CyberNews

Ukraine/Russia war, a cyber war declared?

On Monday, February 21, 2022, Russian President Vladimir Putin recognised the independence of the separatist regions (Donetsk People’s Republic and Lugansk People’s Republic); three days later, on February 24, Russian forces invaded Ukraine and began bombing the capital, Kiev. Europe immediately condemned this decision, as did the United States, which initiated economic sanctions.

A visible conflict

The effects of the war in Ukraine are already clear. The escalation of this conflict will have direct economic consequences: the markets have reacted strongly, and the IMF has voiced concern about the impact.

  1. Economically, because the logistics chain is likely to be disrupted: aviation, the automotive sector, the production of agricultural equipment and some medicines are likely to be affected.
  2. In energy, the cost of gas is likely to rise significantly. As a reminder, Russia holds the largest gas reserves. It can therefore exploit Europe’s dependence to apply pressure and raise prices (even if the French government wants to be reassuring on this subject), or even stop exports outright. Recall that Germany has halted certification of the Nord Stream 2 gas pipeline. The price of oil will also be affected: it had already climbed 3% on Thursday, with a barrel of Brent crude approaching 100 USD, with many possible knock-on effects worldwide.
  3. In agriculture, Ukraine is the world’s fourth-largest exporter of wheat, and the conflict has already pushed up its price (344 euros per ton). France should be less affected.

Cyber risk: a less visible conflict

The Ukrainian case

Several organizations in Ukraine have been hit by attacks using newly discovered data-wiping malware (“wipers”).

What is a wiper?

A wiper is malware whose goal is to destroy its target by deleting, corrupting or irreversibly encrypting most of its data (caches, accounts, applications, files, settings…). The target becomes unusable: the OS usually has to be reinstalled, and the data is lost regardless. Wipers can target PCs, smartphones or IoT devices, but in most cases they target Windows systems. Unlike ransomware, there is no key to buy back: destruction is the objective, even when the malware is dressed up as ransomware.

Two of these wipers have made the news: WhisperGate and HermeticWiper. The latter has been seen on Ukrainian networks but also in Latvia and Lithuania. Ukraine has also been the target of DDoS (Distributed Denial of Service) attacks that have made some government sites unreachable.

What is it about?

WHISPERGATE

Recent attacks against Ukraine, such as the WhisperGate wiper discovered in mid-January alongside the defacement of some 15 Ukrainian government websites on January 14, have not been officially acknowledged by the Russian President, and their scale suggests they could extend beyond Ukrainian borders.

CYCLOPS BLINK

The UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and Federal Bureau of Investigation (FBI) issued a joint advisory on Cyclops Blink on Wednesday, February 23.

The full analysis report:

https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf

The joint advisory attributes Cyclops Blink to the Sandworm group, which the NCSC assesses is almost certainly a unit of Russia’s military intelligence service, the GRU.

Who is Sandworm?
  • Aka: Voodoo Bear, Telebots, Iron Viking (not to be confused with APT28 / Fancy Bear / Sofacy / Sednit, a separate GRU-linked group)
  • Origin: group attributed to the GRU
  • Techniques: spear phishing, exploitation of exposed network devices, destructive malware
  • Motivation: sabotage, subversion, cyber espionage
  • Targets: Ukrainian businesses and government agencies, energy and other critical infrastructure
  • Campaigns: BlackEnergy (2015), Industroyer (2016), NotPetya (2017) and the attack on the 2018 Winter Olympics (Olympic Destroyer).

What is Cyclops Blink?

Active since at least June 2019.

Family: successor of VPNFilter, the router botnet disrupted in 2018.

Particularities:

  • It is persistent: it is written into a legitimate firmware update image, so it survives reboots and even legitimate firmware updates.
  • It has been found on network appliances from the firewall vendor WatchGuard, specifically on devices whose management interface was exposed to the internet.

Capability: downloads and uploads files to and from its command-and-control servers, and monitors, collects and exfiltrates information from the device. It is modular: new functionality can be added through additional modules.

Recommendations (from the advisory and from WatchGuard):

  • Assume any device that exposed its management interface to the internet is compromised, and follow the vendor’s remediation steps
  • Update the device firmware and apply the latest security patches
  • Change all passwords and keys stored on the device, and use multifactor authentication for administration
  • Do not expose management interfaces to the internet; restrict administrative access to trusted networks
  • Block and monitor communications with the indicators of compromise published in the report

WatchGuard’s detection tool and remediation guidance:
https://detection.watchguard.com/

ISAACWIPER

According to ESET, IsaacWiper was deployed in campaigns separate from HermeticWiper.

IsaacWiper was reportedly used in a second attack, again against a Ukrainian government network, on February 24. ESET notes: “IsaacWiper shares no code-level overlap with HermeticWiper and is significantly less sophisticated.”

No official attribution has been made to date.

For further analysis and to get the IoCs here is the link to the ESET report:

https://www.welivesecurity.com/fr/2022/03/01/isaacwiper-hermeticwizard-nouveau-ver-effaceur-ukraine/

DDOS ATTACK

Numerous DDoS attacks have targeted government agencies, banks and the Ukrainian military.

Katana

On Sunday, February 13, the Katana botnet (a Mirai variant) hit the websites of several Ukrainian banks and government organizations, taking them offline through a distributed denial-of-service attack.

Fox Blade

On February 24 Microsoft detected a new malware it named FoxBlade, initially described as a Trojan that could be used for DDoS attacks. Microsoft’s later reporting identifies FoxBlade as its own name for the HermeticWiper described below.

According to Microsoft, the initial access vector is not yet known.

HERMETICWIPER

On Wednesday, February 23, Ukraine suffered a second assault, with a wiper dubbed HermeticWiper (its compilation timestamp is December 28, 2021, as noted by ESET, so it was prepared well before the attack). It is a data-erasure malware targeting financial and government institutions. A companion ransomware, HermeticRansom, written in Go, was deployed on some of the same networks, apparently as a decoy.

ESET detection name: Win32/KillDisk.NCV

Particularities:

  1. Requires an initial compromise of the network before it can be executed. In one case it was deployed from a compromised Windows domain controller (via group policy); in the other observed cases the initial compromise was not identified.
  2. Data erasure is performed through the legitimate, signed EaseUS Partition Master driver, which the wiper drops and loads to obtain raw disk access, rather than through a driver of its own.
  3. It directly targets Windows machines (Windows XP, Vista, 7, 10 and 11, 32- and 64-bit) and then corrupts the MBR (master boot record). The MBR is the first sector of the disk: it holds the boot code and the partition table that tell the firmware and the operating system where the partitions are. If the MBR is corrupted, the machine cannot boot. The MBR itself can be rebuilt, but HermeticWiper also corrupts the NTFS master file table (MFT) and overwrites file contents, so the data is lost even if the disk is made bootable again.
  4. Targeted attack, not an opportunistic worm.
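To make concrete what “corrupting the MBR” means, here is an added example (not code from the original article, nor from any of the malware analysed above) that parses a 512-byte MBR, checks its boot signature and partition table, and shows the check failing on a sector overwritten the way a wiper with raw disk access would. The sample sector is constructed inline and is not read from a real disk; the overwrite with zeros is a simulation, not the wiper’s actual behaviour.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte partition entries
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR


@dataclass
class PartitionEntry:
    status: int        # 0x80 = bootable, 0x00 = inactive
    part_type: int     # e.g. 0x07 NTFS, 0xEE protective MBR in front of a GPT disk
    lba_start: int     # first sector of the partition
    sector_count: int  # length in 512-byte sectors

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Parse the partition table of a 512-byte MBR; raise if the sector is not an MBR."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: sector is blank or corrupted")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS start(3, ignored) type(1) CHS end(3, ignored) LBA start(4) count(4)
        status, part_type, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if part_type == 0:           # empty slot
            continue
        entries.append(PartitionEntry(status, part_type, lba_start, count))
    return entries


def check_mbr(sector: bytes) -> Tuple[bool, List[str]]:
    """Sanity-check an MBR the way an integrity or recovery script would; returns (ok, issues)."""
    issues: List[str] = []
    try:
        entries = parse_mbr(sector)
    except ValueError as exc:
        return False, [str(exc)]
    if not entries:
        issues.append("partition table is empty")
    if sum(1 for e in entries if e.bootable) > 1:
        issues.append("more than one bootable partition")
    for e in entries:
        if e.status not in (0x00, 0x80):
            issues.append(f"invalid status byte 0x{e.status:02x}")
        if e.lba_start == 0 or e.sector_count == 0:
            issues.append(f"partition type 0x{e.part_type:02x} has a zero start or length")
    ordered = sorted(entries, key=lambda e: e.lba_start)
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.lba_start < prev.lba_end:
            issues.append("overlapping partitions")
    return not issues, issues


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code and one bootable NTFS partition at sector 2048."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (PART_TABLE_OFFSET - 3)   # placeholder, not real boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    empty = b"\x00" * PART_ENTRY_SIZE
    return boot_code + entry + empty * 3 + BOOT_SIGNATURE


def simulate_wipe(sector: bytes) -> bytes:
    """Simulation only: overwrite the whole first sector, as a wiper with raw disk access would."""
    return b"\x00" * len(sector)


if __name__ == "__main__":
    good = build_sample_mbr()
    print("before wipe:", check_mbr(good), [vars(e) for e in parse_mbr(good)])
    print("after wipe: ", check_mbr(simulate_wipe(good)))
```

On a Linux recovery host the same check can be run on a real first sector captured with `dd if=/dev/sda bs=512 count=1`; keeping such a copy (and a partition-table dump from `sfdisk -d`) is cheap, but it only restores bootability, not the MFT and file contents a wiper has destroyed.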

Capability: raw access to physical disks, corruption of the MBR, the MFT and file data, and disabling of the Volume Shadow Copy service to prevent recovery.

Recommendations: detonate suspicious files in a sandbox; restrict who can load drivers and monitor driver loads and raw disk access; protect domain controllers and group policy, which were used to distribute the wiper; keep offline, tested backups.
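As an added example (not from the article, ESET or any vendor), here is detection logic run over a handful of constructed Sysmon-style events that looks for the behaviour described above: a third-party partition driver loaded from an unexpected path, a non-system process opening a physical drive for raw access, the Volume Shadow Copy service being disabled and crash dumps being turned off, all on the same host within a short window. The event format, the field names, the allow-list and the driver signer string are simplified assumptions made for this example; the log lines are constructed, not captured from a real incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed Sysmon-style events (simplified fields; not a real capture).
# id: 6 = driver loaded, 9 = raw access read, 13 = registry value set
EVENTS = [
    {"ts": "2022-02-23T16:50:01", "host": "WS-17", "id": 6,
     "image": r"C:\Windows\System32\drivers\abdr.sys",            # random short name, constructed
     "signer": "CHENGDU YIWO Tech Development Co., Ltd."},
    {"ts": "2022-02-23T16:50:03", "host": "WS-17", "id": 13, "image": r"C:\Users\Public\cc.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled", "value": "0"},
    {"ts": "2022-02-23T16:50:04", "host": "WS-17", "id": 13, "image": r"C:\Users\Public\cc.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\vss\Start", "value": "4"},   # 4 = disabled
    {"ts": "2022-02-23T16:50:06", "host": "WS-17", "id": 9, "image": r"C:\Users\Public\cc.exe",
     "device": r"\Device\Harddisk0\DR0"},
    # benign noise on another host: an allow-listed backup agent doing raw reads, nothing else
    {"ts": "2022-02-23T16:51:00", "host": "SRV-02", "id": 9,
     "image": r"C:\Program Files\Backup\agent.exe", "device": r"\Device\Harddisk0\DR0"},
]

WINDOW = timedelta(minutes=5)
# Assumption for this example: the signer of the EaseUS partition driver the wiper abuses.
ABUSED_DRIVER_SIGNERS = {"CHENGDU YIWO Tech Development Co., Ltd."}
# Assumption: processes legitimately allowed to read physical drives in this environment.
TRUSTED_RAW_READERS = {r"c:\program files\backup\agent.exe"}


def classify(ev: dict) -> Optional[str]:
    """Map one event to an indicator name, or None if it is not interesting."""
    image = ev.get("image", "").lower()
    if ev["id"] == 6 and ev.get("signer") in ABUSED_DRIVER_SIGNERS and "easeus" not in image:
        return "partition_driver_loaded_from_unexpected_path"
    if ev["id"] == 9 and image not in TRUSTED_RAW_READERS:
        return "raw_physical_disk_access"
    if ev["id"] == 13:
        target = ev.get("target", "").lower()
        if target.endswith(r"\services\vss\start") and ev.get("value") == "4":
            return "vss_service_disabled"
        if target.endswith(r"\crashcontrol\crashdumpenabled") and ev.get("value") == "0":
            return "crash_dumps_disabled"
    return None


def detect(events: List[dict]) -> Dict[str, List[str]]:
    """Return {host: sorted indicators} for hosts whose indicators justify an alert.

    Alert if the abused partition driver is loaded at all, or if at least three
    distinct indicators occur on the same host within WINDOW.
    """
    by_host: Dict[str, list] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    alerts: Dict[str, List[str]] = {}
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            in_window = {tag for t, tag in hits[i:] if t - t0 <= WINDOW}
            if "partition_driver_loaded_from_unexpected_path" in in_window or len(in_window) >= 3:
                alerts[host] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for host, indicators in detect(EVENTS).items():
        print(f"ALERT {host}: {', '.join(indicators)}")
```

The driver-load indicator fires on its own because a partition-management driver has no business appearing on a workstation that does not have the product installed; the other three are individually noisy (backup agents read raw disks, administrators change services), so they are only combined, which is why the allow-list and the time window matter more than any single signature.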

CADDYWIPER

ESET analysts discovered a new wiper, CaddyWiper, detected as Win32/KillDisk.NCX. It differs from HermeticWiper and IsaacWiper and shares no code similarities with them.

It is a data-erasure malware, the fourth found in Ukraine since January, after WhisperGate, HermeticWiper and IsaacWiper. Unlike HermeticWiper, it skips domain controllers, which suggests the attackers wanted to keep their foothold in the domain while wiping the other machines.

THE THORNY ISSUE OF ATTRIBUTION

Attribution of these latest attacks is a delicate matter. We must caution against easy accusations made without evidence: sound attribution requires raw data that we do not always have, it takes time, and the latest attacks in Ukraine are too recent. Wild guesses must be avoided. In the case of Ukraine the context is very complex, even if the Russian President has announced direct cyber retaliation against any state that interferes in the armed conflict.

Finally, there is also a risk that other actors will act opportunistically in the shadow of the Russian aggression, or plant false flags (evidence or claims of responsibility designed to point at someone else), taking advantage of the surrounding chaos to conduct their own attacks.

THE RUSSIAN CASE

RURANSOM

A new malware has just been detected: RURansom. Despite its name it is a wiper: it encrypts files with keys that are never saved, so the encryption is irreversible. It spreads like a worm and is reported to target Russia specifically, checking that the victim machine is located in Russia before running its payload.

It was detected between February 26 and March 2.

Risk of the conflict spreading

We cannot say for sure that this conflict will spread.
What is certain is that a “war 3.0” has begun in Ukraine. All the ingredients are there: military operations, negotiations, digital offensives and attempts at destabilization through disinformation.
The fear of global cyberattacks remains; we must expect a diversification of both attacks (ransomware, DDoS) and targets.
States do not hesitate to use cyber weapons: NotPetya in 2017 crippled organizations across Ukraine and then spread worldwide.
This type of threat could well be exported and cause disruption within public services (health, water, civil infrastructure), government systems, private companies and critical infrastructures, and thus paralyse whole countries.

  1. The telecommunications and Internet infrastructure companies may be targeted.
  2. The European Central Bank was actually the first to warn of an imminent risk of attack on financial institutions.
  3. The US has mentioned suffering reconnaissance attacks on its energy sector and attributes these offensives to the Russian state.
  4. Manipulation and destabilization through disinformation is another threat. There are no direct victims, but the threat is insidious. Many false bomb threats are currently circulating in Ukraine, sowing chaos and fear, and false information is cultivating doubt. Propaganda is a weapon.

Cyber actions

Ukraine is preparing for all eventualities: erasing servers at risk of capture, moving sensitive data out of Kiev, immediately cutting off access to compromised accounts. The U.S. and Europe have sent cyber experts to help Ukraine modernize its IT systems, but as the threat intensified those teams had to relocate and are now reachable only remotely, which would become complicated in the event of a cyber attack.

The Ukrainian government has even called on its own hacker community to help defend the country against attacks and to conduct espionage against Russian forces. The call was heard: messages of support quickly appeared on dark web hacker forums.

The war is also waged on the field of disinformation. By producing large volumes of fake news, Russia tries to justify its military actions.

There is no shortage of examples, such as the claims that Ukraine committed acts of aggression against the Donbass, or that Ukrainian and Polish soldiers attacked chemical plants.

Faced with these claims, Ukrainian fact-checking activists, supported by journalists on the ground and by Bellingcat, work to demonstrate that the accusations are false.

The hacker collective Anonymous has also joined in, knocking several Russian government and state-media websites offline (including RT.com, the site of Russia Today).

And in France?

France remains “privileged” in some respects: it is less dependent on Russian gas thanks to its nuclear power production and its supply agreements with Norway. As for wheat, France has strong domestic cereal production, which protects it from a possible shortage.

Regarding cyber attacks, France is exposed in the same way as other countries, so the ANSSI (the national cybersecurity agency) has issued a statement calling for vigilance. It warns of possible spillover effects in cyberspace and asks every company to strengthen its cybersecurity measures. The same goes for institutions and OIVs (opérateurs d’importance vitale, the operators of critical infrastructure).

It also addresses VSEs and SMEs, which are not safe from being targeted by attackers.

As a reminder, here are some links on digital hygiene:

https://www.ssi.gouv.fr/uploads/2017/01/guide_hygiene_informatique_anssi.pdf

https://www.ssi.gouv.fr/entreprise/bonnes-pratiques/

The French government is considering a possible cyber response; it has put measures in place and has asked all its institutions to raise their level of vigilance.

The ANSSI is on the front line: it has issued an alert bulletin, which we relayed in a previous article.

The French prefects are also mobilized. President MACRON has asked them not to leave their posts and has required “the availability of all mobilized and mobilizable services”.

The digital risk can affect every institution: city halls, regional bodies, local authorities, but also large groups, directly or indirectly via attacks on their supply chains; SMEs are concerned too.

In addition to these measures, Councils of Ministers follow one another, both in France and in Europe.

France and Europe must prepare for attacks: cyber is now a weapon like any other. Cyber war is not new; it is simply more visible today through the media. We can see the place the cyber domain now occupies on the world chessboard.

How to get ready?

More than ever, companies must prepare for an attack and anticipate as much as possible, with an efficient and tested BCP (Business Continuity Plan), and reinforce their technical defenses. They must redouble their vigilance towards partners and service providers, because attackers will target supply chains. As a reminder, many Ukrainian organizations directly supply Fortune 500 companies, and 35 of the CAC 40 groups have operations in Russia (TotalEnergies, Renault, Auchan…).

We recommend to :

  1. Follow the FR CERT: https://www.cert.ssi.gouv.fr/
  2. Follow ANSSI recommendations: https://www.ssi.gouv.fr/actualite/tensions-internationales-renforcement-de-la-vigilance-cyber/
  3. Keep all operating systems and software up to date.
  4. Remind your employees of cyber risks and ask them to report any unusual event.

If you need support or have questions about the protections you are equipped with, contact us.