Ukraine on High Alert: Denial-of-Service and Wiper Attacks Thursday, February 24, 2022 By: Secureworks
On February 24, 2022, Russia launched a military incursion into Ukraine. Late on February 23, Secureworks Counter Threat Unit™ (CTU™) researchers investigated reports of denial-of-service and wiper attacks impacting Ukrainian government entities and financial institutions. Currently available information indicates that these attacks are deliberately focused on Ukrainian organizations, and do not employ ‘wormable’ propagation capability such as that used by NotPetya in 2017, reducing the potential for these attacks to spread beyond Ukraine’s borders.
Further disruptive attacks on Ukrainian entities in support of ongoing Russian military operations are likely. As is the potential for reprisal cyber-attacks following any Western economic sanctions conducted either by Russian government-backed threat actors or, more-likely, by independent threat actors with a pro-Russian agenda.
Computer Emergency Response Teams around the world such as US CISA, the UK National Cyber Security Centre and the European Union Agency for Cybersecurity (ENISA) have all published joint guidance on best practises to help organisations raise their cyber resilience.
CTU researchers are actively working on threats that could be related to the escalating conflict and are collaborating closely with the Joint Cyber Defence Collaborative and with other public and private sector partners.
Numerous threat intelligence products have been published since mid-January, including most recently an advisory on February 21. Countermeasures are being developed for any tools identified by CTU researchers as potentially related to this situation and will be deployed in production following a period of review and tuning. Even while in tuning mode, CTU researchers will monitor for any observed impact to Secureworks customers and notify them directly as appropriate.
Recommendations:
Due to the rapidly deteriorating security situation in Ukraine and the speed at which cyber-attacks can unfold, customers are strongly advised to consider logically separating business operations located in Ukraine from other global networks. This includes severing any persistent VPN connections or remote network shares to suppliers or business partners with operations located in Ukraine. Organizations with operations in Ukraine should also prepare for continuity of operations in the case of power disruptions or loss of other business-critical services.
In view of the potential for reprisal attacks in response to any Western sanctions or military response, customers are advised to:
- Review their business continuity plans and restoration processes in the event of ransomware-style or wiper malware attacks.
- Maintain fundamental security practices such as patching internet-facing systems against known vulnerabilities, implementing and maintaining antivirus solutions, and monitoring endpoint detection and response solutions.
- Monitor for and follow advice issued by the U.S. State Department or their equivalent government department / ministry of foreign affairs.
originally published onhttps://www.secureworks.com/blog/russia-ukraine-crisis
