Following months of preparation and cyber-attacks, Russia has finally chosen the timing to widen its attack on Ukraine from the cyber domain to a kinetic war. As we assessed in an earlier article published on February 2nd, the escalation of the war initiated by Russia includes multiple continuous cyber-attacks, all on government and financial assets in Ukraine, and they will probably continue to be a part of this campaign. We have already seen indications of another worrisome option: attacks on critical infrastructure such as electricity, water, and hospitals.
As we mentioned before, Russia’s APTs are known to have acted against regime targets in social, psychological, and financial attacks in many countries. Now there is no doubt that the attacks that started to surface last month are a standard part of their military campaigns. The tools used on Ukrainian assets are just a small example of Russian capabilities.
The first of them (branded WhisperGate) was the alleged ransomware that wasn’t really ransomware, but rather a two-phase malware designed to either destroy all data on the HDD or render the machine unusable.
Another example, observed the same day the military assault began, is a wiper known as HermeticWiper or KillDisk.NCV. However, samples of this malware were dated to the end of December, making it clear that these attacks had been in the works for a long time. This wiper abuses legitimate drivers to conduct its destructive actions, and in at least one case it was launched from a Windows domain controller. We should mention that this attack was coordinated with a massive DDoS attack against several Ukrainian government and banking institutions.
Lastly, we also saw Cyclops Blink, which exploited hundreds of thousands of home and small-business devices and was attributed to the Russian-backed Sandworm hacking group, which had previously attacked Ukrainian targets.
We cannot be sure that this was Russia’s goal from the get-go, but at this point every move we will see in the coming days will have a conscious goal built into it. As these events continue to unfold, we will continue to watch closely and learn from them. Furthermore, as Europe and the United States continue their protests from the outside through (financial) sanctions, the chances that cyber-attacks, with both disruptive tools and defacements, will widen to government and financial entities in the rest of Europe and the United States are pretty high.
We recommend that companies take the following steps:
- Make sure your sites’ infrastructure is up to date with the latest patches. If you’re using WordPress, make sure plugins and themes are updated as well.
- After you’re done updating, scan your site for vulnerabilities to verify nothing was missed.
- Make sure your WAF service/appliance is updated with the latest signatures. If possible, enable geo-location and restrict traffic to valid locations.
- Verify your sites’ backups. If need be, back up your site ASAP and keep the backup in a secure location.
- Verify your anti-DDoS configuration and make sure your site is under protection.
- Monitor your sites for suspicious behavior, and instruct your analysts to be on high alert.