For months, the world has been aware of Russia's military build-up near the Ukrainian border and the escalating tensions. To many militaries (including Russia's), cyber is another legitimate dimension of warfare, and in many cases a preferred one. For some years, Russian APTs have been known to act against targets in many countries with social, psychological, and financial attacks. What we have seen in Ukraine in the past weeks is consistent with that MO, but it is probably only part of a wider cyber campaign being conducted against Ukraine.
By all appearances, Russia has decided to engage with Ukraine and is doing so in the cyber domain by attacking multiple government, non-profit, and information technology organizations. It is therefore highly likely that this malware is, in fact, Russian, although it has yet to be officially attributed. We can say with a fair amount of certainty that if Russia decides to escalate this confrontation, a ground military assault would be accompanied by further cyber-attacks.
So far, these acts have helped build up tension but still fall below the threshold that would trigger a kinetic response. Judging from past experience with Russia, this attack might very well precede a full military attack, but that is for Russia to decide. In the meantime, governments in Europe and the US are warning of the possible ramifications should these events escalate.
This is not what we would call a novel attack, but it is a cunning one. The way it was conducted indicates that a lot of thought went into it and that it had been in the works for a long time, giving the actors detailed knowledge of the targeted systems. In our assessment, the goal of this group, assuming it is indeed Russian, is to disrupt life in Ukraine across the board.
This malware succeeds in doing just that. It not only forces victims to spend time on damage assessment and backup restoration; until it was discovered that the malware had no restoration tool built into it, it could also have sent them on a futile and costly effort to pay the attacker, wasting precious time. Furthermore, the existence of two stages suggests that the malware was aimed at different types of organizations. For government organizations (which probably run older OS versions and hardware) that keep data on cloud or network drives rather than on the machine, the first stage corrupts the machine's MBR and thus prevents the PC from completing its boot sequence, taking it out of working order. The second stage corrupts files and is aimed at newer OS versions and hardware (probably in technology organizations) that tend to store files on the machine.
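The damage the first stage does to the MBR is something a responder can check directly on an image of the disk's first sector. The following is an added example, not code from the original analysis: it parses a 512-byte MBR, verifies the 0x55AA boot signature and the partition table, and compares a SHA-256 of the boot-code region against a baseline that is assumed to have been recorded while the machine was known-good (for instance at provisioning). The sample sectors are constructed for illustration and do not reproduce the malware's own sector; the function and constant names are ours.

```python
"""MBR integrity check for the effects of a boot-sector wiper.

Added example, not part of the original post. Sample sectors are constructed;
the baseline hash is assumed to come from a known-good capture of the same disk.
"""
from __future__ import annotations

import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: boot code (plus disk signature area)
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR
GPT_PROTECTIVE_TYPE = 0xEE    # a GPT disk carries a single protective entry of this type


def parse_partition_table(sector: bytes) -> list[dict]:
    """Return the four MBR partition entries; an all-zero entry is unused."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def baseline_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region, recorded from a known-good sector."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_bootcode_sha256: str) -> list[str]:
    """Return a list of findings; an empty list means the sector looks intact."""
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    findings = []
    if sector[-2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    entries = parse_partition_table(sector)
    used = [e for e in entries if e["type"] != 0 and e["sectors"] != 0]
    if not used:
        findings.append("partition table is empty")
    # On a GPT disk the protective MBR entry is legitimately not flagged active.
    elif (not any(e["status"] == 0x80 for e in used)
          and not any(e["type"] == GPT_PROTECTIVE_TYPE for e in used)):
        findings.append("no partition flagged bootable")
    if baseline_hash(sector) != baseline_bootcode_sha256:
        findings.append("boot code differs from recorded baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR: stand-in boot code, one active NTFS partition."""
    bootcode = bytes(range(256)) + bytes(BOOT_CODE_LEN - 256)
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return bootcode + entry + bytes(48) + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed overwritten sector: foreign code, signature kept, no partitions."""
    foreign_code = b"\xEB\x3C" + b"\x90" * (BOOT_CODE_LEN - 2)
    return foreign_code + bytes(64) + BOOT_SIGNATURE


if __name__ == "__main__":
    # Real use: read the first 512 bytes of the disk image (or, on Linux,
    # of /dev/sda; on Windows, of \\.\PhysicalDrive0) into `sector`.
    good = build_sample_mbr()
    base = baseline_hash(good)
    for label, sector in (("good", good), ("wiped", build_wiped_mbr()),
                          ("zeroed", bytes(SECTOR_SIZE))):
        print(label, check_mbr(sector, base) or "OK")
```

The baseline comparison is the check that matters most: a wiper that keeps the 0x55AA signature and leaves the machine "bootable" into its own code passes the structural checks, and only the hash of the boot-code region reveals the substitution.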
To mitigate threats like this, we recommend that every organization have a Cyber Response Plan (CRP) based on the organization's Advanced Cyber Talents (ACT). This plan should include a baseline assessment to get to know the organization, its threats, and the possible attack vectors. Also, run an up-to-date antivirus on your endpoints that updates as soon as new malware hashes are identified in the wild. We should state, however, that it is relatively easy for a group like this to evade signature-based antivirus (a recompiled or repacked sample has a new hash), which resets the clock on the identification and prevention process, so it is highly recommended to also have a behavior-based endpoint security system (EDR) to help mitigate the risk. Either way, it is recommended to run up-to-date OS versions and use UEFI Secure Boot; Secure Boot does not stop an administrator-level process from writing to the disk, but a machine that boots in UEFI mode does not execute legacy MBR boot code, so that code is not part of its boot path.
To further lower the risk, take proactive measures such as a continuous CTI effort to identify and assess emerging threats, and threat-hunting ("find evil") operations within the organization.
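The behavior-based detection recommended above does not depend on a hash: an MBR wiper has to open the raw disk device for writing, and a file corrupter has to touch many files of many types in a short time. The following is an added example, not code from the original post or any product: a small detector run over constructed endpoint events (timestamp, pid, image, operation, path) that raises an alert on either behavior. The event format, the thresholds, and the process names are assumptions for illustration.

```python
"""Behavior-based detection for boot-sector and mass-file wipers.

Added example, not part of the original post. Events are constructed to
resemble EDR file telemetry; thresholds and field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Raw device paths an MBR wiper must open for write (Windows and Linux forms).
RAW_DEVICE_MARKERS = (r"\\.\PhysicalDrive", "/dev/sd", "/dev/nvme")

WINDOW = timedelta(seconds=60)  # sliding window for mass-modification detection
MIN_FILES = 10                  # distinct files written inside the window
MIN_EXTS = 5                    # distinct extensions among those files

EXTS = ["docx", "xlsx", "pdf", "jpg", "zip", "txt", "pptx", "db", "csv", "png"]

# Constructed telemetry: one raw-disk write, a benign editor, and a burst of writes.
CONSTRUCTED_EVENTS = [
    ("2022-01-14T02:10:01Z", 4120, r"C:\Temp\a.exe", "FileOpenWrite", r"\\.\PhysicalDrive0"),
    ("2022-01-14T02:10:05Z", 1200, r"C:\Windows\explorer.exe", "FileWrite", r"C:\Users\u\notes.txt"),
    ("2022-01-14T02:10:06Z", 1200, r"C:\Windows\explorer.exe", "FileWrite", r"C:\Users\u\todo.txt"),
] + [
    (f"2022-01-14T02:11:{i:02d}Z", 5555, r"C:\Temp\b.exe", "FileWrite",
     rf"C:\Users\u\Documents\f{i}.{EXTS[i % len(EXTS)]}")
    for i in range(12)
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def extension(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events) -> list:
    """Return alert strings for raw-device writes and mass file modification."""
    alerts = []
    writes_by_pid = defaultdict(list)
    for ts, pid, image, op, path in events:
        if op == "FileOpenWrite" and path.startswith(RAW_DEVICE_MARKERS):
            alerts.append(f"pid {pid} ({image}) opened raw device {path} for write")
        if op in ("FileWrite", "FileRename"):
            writes_by_pid[pid].append((parse_ts(ts), path, image))

    for pid, writes in writes_by_pid.items():
        writes.sort()
        for i, (start, _, image) in enumerate(writes):
            # Look at every write by this pid within WINDOW of the i-th one.
            window = [w for w in writes[i:] if w[0] - start <= WINDOW]
            paths = {w[1] for w in window}
            exts = {extension(p) for p in paths} - {""}
            if len(paths) >= MIN_FILES and len(exts) >= MIN_EXTS:
                alerts.append(f"pid {pid} ({image}) modified {len(paths)} files "
                              f"with {len(exts)} extensions within {WINDOW.seconds}s")
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_EVENTS):
        print("ALERT:", alert)
```

Both rules survive a rebuilt binary because they key on what the malware must do rather than on what it looks like; in a real deployment the thresholds should be tuned against a baseline of the organization's own backup and indexing jobs, which also write many files quickly.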