- Federal authorities and security researchers are warning U.S. organizations to prepare for attacks against critical infrastructure and related targets as military tensions ramp up over a potential Russian incursion into Ukraine.
- The Cybersecurity and Infrastructure Security Agency (CISA) is warning U.S. companies to take urgent measures to protect their IT systems and operational technology, after threat actors deployed destructive malware against public and private organizations in Ukraine. While the malware appears to be ransomware at first glance, it wipes all data contained on the master boot record, according to Microsoft. The malware has been found on dozens of government, nonprofit and IT organizations in Ukraine.
- Crowdstrike released a separate analysis of WhisperGate, the malicious bootloader that was unleashed on Ukrainian government websites. The malware, which has similarities to the master boot record used during NotPetya attacks in 2017, fooled IT personnel by masquerading as a chkdsk disk-repair utility before launching a massive wave of attacks.
Security researchers and national security experts say the escalating tensions over a Russian conflict with Ukraine could give rise to asymmetric cyberattacks that would engulf government and critical infrastructure targets inside Ukraine and targets in the U.S. and other Western countries.
"Threats to Ukraine can be a threat to a U.S. or global company," Adam Meyers, SVP of intelligence at Crowdstrike said. "As we observed during NotPetya, there were numerous reports of companies with offices in Ukraine or contractors in Ukraine who became victims of NotPetya by virtue of physical and [logistical] connections between corporate infrastructure in Ukraine and the U.S."
Threat actors linked to Russia, eastern Ukraine and other allies will likely engage in a range of cyber espionage, information operations and disruptive attacks, according to research from Mandiant. Mandiant researchers say various APT actors have been linked to prior attacks involving Ukraine.
Sandworm Team, considered a top threat actor from Russia, has been linked to NotPetya and attacks that caused power outages in the Ukraine.
An actor that Mandiant researchers call TEMP.Isotope, also known as UNC806/UNC2486, Berserk Bear and Dragonfly, has been linked to compromises of critical infrastructure in Europe and the U.S.
Researchers at Palo Alto Networks say a vulnerability in OctoberCMS, CVE-2021-32648, was exploited by threat actors prior to the attacks against Ukrainian government websites. Palo Alto said using OctoberCMS prior to build 472 and v1.1.5 need to upgrade to the most recent version.