Ukraine has a healthy IT sector that provides services to companies all over the globe, including over one-fifth of the Fortune 500, according to a website published by Ukraine’s Ministry of Foreign Affairs. For this reason, companies should assess their exposure to cyber attacks connected with the current invasion. HermeticWiper malware is being used against various targets in Ukraine and has already been detected outside of the country. It first appeared almost 12 hours before the beginning of the physical invasion of Ukraine, so it was likely part of a coordinated effort by Russia. The 2017 NotPetya attack, which originated in Ukraine and spread to companies all over the world (it was considered history’s most costly and destructive cyber attack), demonstrates how quickly such incidents can spiral out of control.
Initial industry analysis suggests HermeticWiper is an MBR wiper that leverages the legitimate EaseUS Partition Manager drivers to conduct its destructive actions. The intent behind the attacks seems similar to that of the WhisperGate malware deployed earlier this year against targets in Ukraine, but HermeticWiper is considerably more complex. There have also been reports of DDoS attacks against various targets. It is important to note that the internet connects people and organizations from all over the globe. For this reason, cyber attacks against targets in Ukraine can very easily affect people in other countries, making them a realistic concern.
While the above comments and the seriousness of the invasion are a cause for concern, most organizations have no reason to panic over potential cyber attacks. There is currently no reason to believe that the cyber attacks will spread rapidly or affect most organizations in the world, and there are many steps organizations can take to protect themselves. If they haven’t already, organizations should first assess their exposure. Company leaders should examine their infrastructure and operations to look for areas that could turn into potential targets. Do they have any presence in Ukraine? What about the Baltics? They could also take it a step further, be extra cautious, and simply assume they will be a target. From that perspective, they can begin looking for weaknesses to actively address.
Companies that are active in implementing basic security measures have a considerable advantage here. Basic security measures that will help include:
- Install security patches on everything
- Ensure you have capable endpoint protection / MDR on all servers
- Whitelist outbound traffic (if you can, geoblock)
- Secure Active Directory (specific advice available here)
- Establish a process for filtering phishing emails
- Restrict the use of office macros
- Use multifactor authentication when possible
- Back up critical data (preferably air-gapped, read-only backups that cannot be removed or overwritten)
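Several of the items in the list above can be checked on a Windows host without changing anything. The following read-only audit script is an added example written for this page; it is not WithSecure’s code or tooling. It assumes an elevated PowerShell session, an Office 2016/2019/365 policy key path under version 16.0, a 30-day patching window as the threshold, and Microsoft Defender as the endpoint agent (replace the last check with your own MDR agent’s service if you use a third-party product). The thresholds and key paths are the author’s assumptions, not values from the page.

```powershell
# Added example, not WithSecure's code: read-only audit of a few checklist items on one host.
# Assumptions: elevated session; Office policy keys under 16.0; 30-day patch window;
# Microsoft Defender as the endpoint agent.

$Findings = @()

# 1. Security patches: flag the host if no update was installed in the last 30 days.
$LastPatch = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $LastPatch -or $LastPatch.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $Findings += "Patching: no update installed in the last 30 days (last: $($LastPatch.InstalledOn))"
}

# 2. Outbound traffic: allow-listing means the default outbound action on every
#    firewall profile should be Block, with explicit rules for what is permitted.
foreach ($FwProfile in Get-NetFirewallProfile) {
    if ($FwProfile.DefaultOutboundAction -ne 'Block') {
        $Findings += "Firewall: profile '$($FwProfile.Name)' allows all outbound traffic by default"
    }
}

# 3. Office macros: VBAWarnings = 4 disables macros without notification, and
#    BlockContentExecutionFromInternet = 1 blocks macros in files downloaded from the web.
foreach ($App in 'Word', 'Excel', 'PowerPoint') {
    $Key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"   # assumed path
    $Sec = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($Sec.VBAWarnings -ne 4) {
        $Findings += "Macros: $App VBAWarnings is '$($Sec.VBAWarnings)' (expected 4)"
    }
    if ($Sec.BlockContentExecutionFromInternet -ne 1) {
        $Findings += "Macros: $App does not block macros in Internet-sourced files"
    }
}

# 4. Endpoint protection: confirm the built-in agent is running with real-time protection.
$Mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $Mp -or -not $Mp.RealTimeProtectionEnabled) {
    $Findings += "Endpoint: Microsoft Defender real-time protection is not enabled"
}

# Report: one line per gap so the output can be collected from many hosts and compared.
if ($Findings.Count -eq 0) {
    Write-Output "All audited controls are in place on $($env:COMPUTERNAME)"
} else {
    Write-Output "Gaps found on $($env:COMPUTERNAME):"
    $Findings | ForEach-Object { Write-Output " - $_" }
}
```

The script deliberately only reads state; enforcing the macro and firewall settings is a Group Policy change that should go through normal change control. Multifactor authentication, Active Directory hardening and air-gapped backups are not host-local properties and need to be verified in the identity platform and backup system instead.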
WithSecure remains committed to protecting its clients. For over 30 years, its various products and services have successfully defended people and organizations from attacks across a wide spectrum of threat actors, including nation-states and those acting in support of nation-states. WithSecure’s products and services block the HermeticWiper malware (detected as TR/KillDisk.BG and TR/KillDisk.EZ) currently seeing use in Ukraine.