CISA, Microsoft Warn of Wiper Malware Amid Russia-Ukraine Tensions

The U.S. government agency overseeing cybersecurity is urging the country’s businesses and other organizations to take the necessary steps to protect their networks from any spillover that might occur from the ongoing cyberattacks aimed at Ukraine government agencies and private companies.

In an alert issued this week, the Cybersecurity and Infrastructure Security Agency (CISA) cited a series of cyberattacks perpetrated against public and private Ukrainian organizations as tensions between Ukraine and Russia grow despite talks between U.S. and Russian government leaders.

Government and private entities in Ukraine have been targeted this month by a barrage of malware that has defaced websites and wiped or corrupted data from Windows- and Linux-based systems. Microsoft’s Threat Intelligence Center, in a blog post Jan. 15, outlined the malware operation that began hitting Ukrainian organizations days before.

Malware Designed to Destroy

The malware “is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom,” the Microsoft unit wrote. “Our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine. … It is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.”

Other organizations also have issued reports about data-wiping and other malware being used against groups in the troubled country. Ukraine’s cyber authorities said in a statement that the attackers exploited vulnerabilities in the OctoberCMS content management system and the high-profile Log4j flaw, as well as compromised credentials, to launch the attacks.

Within a couple of days, 95 percent of the Ukrainian government sites impacted by the malware had been restored, Ukraine’s cyber authorities said.

Threats in a Connected World

In light of the attacks and the ongoing geopolitical situation in Ukraine, both CISA and Microsoft urged public and private groups in the United States to use the information to proactively protect their infrastructure against malware attacks that might result from the troubles in that region.

“Public and private entities in Ukraine have suffered a series of malicious cyber incidents, including website defacement and private sector reports of potentially destructive malware on their systems that could result in severe harm to critical functions,” CISA said in its alert. “The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past – e.g., NotPetya and WannaCry ransomware – to cause significant, widespread damage to critical infrastructure.”

No group or nation-state has been accused of the malware attacks in Ukraine, but CISA said cybersecurity and IT staffs should review the detailed document the agency released earlier this month, Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure. They also should check out another government site, CISA noted.

CISA’s Cybersecurity Checklist

CISA’s alert outlines myriad steps U.S. organizations should take to protect their networks and data from malware attacks, including validating all remote access and instituting multifactor authentication where needed, making sure that software is patched and up-to-date, and ensuring they are prepared to respond to an intrusion.

The steps also include quickly identifying and assessing unusual network behavior, running antivirus and anti-malware solutions on the network and testing backup procedures. CISA also noted the need to test industrial control systems and “if working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.”
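As an added illustration, not part of the CISA alert or this article, the script below shows what a first pass at several of the checklist items could look like when run over remote-access logs: successful sessions without MFA, sources not seen during a baseline period, a burst of failed logins followed by a success (consistent with the compromised-credential path noted above), and traffic from a partner organization’s network reaching hosts it is not approved to reach. The log format, the partner address block (a documentation range), the approved destinations and the baseline source set are all assumptions made for the example; the log lines are constructed.

```python
"""Review constructed remote-access log lines against several CISA checklist items."""
import ipaddress
from collections import Counter

# Constructed sample records for illustration only; not taken from any real system.
SAMPLE_LOGS = [
    "2022-01-18T08:02:11Z vpn user=alice src=203.0.113.10 dst=10.0.5.20 mfa=yes result=success",
    "2022-01-18T08:05:40Z vpn user=bob src=203.0.113.44 dst=10.0.5.20 mfa=no result=success",
    "2022-01-18T08:09:03Z vpn user=partner-svc src=198.51.100.5 dst=10.0.7.15 mfa=yes result=success",
    "2022-01-18T08:09:51Z vpn user=partner-svc src=198.51.100.5 dst=10.0.1.3 mfa=yes result=success",
    "2022-01-18T08:12:00Z vpn user=carol src=192.0.2.77 dst=10.0.5.20 mfa=no result=failure",
    "2022-01-18T08:12:04Z vpn user=carol src=192.0.2.77 dst=10.0.5.20 mfa=no result=failure",
    "2022-01-18T08:12:09Z vpn user=carol src=192.0.2.77 dst=10.0.5.20 mfa=no result=failure",
    "2022-01-18T08:12:31Z vpn user=carol src=192.0.2.77 dst=10.0.5.20 mfa=yes result=success",
]

# Hypothetical policy inputs (assumed for this example, not from the alert):
# the partner organization's address block, the only internal hosts that block
# is approved to reach, source addresses observed during a prior baseline
# period, and how many failures in a row count as a burst.
PARTNER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
PARTNER_ALLOWED_DSTS = {"10.0.7.15"}
KNOWN_SOURCES = {"203.0.113.10", "198.51.100.5"}
FAILURE_BURST = 3


def parse_line(line):
    """Turn 'timestamp service k=v k=v ...' into a dict of fields."""
    ts, service, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec.update(ts=ts, service=service)
    return rec


def in_partner_net(addr):
    """True if the address falls inside any partner network block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PARTNER_NETS)


def review(lines):
    """Return (kind, user, detail) findings for the checklist items above."""
    findings = []
    failures = Counter()  # consecutive failures per (user, source)
    for rec in map(parse_line, lines):
        key = (rec["user"], rec["src"])
        if rec["result"] != "success":
            failures[key] += 1
            continue
        # Remote access without MFA: the alert asks for MFA wherever it is needed.
        if rec.get("mfa") != "yes":
            findings.append(("no_mfa", rec["user"], rec["src"]))
        # A source never seen in the baseline is "unusual network behavior".
        if rec["src"] not in KNOWN_SOURCES:
            findings.append(("new_source", rec["user"], rec["src"]))
        # Partner traffic reaching anything beyond its approved destinations.
        if in_partner_net(rec["src"]) and rec["dst"] not in PARTNER_ALLOWED_DSTS:
            findings.append(("partner_unexpected_dst", rec["user"], rec["dst"]))
        # Success right after a burst of failures suggests guessed or stolen credentials.
        if failures[key] >= FAILURE_BURST:
            findings.append(("success_after_failures", rec["user"], rec["src"]))
        failures[key] = 0
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOGS):
        print(f"{kind:24} user={user:12} {detail}")
```

On the constructed input this reports five findings: bob’s session without MFA from an unseen source, the partner service account reaching 10.0.1.3 instead of its approved host, and carol’s success after three failures from a source outside the baseline. In practice the baseline set and partner allowlist would come from your own inventory rather than literals, and the findings would feed a ticket or SIEM rule rather than stdout.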

Chris Gonsalves, vice president of research at Channelnomics, told eSecurity Planet that the CISA alert is part of a larger propaganda campaign by the U.S. government as it pushes back at possible Russian intrusion into Ukraine and looks to ease tension in the region.

“But here’s the thing about propaganda: It can also be true,” Gonsalves said. “Warnings about global climate change are also propaganda. The information is designed to foment a change in the belief or behavior. They’re also factually correct and that’s the same thing here.”

Out of the Lab and Into the Wild

The reference to NotPetya and WannaCry – the latter a notorious ransomware from North Korea rather than Russia – makes sense because both were very targeted pieces of malware that eventually got into the wild and affected targets beyond what was initially intended, Gonsalves said. The threat that this month’s malware attacks in Ukraine pose to companies and agencies outside the region is similar, he said.

As noted in the CISA alert, companies that do business with Ukrainian counterparts may be impacted by a phishing email or other threats that make their way through the Ukraine companies’ networks and to their global partners.

“They called these things computer viruses originally because they behave exactly like biological viruses, and that once they get out of the lab, it’s very difficult to contain where they go and who they infect,” Gonsalves said. “The thing about – and this is wiper malware [being used in Ukraine], but it works the same with ransomware – is that phishing messages get forwarded and partner networks are integrated together and there are hidden credentials between third parties that we’re not aware of. When I attack a utility in the Ukraine, I see that particular network might be connected through supply chain links to some organization in the U.S. that were never my intended target, but that’s just the way internet connections work. It’s not like they are also going to be targeted. They’re collateral damage.”

Good Security Advice

Once the possible threat is established, the question becomes whether what CISA is telling organizations through the checklist is effective. In this case, it’s essentially a rewording of the NIST Cybersecurity Framework (CSF), hitting the high notes of its five functions: identify, protect, detect, respond and recover.

“God bless them for staying on message and using their absolute best cybersecurity framework to continue to get people to do the very basic things that they need to do to protect themselves,” Gonsalves said. “All of this information is applicable and proven to be effective.”

Gonsalves also was pleased to see CISA note the need to protect industrial control systems, since the line between those control systems and traditional IT continues to blur and infrastructure must be defended accordingly.

Review Security in Light of Pandemic

One point CISA could have raised is that many companies may believe they’ve addressed the items on the checklist, but haven’t revisited them in light of the COVID-19 pandemic, which widely dispersed much of their workforces.

“You have remote access in places you’ve never had it before,” Gonsalves said. “Do you really have a handle on your access management and your credentials the way you did two years ago in this new world order that we’re in, where everybody’s a remote worker and completely decentralized? Yeah, look at this list, but also review it through the lens of the way that you work in the COVID and post-COVID environment, because many of these elements are much more crucial and have changed radically over the last year.”

He also suggested that CISA issue this checklist on a continuous basis.

“You should issue this memo on the first day of every quarter for the rest of our lives,” Gonsalves said. “Even on days when Russia is not menacing its neighbors, this is really good advice.”

Jeff Burt
