As Russian activity in Ukraine has moved past heightened tension into a full invasion, the conflict has been fought in both physical and cyber arenas. To that end, novel wiper malware attributed to Russian state actors has been deployed to destroy and degrade Ukrainian assets and infrastructure, but the blast radius almost certainly won’t be limited to these targets.
For organizations that may find themselves either directly or indirectly in the crosshairs of this conflict, there are practical steps that should be taken to protect themselves.
Ransomware and Wiper Malware are closely related
This wiper malware is closely related to the Ransomware we have all become familiar with over the past few years. The only real difference is the end goal – to irreversibly destroy data and access to systems. As a result, we should lean on the hard-learned lessons from Ransomware attacks in recent years, particularly those attributed to or closely related to Russian groups.
Like Ransomware attacks, the wiper malware campaign tends to leverage exploits against externally accessible services to gain a foothold within an organization’s network. From there, C2 channels are established (including web shells in the DMZ) to ensure ongoing control. Once this foothold is established, attackers dump credentials and use them to expand their access within the environment with the intent of maximizing their ability to inflict damage. In the attack’s final stage, wiper malware is activated to render the system inoperable. Attackers enact this final stage once they have maximized their reach or if they are alerted that they have been discovered and are at risk of losing control.
Each step along the way from one compromised system to an entire network of compromised systems is about maximizing that final impact. Attackers are only able to do this by using their initial point of compromise to move through the network and expand their access as broadly as possible.
The techniques used to carry out this expansion in control and impact are the same techniques we have observed them use for years – the use of credentials on compromised systems to gain access to new systems, providing access to yet more credentials, and so on – until they have (ideally) complete control of the environment.
One reported victim of the wiper attacks had its Domain Controller compromised via this technique; the attackers then used it to distribute and execute the wiper malware across all systems. This is a technique we have seen Ransomware operators leverage repeatedly.
As with Ransomware, we expect the disclosed IOCs and the malware used will change over time. It’s easy for attackers to make those changes rapidly. Conversely, the techniques attackers use to implant malware and gain maximum impact within an environment are unlikely to change.
Practical Steps to Stay Safe against Russian Wiper Malware
Ultimately, these threats represent an intent to destroy, and organizations will do well to improve their resilience and put plans into place to ensure rapid recovery. There are practical steps to take, many of which are not new recommendations but may be somewhere in your organization’s backlog. Given the changes in the threat landscape, we suggest that organizations re-run their risk calculus and make some or all of the following changes.
- Remove the low-hanging fruit. Patch and protect publicly accessible assets. Public-facing assets with known exploitable vulnerabilities are easy targets and patching these assets must be a top priority. CISA maintains a good list of these. In a similar vein, accounts for VPN access and public logon portals or SaaS services must be protected by multifactor authentication.
- Control the DMZ. Authorized outbound traffic from the network DMZ needs to be explicitly whitelisted to increase the difficulty of an adversary establishing a useful foothold there. Such a whitelist takes work to maintain, but it materially complicates an adversary’s ability to effectively run command-and-control from your DMZ.
- Trust and Least Privilege. We often relate this to administrative credentials, but in this case view it through the lens of your publicly accessible systems and the rest of the network. The accumulated risk from every time a system or account was over-privileged to ease deployment or operation is often a key factor that enables the attack.
- Keep your people’s heads in the game. Where practical, enforce downtime when you’re not in crisis mode. Maintaining an unending state of heightened alert is stressful and it increases the likelihood that mistakes will be made or key indicators overlooked. Realize that cyber incident response is deeply stressful.
- Plan for out-of-band comms. Compromised IT systems may well include those you use for internal communications (email, chat, etc.), thus further limiting your defensive capabilities. Plan for this outcome and invest in secure, back-up comms. Apps like Signal are popular for a reason.
- Prioritize confidence in your recovery plan. Too often IT system recovery plans are built on a combination of present optimism and inaccurate historical information. It’s time to dust those off: at a minimum tabletop them, and preferably execute attack simulations, particularly against business-critical systems like email.
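As an added example (not from the original post) of putting the DMZ egress control into practice: before enforcing an explicit outbound allowlist, replay recent DMZ egress logs against the proposed policy to see which flows it would block; unexpected destinations are candidates for investigation, expected ones for adding to the policy. The allowlist, the key=value log format and every address below are constructed for illustration.

```python
"""Audit constructed DMZ egress logs against an explicit outbound allowlist (default deny)."""
import ipaddress
from collections import Counter

# Explicit egress policy for the DMZ: (destination network, protocol, port).
# Networks are constructed placeholders (RFC 1918 / RFC 5737 ranges).
ALLOWLIST = [
    ("10.0.5.0/24",      "tcp", 3306),  # web tier -> internal database tier
    ("10.0.1.53/32",     "udp", 53),    # internal DNS resolver only
    ("198.51.100.10/32", "tcp", 443),   # approved vendor update mirror
]
_RULES = [(ipaddress.ip_network(n), p, port) for n, p, port in ALLOWLIST]

# Constructed egress log lines in a simple key=value format.
SAMPLE_LOG = """\
2022-02-25T10:01:02Z src=10.0.9.21 dst=10.0.5.12 proto=tcp dport=3306
2022-02-25T10:01:05Z src=10.0.9.21 dst=10.0.1.53 proto=udp dport=53
2022-02-25T10:02:17Z src=10.0.9.22 dst=198.51.100.10 proto=tcp dport=443
2022-02-25T10:03:44Z src=10.0.9.22 dst=203.0.113.50 proto=tcp dport=443
2022-02-25T10:03:49Z src=10.0.9.22 dst=203.0.113.50 proto=tcp dport=443
2022-02-25T10:04:01Z src=10.0.9.21 dst=198.51.100.99 proto=tcp dport=8443
2022-02-25T10:04:30Z src=10.0.9.21 dst=10.0.1.53 proto=tcp dport=53
"""

def parse_flow(line):
    """Return (src, dst, proto, dport) from one key=value log line; the timestamp is skipped."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["dst"], fields["proto"], int(fields["dport"])

def is_allowed(dst, proto, dport):
    """True only if the flow matches an allowlist entry; anything else is denied."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and proto == p and dport == port for net, p, port in _RULES)

def audit(log_text):
    """Return {(src, dst, proto, dport): count} for every flow the policy would block."""
    denied = Counter()
    for line in log_text.splitlines():
        if line.strip():
            src, dst, proto, dport = parse_flow(line)
            if not is_allowed(dst, proto, dport):
                denied[(src, dst, proto, dport)] += 1
    return dict(denied)

if __name__ == "__main__":
    for (src, dst, proto, dport), n in sorted(audit(SAMPLE_LOG).items()):
        print(f"WOULD BLOCK {src} -> {dst} {proto}/{dport} ({n} flows)")
```

Note that the last sample line (TCP/53 to the resolver) is flagged even though the host is approved, because the policy only lists UDP/53; that is exactly the kind of legitimate gap this dry run is meant to surface before enforcement.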
If you’re a target or under attack, we will help you at no cost
Our organizational mission is to make the world a safer and fairer place. We stand by that. If your organization is under attack as a result of this conflict we will help, at no cost.
We believe that advanced detection and response capabilities are among the most critical for organizations to operationalize to achieve the resilience necessary to withstand the current generation of cyber weapons. And we believe that as an industry we need to use the lessons learned over the years in mitigating, detecting, and responding to Ransomware incidents to manage the problem we’re facing today – though with an urgency and willingness to implement mitigations, controls, detection capabilities, and responses that otherwise may have been considered too disruptive.