Category: Event
TLP Level: TLP:WHITE
Severity: High

Campaign Details:
Campaign Active: 2022-02-15
Campaign Identified: 2022-02-15
Campaign Updated: 2022-02-24

Updates:

02/24 12:00 PM GMT

  • Russia has launched an invasion of Ukraine which started with missile and artillery attacks targeting locations near the capital of Kiev and the border city of Kharkiv. Ground troops have since begun their intrusion into Ukraine from fronts including Crimea and Belarus. In response, Ukraine has announced the cutting of diplomatic ties with Russia.
  • At around 2:00 PM GMT on February 23rd, additional DDoS (Distributed Denial of Service) attacks were observed targeting Ukrainian government websites owned by the Ministry of Defense, Ministry of Internal Affairs, and national banks [Source 2]. No DDoS attacks have been observed targeting devices outside of Ukraine.
  • At 8:00 PM GMT on February 23rd, a data-wiping malware strain named HermeticWiper was observed affecting devices and organizations in Ukraine, Latvia, and Lithuania. It is believed that HermeticWiper was deployed by a Russian Threat Actor group conducting disruption operations prior to military action, though no attribution has been made yet. Infections of devices outside of Ukraine are believed to be collateral damage or unintended ‘spill-over.’ IoCs related to HermeticWiper have been identified and more information is available in the separately published HermeticWiper Threat Advisory.
  • The largest concern moving forward for United States and NATO allied countries, organizations, and companies is two-fold. The first is any attack targeted at Ukraine that causes collateral damage accidentally to other organizations through connected networks or misidentification of targets. The second is the specific targeting of western systems preemptively as US and NATO allies increase sanctions and responses to the Russian aggression. Organizations in the critical infrastructure, energy, communications, and financial industries would be the likely targets for any additional offensive cyber operations focused on western entities.

Detections:

  • Most Common Russian Techniques: The most common MITRE techniques across the tracked Threat Actor groups with associations to Russia have been included below. Additionally, the corresponding ReliaQuest Detect use-cases to these MITRE techniques are also included.
  • Destructive Malware: The WhisperGate and HermeticWiper malware variants are believed to be associated with the Russia/Ukraine escalations. Direct attribution has not been made, but targets of these variants have been largely focused on Ukrainian systems. Additional ReliaQuest Threat Advisories exist for these variants and include additional IOCs and TTPs.
  • Denial of Service Attacks: Detecting a denial-of-service attack accurately at an individual organization's level can be incredibly difficult. ReliaQuest advises partnering with vendors at the ISP and cloud level to more effectively detect and mitigate DDoS attacks before impacts can be recognized.

Mitigations:

  • Reduce external attack surfaces. Regularly monitor and audit external facing services and assets for accidental exposure and out-of-date services. Remove any accidental exposure and patch any out-of-date services, with priority on services that have known vulnerabilities. Threat Actors will frequently scan the internet for public-facing assets that have an exploitable vulnerability and gain initial access via this method.
  • Ensure comprehensive coverage of endpoints. Anti-Virus/Endpoint Detection and Response tools within your environment provide critical visibility into active threats within a network. Additionally, many ReliaQuest Detect use-cases require endpoint logging/visibility to be pushed to production.
  • Review backup strategies. Organizations should review their backup policies in place and ensure recent backups exist for all critical systems in a secure location.
  • Raise phishing awareness. Implement phishing training and deploy e-mail security technologies to mitigate the risk of malicious e-mail documents. Threat actor groups often conduct phishing campaigns with malicious documents to gain an initial foothold.
  • Enforce complex passwords and Multi-Factor Authentication. A strong authentication policy across all aspects of the environment (including third-party accounts) makes attempts to access networks remotely more difficult as Russian actors have often leveraged remote brute force attempts against networks.
  • Mitigate Denial of Service Attempts. Vendors at the ISP and cloud infrastructure level are more effective at mitigating denial of service attacks as they see the larger trends and can often mitigate attacks before traffic can traverse the backbone of the internet and reach an organization. Organizations should evaluate agreements in place with these vendors to understand whether these mitigation capabilities are in place.
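The remote brute-force activity referenced in the authentication mitigation above maps to T1110.001 (Password Guessing) and T1110.003 (Password Spraying) in the technique list that closes this advisory. The following is an added detection example, not a ReliaQuest Detect use-case and not code from the advisory: it runs both checks over constructed authentication events. It assumes Windows Security log event IDs (4625 failed logon, 4624 successful logon); the pipe-delimited line format, the IP addresses (taken from documentation ranges), the account names and the thresholds are all constructed for illustration.

```python
"""Password guessing (T1110.001) and password spraying (T1110.003) detection.

Added example, not ReliaQuest's own detection logic. Event IDs follow the
Windows Security log (4625 failed logon, 4624 successful logon); the line
format, addresses, account names and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624

# Constructed sample events: "timestamp|event_id|source_ip|account".
# 203.0.113.10 tries one password against six accounts and gets into "frank".
# 198.51.100.7 hammers a single service account.
# 192.0.2.44 is a user mistyping a password once (should not alert).
SAMPLE_LOG = """\
2022-02-23T20:00:01Z|4625|203.0.113.10|alice
2022-02-23T20:00:03Z|4625|203.0.113.10|bob
2022-02-23T20:00:05Z|4625|203.0.113.10|carol
2022-02-23T20:00:07Z|4625|203.0.113.10|dave
2022-02-23T20:00:09Z|4625|203.0.113.10|erin
2022-02-23T20:00:11Z|4625|203.0.113.10|frank
2022-02-23T20:00:13Z|4624|203.0.113.10|frank
2022-02-23T20:05:00Z|4625|198.51.100.7|svc_backup
2022-02-23T20:05:02Z|4625|198.51.100.7|svc_backup
2022-02-23T20:05:04Z|4625|198.51.100.7|svc_backup
2022-02-23T20:05:06Z|4625|198.51.100.7|svc_backup
2022-02-23T20:05:08Z|4625|198.51.100.7|svc_backup
2022-02-23T20:05:10Z|4625|198.51.100.7|svc_backup
2022-02-23T20:05:12Z|4625|198.51.100.7|svc_backup
2022-02-23T20:05:14Z|4625|198.51.100.7|svc_backup
2022-02-23T20:30:00Z|4625|192.0.2.44|alice
2022-02-23T20:31:00Z|4624|192.0.2.44|alice
"""


def parse_log(text):
    """Parse the constructed line format into time-sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, src, user = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "src": src,
            "user": user.lower(),
        })
    return sorted(events, key=lambda e: e["ts"])


def _max_window(items, window, measure):
    """Largest measure(chunk) over any sliding time window of the given length."""
    best, best_chunk, start = 0, [], 0
    for end in range(len(items)):
        while items[end]["ts"] - items[start]["ts"] > window:
            start += 1
        chunk = items[start:end + 1]
        value = measure(chunk)
        if value > best:
            best, best_chunk = value, chunk
    return best, best_chunk


def find_password_spraying(events, window=timedelta(minutes=10), min_users=5):
    """T1110.003: one source failing against many distinct accounts."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON:
            failures[e["src"]].append(e)
    successes = [e for e in events if e["event_id"] == SUCCESS_LOGON]
    alerts = []
    for src, fails in failures.items():
        count, chunk = _max_window(fails, window, lambda c: len({x["user"] for x in c}))
        if count >= min_users:
            users = sorted({x["user"] for x in chunk})
            # A success from the same source after the spray began is the urgent case.
            hit = sorted({s["user"] for s in successes
                          if s["src"] == src and s["user"] in users
                          and s["ts"] >= chunk[0]["ts"]})
            alerts.append({"technique": "T1110.003", "src": src,
                           "users": users, "followed_by_success": hit})
    return alerts


def find_password_guessing(events, window=timedelta(minutes=10), min_failures=8):
    """T1110.001: many failures against a single account from one source."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON:
            failures[(e["src"], e["user"])].append(e)
    alerts = []
    for (src, user), fails in failures.items():
        count, _ = _max_window(fails, window, len)
        if count >= min_failures:
            alerts.append({"technique": "T1110.001", "src": src,
                           "user": user, "failures": count})
    return alerts


def run(text=SAMPLE_LOG):
    """Run both detections over a log and return the combined alert list."""
    events = parse_log(text)
    return find_password_spraying(events) + find_password_guessing(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Both checks deliberately key on the source address, which is why the advisory's point about Multi-hop Proxy (T1090.003) matters in practice: a spray distributed across many proxy exits drops below the per-source threshold, so the distinct-account count should also be evaluated per destination host or per authentication endpoint in production, with the thresholds tuned to the environment's baseline of failed logons.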

Related Advisories:

The following threat advisories exist within GreyMatter and are either directly or indirectly related to the escalations within Ukraine.

Threat Actor Groups:

  • Sandworm Team
  • Fancy Bear

Tools:

  • WhisperGate Destructive Malware Targeting Ukrainian Organizations
  • HermeticWiper

Sources:

[1] https://www.cisa.gov/uscert/ncas/alerts/aa22-011a
[2] https://www.cisa.gov/shields-up
[3] https://netblocks.org/reports/internet-disruptions-registered-as-russia-moves-in-on-ukraine-W80p4k8K
[4] https://www.mandiant.com/media/14506/download

MITRE Techniques:

Technique ID    Technique Name
T1003.003       NTDS
T1059.001       PowerShell
T1059.003       Windows Command Shell
T1078           Valid Accounts
T1090.003       Multi-hop Proxy
T1110.001       Password Guessing
T1110.003       Password Spraying
T1190           Exploit Public-Facing Application
T1195.002       Compromise Software Supply Chain
T1212           Exploitation for Credential Access
T1552.004       Private Keys
T1555           Credentials from Password Stores
T1558.003       Kerberoasting
T1587.001       Malware
T1595.002       Vulnerability Scanning
T1598           Phishing for Information