Windows is in Moscow’s crosshairs, too

Credit to Author: Preston Gralla | Date: Fri, 25 Feb 2022 03:00:00 -0800

Russia telegraphed its intentions to invade Ukraine well ahead of this week’s attack by massing nearly 200,000 soldiers along Ukraine’s borders, and by Vladimir Putin’s increasingly belligerent threats.

Behind the scenes, Russia was doing more than that, including dangerous cyberattacks launched against Ukraine. And, as is typically the case in such attacks, Windows systems were the target.

“We’ve observed destructive malware in systems belonging to several Ukrainian government agencies and organizations that work closely with the Ukrainian government,” Tom Burt, Microsoft corporate vice president for customer security and trust, wrote in a blog post in mid-January. “The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable.” In a related technical post detailing how the malware works, Microsoft added: “These systems [under cyberattack] span multiple government, non-profit, and information technology organizations, all based in Ukraine.”

Notably, money was not the object of the attacks. Instead, the attackers wanted to destroy systems and data. And they succeeded. The malware attacked Windows-based systems, overwriting Master Boot Records (MBR) with a ransom note. Microsoft explains, “The MBR is the part of a hard drive that tells the computer how to load its operating system.”

After the infection, “the malware executes when the associated device is powered down,” Microsoft said. “Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransomware note is a ruse and the malware destructs MBR and the contents of the files it targets.” (The malware attacks files in other ways as well.)

The attacks, in essence, were the first act of war against Ukraine; they likely presage more to come now that full-on war has begun.

Just before Russia’s invasion, another — possibly more dangerous — cyberattack against Ukraine came to light, according to CIODive; that attack uses WatchGuard firewall appliances to spread malware. John Hultquist of Mandiant Threat Intelligence told CIODive, “In light of the crisis in Ukraine, we are very concerned about this actor, who has surpassed all others we track in terms of the aggressive cyberattacks and information operations they have conducted. No other Russian threat actor has been so brazen and successful in disrupting critical infrastructure in Ukraine and elsewhere.”

The same post also warns about a new piece of malware targeting Windows machines in Ukraine: HermeticWiper, whose sole purpose is to destroy data, again by corrupting the MBR of the machines it infects.
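Both wipers described above, the MBR-overwriting malware Microsoft analyzed and HermeticWiper, attack the same 512-byte structure, so it helps to see what that structure contains and how a defender might check it. The script below is an added example for this article, not code from Microsoft, Mandiant or the article's author. It parses a raw MBR image (bootstrap code, the four-entry partition table, and the 0x55AA boot signature), then applies a simple heuristic: genuine bootstrap code is machine code with few printable bytes, whereas a ransom note written over that region is mostly readable text. The threshold, the printable-text heuristic and both sample images are assumptions constructed for illustration; the "ransom note" text is invented and does not reproduce any real malware's note.

```python
"""Parse a 512-byte Master Boot Record image and flag a ransom-note overwrite.

Added example for this article (not code from Microsoft, Mandiant or the
author). The detection heuristic and the sample images are assumptions.
"""
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition entries as dicts (empty entries included)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def assess_mbr(mbr: bytes, text_threshold: float = 0.6) -> dict:
    """Classify an MBR image and return the findings.

    Heuristic (an assumption for this example): a bootstrap region that is
    mostly printable text, or a missing boot signature, indicates the MBR
    has been overwritten and the machine will not boot its OS.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    ratio = printable_ratio(mbr[:BOOT_CODE_SIZE])
    parts = parse_partitions(mbr)
    has_sig = mbr[-2:] == BOOT_SIGNATURE
    return {
        "boot_signature_ok": has_sig,
        "printable_ratio": round(ratio, 2),
        "bootable_partitions": sum(1 for p in parts if p["bootable"]),
        "nonempty_partitions": sum(1 for p in parts if p["type"] != 0),
        "looks_overwritten": ratio >= text_threshold or not has_sig,
    }


def sample_healthy_mbr() -> bytes:
    """Constructed stand-in for an intact MBR: pseudo machine code, one
    active NTFS partition starting at LBA 2048, valid boot signature."""
    # A byte pattern with many non-printable values stands in for real
    # bootstrap code, which is not reproduced here.
    code = bytes((i * 37 + 0x80) & 0xFF for i in range(BOOT_CODE_SIZE))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 1_000_000)
    table = entry + b"\x00" * 48  # remaining three entries empty
    return code + table + BOOT_SIGNATURE


def sample_ransom_note_mbr() -> bytes:
    """Constructed stand-in for a destroyed MBR: invented ransom text fills
    the bootstrap region and the partition table is zeroed."""
    note = (b"Your hard drive has been corrupted.\r\n"
            b"To recover, contact the address below.\r\n"
            b"This is constructed sample text for the example.\r\n")
    code = (note * 10)[:BOOT_CODE_SIZE]
    return code + b"\x00" * 64 + BOOT_SIGNATURE


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read(MBR_SIZE)
    else:
        image = sample_ransom_note_mbr()
    print(assess_mbr(image))
```

To run it against a real disk, first capture the first sector to a file (for example `dd if=/dev/sda bs=512 count=1 of=mbr.bin` on Linux, or by opening `\\.\PhysicalDrive0` with administrator rights on Windows) and pass that file as the argument; reading it from a known-good boot image is safer than reading from a suspect host. The heuristic only catches overwrites that leave readable text or drop the boot signature; a wiper that fills the sector with random bytes but keeps 0x55AA would need a comparison against a stored hash of the known-good MBR instead.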

There’s reason to believe more is coming. “U.S. authorities have warned for months about the potential collateral damage of a Russian military incursion into Ukraine,” CIODive reported. “The new cyber activity could ricochet through multinational businesses, supply chains and key infrastructure facilities, like transportation, energy and healthcare.”

In a similar vein, CybersecurityDive explained how the conflict could spill over into attacks on U.S. enterprises. “As international pressure grows over Russia’s conflict with Ukraine, major U.S. enterprises — particularly those operating critical infrastructure — are in the crosshairs of a nation-state military standoff that could easily spill onto the cyber terrain. Russia, largely isolated by the United States and key NATO allies, has demonstrated the will and ability to leverage a sophisticated arsenal of cyber capabilities from its military intelligence arm and a range of proxies from the country’s criminal underground.”

US government officials believe the US will also be targeted. Earlier this month, ABC News cited a US Department of Homeland Security note that warned: “We assess that Russia would consider initiating a cyberattack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security.”

Given Putin’s apparent paranoia, there’s little doubt he believes US and NATO responses to the invasion — including sanctions and other forms of economic pain — will threaten Russia’s long-term national security. So, we can expect attacks to begin at any point.

What does this mean for business? Plenty. If Russian cyberattacks against the United States materialize, your company will be in the crosshairs even if it doesn’t operate critical infrastructure or have anything to do with finance or security. When wide-ranging attacks are launched, they take on a life of their own and hit any business they can reach.

If companies haven’t already undertaken stepped-up security precautions, they’re already late. It’s time to harden your outer defenses. Patch every system that can be patched. Check Microsoft’s security bulletins. Teach your staff how to recognize email-borne and mobile-borne attacks.

And recognize that this is just the beginning. This war is among the first in which cyberattacks accompany real-world damage. Given humankind’s penchant for warfare, more wars will follow. And Windows, because of its widespread use, will remain a key target.

http://www.computerworld.com/category/security/index.rss