BlueVoyant Advisory: Cyber Concerns with Russian Activity in Ukraine

BlueVoyant is following the events surrounding Russia and Ukraine in great detail to maintain vigilance. Reporting on cyber attacks has accompanied the unfolding Russian operations against Ukraine; thus far, those attacks include wiper malware, distributed denial-of-service attacks, and cyber espionage, but have been limited to Ukraine public and private targets. BlueVoyant has already moved to institute new detection content for wiper malware reported within the last 24 hours. BlueVoyant’s third-party risk analysts are investigating potential third-party exposure to aid organizations’ ability to assess distributed risks. Furthermore, BlueVoyant has heightened its internal security posture. BlueVoyant urges organizations to refer to the recently-published advisories by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centre (NCSC) for guidance on how to prepare your organization for cyber attack.

BlueVoyant’s Recommendations

BlueVoyant recommends organizations ensure their endpoint solutions are up to date and that they monitor closely for new updates as the situation continues to unfold. Organizations should anticipate increased cyber activity in the form of ransomware or other destructive attacks. Preparation is key. Reviewing and testing incident response and backup and recovery plans is crucial to ensure continuity of operations. Of the recommendations published by CISA and NCSC, BlueVoyant encourages organizations to especially consider the following security posture preparations:

• Ensure patching is current and review current controls for open ports such as remote desktop protocol (RDP) and SMB.
• Verify your organization's access controls including passwords, multi-factor authentication (MFA), user/account permissions, and user/accounts are up to date.
• Validate coverage of defensive endpoint tool coverage, namely antivirus solutions, enforcement of least-privilege, and endpoint firewalls.
• Consider enforcing application-whitelisting on critical systems. Alternatively, consider proactive blocking of Powershell and scripting languages where unneeded.
• Increase employee awareness and advise employees of heightened potential of phishing and social engineering. This includes ensuring employees and senior leaders understand they can be targeted through LinkedIn and other social media platforms

BlueVoyant's Assessment

Since the beginning of heightened tensions between Russia and Ukraine, BlueVoyant has been closely monitoring the geopolitical situation, specifically the increase in cyber threat activities. BlueVoyant has been proactive, pursuing an elevated defensive posture against known and emerging security threats that could impact our customers. This includes establishing customized detection tool sets specific to emerging threats and mitigating any impacts to our customers. As expected, alongside Russia’s physical incursions within Ukrainian territory over the past 24 hours were cyber operations; specifically, reporting describes distributed denial of service (DDoS) and wiper malware attacks. Adversaries of Ukraine have executed each of these attacks over the last several weeks – key reporting details are summarized below.

The wiper malware reporting describes a small custom application, dubbed HermeticWiper, which abuses an EaseUS driver (empntdrv.sys) for partition management to carry out the destructive attacks. Reporting indicates at least some of the wiper malware were installed directly from a Windows domain controller, showing that the attackers had pre-positioned themselves with control of the network. Researchers further noted the compiled timestamp for the malware was December 28, 2021, suggesting that preparations have been underway for almost two months.

In January, Microsoft reported on a wiper malware campaign named WhisperGate against Ukraine targets. The campaign directly targeted the information technology sector, multiple government agencies, and non-profit organizations in Ukraine. These attacks masqueraded as ransomware, giving the illusion of “hacktivism” and providing the threat actors with plausible deniability.

In addition to the wiper malware attacks, Ukrainian government and banking institutions reported experiencing a third wave of DDoS attacks. The attack vectors associated with these campaigns include supply chain attacks, strategic web compromise, and wormlike propagation.

Apart from these documented attacks, researchers have detailed a botnet/backdoor, called Cyclops Blink, with ties to Voodoo Bear (aka Sandworm) – the Russian General Staff Main Intelligence Directorate. This malware is exploiting a vulnerability in WatchGuard firewall appliances. This botnet is a malicious Linux ELF executable that has been active since at least the summer of 2019. The NCSC, Federal Bureau of Investigation (FBI), CISA, National Security Agency (NSA), and industry analysts assess this botnet is large scale and targeting Small Office/Home Office (SOHO) network devices. This could be an avenue for additional attacks or activities such as destruction and disinformation.

In addition, a threat group with ties to Russia, Primitive Bear (aka Shuckworm, Armageddon, Gamaredon) has continued to focus cyber-espionage efforts against Ukrainian targets. In the most recent efforts, the group has used eight new and unique payloads in phishing and spear phishing efforts. Primitive Bear efforts have regularly utilized freely-available remote access tools, including Remote Manipulator System (RMS) and UltraVNC, or customized malware called Pterodo/Pteranodon. The Security Service of Ukraine (SSU) noted that attacks have grown in sophistication in recent times, with attackers now using living-off-the-land tools to steal credentials and move laterally on victim networks.

In short, this most recent reporting highlights a continued targeting focus that has thus far been limited to Ukraine public and private entities; however, BlueVoyant is acutely aware of the previous Russia-Ukraine conflict leading to the NotPetya malware attacks that spread far beyond Ukraine’s borders. BlueVoyant is closely monitoring and collaborating with the cyber community to understand these attacks and profile the attackers in an effort to build detection content and maintain the highest possible defenses for our customers.

How BlueVoyant Is Responding

Managed Security Services: The BlueVoyant Security Operations Center is operating at a heightened level of awareness with additional staff on standby. BlueVoyant has already developed and deployed additional detections for activity related to the HermeticWiper wiper malware and observed adversary behavior leading to HermeticWiper malware execution. We will continue to monitor for any and all anomalous or suspicious activity using BlueVoyant’s library of custom detections along with alerting from endpoint agents and other log sources that are aptly designed to detect subsequent attacker activities. Our team continues to monitor the situation and related intelligence for any additional threat activity, and will develop and deploy new signatures rapidly as new indicators and behaviors are discovered.

Third-Party Cyber Risk Management (3PR): BlueVoyant is investigating potential customer third-party exposure to aid their ability to factor logical/digital asset geographic presence into overall third-party risk calculations as the Russia-Ukraine crisis continues to unfold. In addition, BlueVoyant is also stepping up overall vigilance to monitor for potential cybersecurity threats to organizations and their third parties as cyber attacks proliferate.

BlueVoyant Internal Security: BlueVoyant teams are operating with a heightened sense of awareness as the situation evolves. Our internal defense efforts are focused on ensuring we maintain full visibility across our environment, allowing us to proactively invoke detection and response playbooks. Our focus areas have centered around applying security best practices, which include:

• Applying additional scrutiny on all network activity, and confirming all outbound flows are documented and well understood.
• Reviewing application control lists on all endpoints/servers
• Testing response playbooks for rapid host and network-based isolation
• Increasing logging levels in critical production systems

BlueVoyant will continue to monitor the situation closely to rapidly identify any associated suspicious or malicious activity and will provide updates on any activity, information, or recommendations as they become available.