director, Bridgestone