As Russian activity in Ukraine has moved from heightened tension to a full invasion, the conflict is being fought in both the physical and cyber arenas. To that end, novel wiper malware attributed to Russian state actors has been deployed to destroy and degrade Ukrainian assets and infrastructure, but the blast radius almost certainly will not be limited to those targets.
This wiper malware is closely related to the ransomware we have all become familiar with over the past few years. The only real difference is the end goal: to irreversibly destroy data and deny access to systems, rather than to hold them for ransom. As a result, we should lean on the hard-learned lessons from ransomware attacks in recent years, particularly those attributed to or closely related to Russian groups.
Like ransomware operators, the wiper malware campaign typically exploits externally accessible services to gain a foothold within an organisation's network. From there, command-and-control (C2) channels are established, including web shells in the DMZ, to ensure ongoing control. Once this foothold is established, attackers dump credentials and use them to expand their access across the environment, with the intent of maximising their ability to inflict damage.
In the attack's final stage, the wiper is activated to render systems inoperable. Attackers trigger this final stage once they have maximised their reach, or earlier if they become aware that they have been discovered and are at risk of losing control.
Each step along the way from one compromised system to an entire network of compromised systems is about maximising that final impact. Attackers are only able to do this by using their initial point of compromise to move through the network and expand their access as broadly as possible.
As with ransomware, we expect the disclosed IOCs and the malware itself to change over time; it is easy for attackers to make those changes rapidly. Conversely, the techniques attackers use to implant malware and achieve maximum impact within an environment are unlikely to change, and that is where defensive effort is best spent.
Ultimately, these threats represent an intent to destroy, and organisations would do well to improve their resilience and put plans in place to ensure rapid recovery. There are practical steps to take, many of which are not new recommendations but may be sitting somewhere in your organisation's backlog. Given the change in the threat landscape, we suggest that organisations re-run their risk calculus and make some or all of the following changes.
Remove the low-hanging fruit. Patch and protect publicly accessible assets. Public-facing assets with known exploitable vulnerabilities are easy targets, and patching them must be a top priority; CISA's Known Exploited Vulnerabilities catalogue is a good list to work from. In the same vein, accounts for VPN access, public logon portals and SaaS services must be protected by multifactor authentication.
Control the DMZ. Authorised outbound traffic from the network DMZ needs to be explicitly whitelisted, so that an adversary who lands there cannot easily establish a useful foothold. Such a whitelist takes work to maintain, but it materially complicates an adversary's ability to run command-and-control from your DMZ.
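The whitelist above is only useful if you can check that DMZ traffic actually conforms to it, and the C2 channels described earlier show up as exactly the kind of outbound connection it should never permit. The script below is an added example, not code from the original article: it takes an explicit outbound whitelist of (destination, port) pairs, audits constructed connection log lines for DMZ hosts talking to anything not on the list, and counts repeated hits to the same unexpected destination, which is the beaconing pattern a web shell or implant in the DMZ would produce. The DMZ range, the whitelist entries and the log format are all hypothetical.

```python
"""
Audit outbound DMZ connections against an explicit whitelist.

Added example (not from the original article). All values are assumptions:
- DMZ_NET uses the RFC 5737 documentation range 192.0.2.0/24.
- WHITELIST lists the only destinations DMZ hosts legitimately need.
- Log lines are constructed in a simple "ts src dst dport proto" format.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

DMZ_NET = ipaddress.ip_network("192.0.2.0/24")  # hypothetical DMZ range

# Explicit outbound whitelist: (destination network, destination port).
# Everything else leaving the DMZ is treated as a violation.
WHITELIST = [
    (ipaddress.ip_network("10.10.5.20/32"), 5432),    # app tier -> internal DB
    (ipaddress.ip_network("10.10.1.53/32"), 53),      # internal resolver
    (ipaddress.ip_network("198.51.100.10/32"), 443),  # vendor update mirror
]


@dataclass(frozen=True)
class Conn:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_line(line):
    """Parse one 'ts src dst dport proto' record into a Conn."""
    ts, src, dst, dport, proto = line.split()
    return Conn(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto)


def is_allowed(conn):
    """True if the destination and port match a whitelist entry."""
    return any(conn.dst in net and conn.dport == port for net, port in WHITELIST)


def audit(lines):
    """Return (violations, beacons).

    violations: every connection sourced from the DMZ that is not whitelisted.
    beacons: Counter of (dst, dport) over those violations; the same
    unexpected destination recurring is the shape of a C2 beacon.
    """
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        conn = parse_line(line)
        if conn.src not in DMZ_NET:
            continue  # only traffic leaving the DMZ is in scope here
        if not is_allowed(conn):
            violations.append(conn)
    beacons = Counter((str(c.dst), c.dport) for c in violations)
    return violations, beacons


# Constructed sample log: two whitelisted flows, three repeated hits from a
# DMZ host to an unlisted external address, one non-DMZ flow (ignored), and
# one whitelisted update-mirror flow.
SAMPLE_LOG = """\
# ts src dst dport proto (constructed)
2022-03-01T10:00:01Z 192.0.2.10 10.10.5.20 5432 tcp
2022-03-01T10:00:05Z 192.0.2.10 10.10.1.53 53 udp
2022-03-01T10:01:00Z 192.0.2.11 203.0.113.7 443 tcp
2022-03-01T10:02:00Z 192.0.2.11 203.0.113.7 443 tcp
2022-03-01T10:03:00Z 192.0.2.11 203.0.113.7 443 tcp
2022-03-01T10:03:30Z 10.10.7.4 203.0.113.7 443 tcp
2022-03-01T10:04:00Z 192.0.2.10 198.51.100.10 443 tcp
"""

if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG.splitlines())
    for c in found:
        print(f"VIOLATION {c.ts} {c.src} -> {c.dst}:{c.dport}/{c.proto}")
    for (dst, port), n in counts.most_common():
        print(f"{dst}:{port} seen {n} times from the DMZ")
```

The same whitelist is what you would encode as the default-deny outbound policy on the DMZ firewall; running this audit over flow or firewall logs before enforcing it tells you what will break, and running it afterwards tells you what is trying to get out anyway.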
Trust and least privilege. We often relate this to administrative credentials, but in this case view it through the lens of your publicly accessible systems and their trust relationships with the rest of the network. The accumulated risk from all the times systems and accounts were over-privileged to ease deployment and operation is often the key factor that enables the attack.
Opinions and comments are those of the authors mentioned.