CISA Alert AA22-057A – Destructive malware targeting organizations in Ukraine.
This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Zero Five Seven Alpha.
Original release date: February 26th, 2022. Last revised March 1st, 2022.
Leading up to Russia’s unprovoked attack against Ukraine, threat actors have deployed destructive malware, including WhisperGate and HermeticWiper, against organizations in Ukraine to destroy computer systems and render them inoperable. CISA recommends organizations review the technical details in the alert for an in-depth analysis, indicators of compromise, and mitigations. The following are high-level summaries of campaigns employing the malware.
- On January 15th, 2022, the Microsoft Threat Intelligence Center disclosed that malware, known as WhisperGate, was being used to target organizations in Ukraine. According to Microsoft, WhisperGate is designed to render targeted devices inoperable.
- On February 23rd, 2022, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record, which results in subsequent boot failure.
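As an added illustration, not part of the CISA alert or the CyberWire adaptation, of the defensive check that follows from the master boot record manipulation described above: the script parses a 512-byte MBR, records a baseline, and reports when the boot code, the partition table or the 0x55AA boot signature no longer match it. The sample sectors are constructed for the example, and the raw device path mentioned in the comment is an assumption about a Windows host.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, the partition table and a signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return findings where the live MBR deviates from a previously captured baseline."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing; BIOS will not boot from this disk")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    for i, (now, then) in enumerate(zip(current["partitions"], baseline["partitions"])):
        if now != then:
            findings.append(f"partition entry {i} changed: {then} -> {now}")
    return findings

def build_sample_mbr(boot_code: bytes, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Constructed test MBR (not a real disk image): one bootable NTFS-type entry."""
    code = boot_code.ljust(446, b"\x00")[:446]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + signature

# Constructed samples: a healthy MBR captured as the baseline, and one whose boot code
# and signature have been zeroed, which is what an overwritten first sector looks like.
# On a real host (assumed Windows), read the sector with open(r"\\.\PhysicalDrive0", "rb").read(512)
# (administrator rights required) and compare it with a baseline saved at deployment time.
GOOD_MBR = build_sample_mbr(b"\xEB\x3C\x90SAMPLE-BOOT")
BASELINE = parse_mbr(GOOD_MBR)
WIPED_MBR = build_sample_mbr(b"\x00" * 446, signature=b"\x00\x00")
```

Run `check_mbr(WIPED_MBR, BASELINE)` to see the two findings a zeroed first sector produces; the same call against `GOOD_MBR` returns an empty list.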
Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may spill over to organizations in other countries.
This destructive malware uses popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from websites, and virus-infected files downloaded from peer-to-peer connections.
Malware of this kind can reach a large number of systems across a network. As a result, it is important for organizations to assess their environment for atypical channels for malware delivery and propagation. Systems to assess include enterprise applications such as:
- Patch management systems,
- Asset management systems,
- Remote assistance software,
- Antivirus software,
- Systems assigned to network admin personnel,
- Centralized backup servers, and
- Centralized file shares.
Organizations should increase vigilance and evaluate their capabilities, preparation, detection, and response plans. For specific best practices and mitigations, CISA and the FBI urge all organizations to visit the technical alert documentation linked in the show notes. The mitigations cover communication and data flow, access control, monitoring, file distribution, system and application hardening, recovery and reconstitution planning, and incident response.
All organizations should also report incidents and anomalous activity to CISA’s 24/7 Operations Center at firstname.lastname@example.org or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www.cisa.gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.