As Russian activity in Ukraine has moved past heightened tension into a full invasion, the conflict has been fought in both the physical and the cyber arena. To that end, novel wiper malware attributed to Russian state actors has been deployed to destroy and degrade Ukrainian assets and infrastructure, but the blast radius almost certainly won’t be limited to these targets.
For organizations that may find themselves either directly or indirectly in the crosshairs of this conflict, there are practical steps that should be taken to protect themselves.
This wiper malware is closely related to the Ransomware we have all become familiar with over the past few years. The only real difference is the end goal: to irreversibly destroy data and access to systems. As a result, we should lean on the hard-learned lessons from Ransomware attacks in recent years, particularly those attributed to or closely related to Russian groups.
Like Ransomware attacks, the wiper malware campaign tends to leverage exploits against externally accessible services to gain a foothold within an organization’s network. From there, C2 channels are established (including web shells in the DMZ) to ensure on-going control. Once this foothold is established, attackers dump credentials and use them to expand their access within the environment with the intent of maximizing their ability to inflict damage. In the attack’s final stage, wiper malware is activated to render the system inoperable. Attackers enact this final stage once they have maximized their reach or if they are alerted that they have been discovered and are at risk of losing control.
Each step along the way from one compromised system to an entire network of compromised systems is about maximizing that final impact. Attackers are only able to do this by using their initial point of compromise to move through the network and expand their access as broadly as possible.
The techniques used to carry out this expansion in control and impact are the same techniques we have observed them use for years: using credentials found on compromised systems to gain access to new systems, which in turn yield yet more credentials, and so on, until they have (ideally, from their perspective) complete control of the environment.
One reported victim of the wiper attacks stated that their Domain Controller was compromised via this technique; the attackers then used it to distribute and execute the wiper malware across all systems. This is a technique we have seen Ransomware operators leverage repeatedly.
As with Ransomware, we expect the disclosed IOCs and the malware used to change over time; it’s easy for attackers to make those changes rapidly. Conversely, the techniques attackers use to implant malware and gain maximum impact within an environment are unlikely to change.
Ultimately, these threats represent an intent to destroy, and organizations will do well to improve their resilience and put plans into place to ensure rapid recovery. There are practical steps to take, many of which are not new recommendations but may be somewhere in your organization’s backlog. Given the changes in the threat landscape, we suggest that organizations re-run their risk calculus and make some or all of the following changes.
Our organizational mission is to make the world a safer and fairer place. We stand by that. If your organization is under attack as a result of this conflict we will help, at no cost.
We believe that advanced detection and response capabilities are among the most critical for organizations to operationalize in order to achieve the resilience necessary to withstand the current generation of cyber weapons. And we believe that, as an industry, we need to use the lessons learned over the years in mitigating, detecting, and responding to Ransomware incidents to manage the problem we’re facing today, though with an urgency and willingness to implement mitigations, controls, detection capabilities, and responses that otherwise may have been considered too disruptive.