Government and researchers keep US attention on Russia's cyber activity in Ukraine

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) added several strains of wiper malware to its advisory on tools used to attack Ukrainian organizations. The additions came one day after Microsoft researchers said they observed nearly 40 destructive cyberattacks targeting hundreds of systems in Ukraine.  

CISA and the FBI released the original advisory in late February and updated it on Thursday to add additional indicators of compromise for the WhisperGate malware and technical details for HermeticWiper, IsaacWiper, HermeticWizard and CaddyWiper destructive malware.

WhisperGate was used during attacks on dozens of Ukrainian government websites in January. It masquerades as ransomware but simply wipes infected devices instead of offering opportunities to pay a ransom. 

HermeticWiper is another malware used against Ukrainian networks in February that was discovered by researchers at Slovakia-based cybersecurity firm ESET and Broadcom’s Symantec.

Silas Cutler, a security researcher for Stairwell, said in February that HermeticWiper doesn’t just destroy local data. It also also damages the master boot record (MBR) section of a hard drive, preventing the computer from booting into the operating system after the forced reboot. 

ESET explained that HermeticWizard is a worm component used to spread HermeticWiper in local networks.

IsaacWiper was used to attack organizations on the day that Russia began its invasion. According to Recorded Future, IsaacWiper is a destructive malware that overwrites all physical disks and logical volumes on a computer.

There is no code overlap between IsaacWiper, HermeticWiper, or WhisperGate, despite the fact that all of them seek to make devices unusable.

CaddyWiper was deployed on March 14, according to ESET and then used again during an attack on a Ukrainian energy company on April 12, according to CERT-UA. The malware erases user data and splits information from any drives attached to a compromised machine.

#BREAKING #ESETresearch warns about the discovery of a 3rd destructive wiper deployed in Ukraine . We first observed this new malware we call #CaddyWiper today around 9h38 UTC. 1/7 pic.twitter.com/gVzzlT6AzN

— ESET Research (@ESETresearch) March 14, 2022

All of the malware strains highlighted by CISA and the FBI have been spotlighted by Microsoft and other researchers since Russia began its invasion of Ukraine. 

Tom Burt, Microsoft’s corporate vice president of customer security and trust, said they saw at least six separate Russia-aligned nation-state actors launch more than 237 operations against Ukraine just before the invasion began. 

Microsoft noted that Russia often used cyberattacks alongside kinetic military operations targeting services and institutions crucial for civilians. 

“For example, a Russian actor launched cyberattacks against a major broadcasting company on March 1st, the same day the Russian military announced its intention to destroy Ukrainian ‘disinformation’ targets and directed a missile strike against a TV tower in Kyiv,” Burt explained. 

“Since the Russian invasion of Ukraine began, Russian cyberattacks have been deployed to support the military’s strategic and tactical objectives. It’s likely the attacks we’ve observed are only a fraction of activity targeting Ukraine.”

Burt urged those in government and critical infrastructure to follow CISA’s guidance and said they expect “cyberattacks will continue to escalate as the conflict rages.”

"Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression," Burt added.