FAQ on cyber attacks related to invasion of Ukraine

Q: Are cyber attacks occurring as part of the invasion of Ukraine?

A: Yes. There is reliable evidence of on-going cyber operations against targets in Ukraine.

Q: What kind of attacks are happening?

A: The situation is developing so its difficult to provide a comprehensive list of activities, targets, or specific incidents. However, we have confirmed findings published by other companies regarding the use of the HermeticWiper malware against various targets in Ukraine. We saw it deployed against a critical national infrastructure organization earlier in the week. There have also been reports of DDoS attacks against various targets.

Initial industry analysis suggests HermeticWiper is an MBR wiper and it leverages the legitimate EaseUS Partition Manager drivers to conduct destructive actions. The intent behind the attacks seems similar to the Whispergate malware that was deployed earlier this year against targets in Ukraine, but is considerably more complex.

The attack vector is currently unknown. However, because HermeticWiper activity first appeared almost exactly 12 hours before the beginning of the physical invasion of Ukraine, it was likely part of a coordinated effort by Russia. It is entirely possible that instances of HermeticWiper detected in the last 24 hours were in networks compromised days or weeks ago.

Q: Will these cyber attacks affect people and companies outside of Ukraine?

Yes, there are already reports of organizations in other countries getting hit by attacks in connection with those happening in Ukraine. For example, the HermeticWiper malware mentioned above has been detected outside of Ukraine.

It is important to note that the internet connects people and organizations from all over the globe. For this reason, cyber attacks against targets in Ukraine can very easily affect people in other countries, making it a realistic concern. 2017’s NotPetya attack, which originated in Ukraine and spread to companies all over the world (eventually leading to claims at that time that it was history’s most costly, destructive cyber attack), demonstrates how quickly incidents can spiral out of control.

Ukraine has a healthy IT sector that provides services to companies all over the globe, including over one-fifth of the Fortune 500, according to a website published by Ukraine’s Ministry of Foreign Affairs. For this reason, companies should assess their exposure to cyber attacks connected with the invasion.

Q: What should people and companies do to protect themselves from cyber attacks connected to the invasion?

While the above comments and seriousness of the invasion are a cause for concern, there is no need to let potential cyber attacks cause panic for most. There’s currently no reason to believe that the cyber attacks will spread rapidly or affect most organizations in the world. And there’s lots of steps organizations can take to protect themselves.

If they haven’t already, organizations should first assess their exposure. Company leaders should examine their infrastructure and operations to look for areas that could turn into potential targets. Do they have any presence in Ukraine? What about the Baltics? They could also take it a step further to be extra cautious and simply assume they’ll be a target. And from that perspective, begin looking for weaknesses to actively address.

Companies that are active in implementing basic security measures have a considerable advantage here. Basic security measures that will help include:

• Install security patches on everything
• Ensure you have capable endpoint protection / MDR on all servers
• Whitelist outbound traffic (if you can, geoblock)
• Secure Active Directory (specific advice available here: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory)
• Establish a process for filtering phishing emails
• Restrict the use of office macros
• Use multifactor authentication when possible
• Backup critical data (preferably air-gapped, read-only backups that cannot be removed or overwritten)

Q: I am an WithSecure customer. Am I protected?

A: WithSecure remains committed to protecting its clients. For over 30 years, our various products and services have successfully defended people and organizations from attacks across a wide spectrum of threat actors, including nation-states or those acting in support of nation-states. Our various products and services block the HermeticWiper malware (detected as TR/KillDisk.BG and TR/KillDisk.EZ) currently seeing use in Ukraine.

Q: Where can I find more information?

A: Authorities in several countries have published advisories for companies to prepare for possible attacks related to the invasion. These can provide some guidance to help companies figure out whether they need to worry.

Pay attention to instructions provided by your local authorities as they come, for example in Finland here: https://www.kyberturvallisuuskeskus.fi/.

United States
https://www.cisa.gov/shields-up

United Kingdom
https://www.ncsc.gov.uk/news/organisations-urged-to-bolster-defences

Japan
https://www.meti.go.jp/press/2021/02/20220221003/20220221003.html

Poland
https://cert.pl/posts/2022/02/rekomendacje-cyberprzestrzen-ukraina/