The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged a “Shields Up” defense-in-depth approach as Russian use of wiper malware in the Ukrainian war escalates. The Russian malware “HermeticWiper” and “WhisperGate” are destructive attacks that corrupt the infected computer’s master boot record, rendering the device inoperable. The wipers amount to a denial-of-service attack designed to render the device’s data permanently unavailable or destroyed. Although the malware to date appears to be manually targeted at selected Ukrainian systems, the risk of a spillover effect to Europe and the United States is now escalating, particularly as to: (i) targeted cyber attacks, including on critical infrastructure and financial organizations; and (ii) use of a rapidly spreading, indiscriminate wiper like the devastating “NotPetya” that quickly moves across trusted networks. Indeed, Talos researchers have found functional similarities between the current malware and “NotPetya,” which was attributed to the Russian military and targeted Ukrainian organizations in 2017, but then quickly spread around the world, reportedly resulting in over $10 billion in damage.[1] The researchers added that the current wiper includes even further components designed to inflict damage.

The CISA alert issued on February 26, 2022 warns that, “[d]estructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.” The United Kingdom’s National Cyber Security Centre (NCSC) has also issued an alert emphasizing, “Recent cyber activity in and around Ukraine fits with the pattern of Russian behavior previously observed, including in the damaging NotPetya incident.” Our blogs consistently highlight the intersection of cybersecurity legal requirements and information security safeguards, and the importance of a risk-based defense in depth, e.g., addressing risks from cyber threats in the supply chain, Internet of Things (IoT) devices and related IoT standards, and the remote workforce, employing NIST and other risk reduction frameworks. Regulatory obligations require a risk-based approach to cybersecurity, and, right now, as highlighted by the CISA and NCSC guidance, the risk is higher than normal and escalating.

The defense-in-depth guidance provided by CISA and NCSC is comprehensive, but it is worth highlighting certain key steps that deserve particular attention right now given the current crisis:

  • communicate to every employee the need to be hyper-vigilant and on guard for phishing, smishing and other social engineering attacks. It is a good time to emphasize the cyber risks to the organization arising from the Ukraine war and the increased possibility of targeted cyber attacks, and to remind staff never to open untrusted links or email attachments. Advise employees to report any unusual activity immediately.
  • ensure that backups are in place, logically and physically segregated from other systems, and fully tested, so that in the event of a wiper or other denial-of-service attack on the availability of systems and data, the organization is confident that operations can be restored. Review the organization’s Incident Response Plan now in light of the ongoing events in Ukraine.
  • if a device becomes infected with a wiper, immediately disconnect the infected computer, laptop or tablet from all network connections, whether wired, wireless or mobile-phone based. See NCSC, Mitigating Malware Attacks.
  • in urgent circumstances, if your organization becomes infected across multiple devices, consider whether to take the defensive measure of temporarily unplugging your network from the internet, including disabling core network connections to limit damage. Plan now for this possibility, weighing the costs and benefits, because you may have to make an immediate decision (e.g., NotPetya spread around the globe, jumping from trusted network to trusted network at a rapid pace). See NCSC, Steps to take if your organization is already infected.
  • as part of your Incident Response Plan, have in place alternative means to communicate with your workforce if an incident occurs and you cannot use your email, voice over IP or other normal communication channels. This should be a key element in your planning.
  • run an updated vulnerability scan on all internet-facing systems and, as always, eliminate unneeded ports and services. CISA has published a list of the most commonly exploited vulnerabilities. Per NCSC guidance: “Perform an external vulnerability scan of your whole internet footprint and check that everything you need to patch has been patched. Internet-connected services with unpatched security vulnerabilities are an unmanageable risk.”
  • have in place a plan in the event your supply chain is disrupted. Plan now for alternatives if one of your partners or suppliers suffers a wiper or other denial-of-service attack, resulting in unavailability of services.
  • secure your Domain Name System (DNS) service, the Internet’s phonebook. Be prepared for a denial-of-service attack on your primary DNS. Your organization should also be actively monitoring its DNS traffic for indicators of compromise, and to track malware, including the source and the infected endpoints. See our blog articles here and here, and presentation, and, e.g., CISA, Technical Approaches to Uncovering and Remediating Malicious Activity.

EBG is available to assist in connection with CISA’s and NCSC’s guidance and in preparing for near-term cyber risks. As CISA puts it: “While there are no specific or credible cyber threats to the U.S. homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies. Every organization—large and small—must be prepared to respond to disruptive cyber activity.”

Any questions may be directed to the author.

Brian G. Cesaratto is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH).

***************************

[1] See Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired (August 22, 2018).
