The US government has urged organizations to shore up defenses "now" in response to website defacements and destructive malware targeting Ukraine government websites and IT systems.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new 'CISA Insights' document aimed at all US organizations, not just critical infrastructure operators. The checklist of actions is CISA's response to this week's cyberattacks on Ukraine's systems and websites, which the country's officials have blamed on hackers linked to Russian intelligence services.
Ukraine officials also told media that dozens of systems in at least two government agencies were wiped during an attack last week.
The use of destructive malware is reminiscent of NotPetya in 2017, which was effectively ransomware that lacked a recovery mechanism. It hit several global businesses, most notably shipping giant Maersk which needed to overhaul 45,000 desktops and 4,000 servers, although the actual target was probably businesses in Ukraine. Many NotPetya victims were infected through a hacked update for a Ukrainian software accounting package.
"The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past—e.g., NotPetya and WannaCry ransomware—to cause significant, widespread damage to critical infrastructure," CISA notes in the Insights document.
Prior to the latest cyberattacks on Ukraine, CISA published an advisory aimed primarily at US critical infrastructure operators detailing recent Russian state-sponsored hacker tactics, techniques, and attacks on enterprise systems such as VPNs, Microsoft Exchange, VMware, Oracle software. It also spotlighted destructive attacks on operational technology (OT)/industrial control systems (ICS) networks in the US and Ukraine.
The new CISA document stresses that "senior leaders at every organization in the United States are aware of critical cyber risks and take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise." It added "If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic."
Microsoft on Saturday said it had found destructive malware on dozens of systems at government, non-profit and IT organizations, all located in Ukraine. The malware displays a ransom demand but this is just a ruse, as it overwrites the Windows Master Boot Records (MBR) and lacks a recovery mechanism, according to Microsoft.
Multi-factor authentication is central to CISA's recommendations. It should be used by all organizations for network and systems that require privileged or admin access. The other is patching systems with available updates. Also, organizations should disable all non-essential ports and protocols, implement controls for using cloud services, and conduct vulnerability scanning.
CISA also recommends preparing a crisis-response team, developing response plans and nominating key personal, and practicing incident response.
To build resilience to destructive malware, CISA urges everyone to test backup procedures, ensure backups are isolated from network connections, and ensure that critical data can be rapidly restored. Organizations with ICS or OT systems should endure critical functions remain operable in a network outage.