QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Russia uses destructive cyber-attacks in Ukraine, doesn’t respect geographical boundaries

As Russia invades Ukraine, the National Cyber Security Centre (NCSC) warned UK organisations to prepare for Russian cyber-attacks. How concerned should we be?

Cyber-attacks, phishing attempts and particularly ransomware are not new. Proofpoint’s 2022 State of the Phish report points out that 91% of UK organisations were successfully compromised by an email phishing attack last year. According to the January 2022 Advanced Threat Research Report from Trellix, the financial sector was the most targeted sector, seeing 22% of ransomware and 37% of advanced persistent threat (APT) detections – followed by utilities, retail and government. Notwithstanding the geopolitical tensions in Ukraine, Russian and Chinese nation-state-backed groups were believed to be responsible for nearly half (46% combined) of all observed APT threat activity, according to the Trellix research.

The US Cybersecurity Infrastructure Security Agency (CISA) stated: “Public and private entities in Ukraine have suffered a series of malicious cyber incidents, including web defacement and private sector reports of potentially destructive malware on their systems.”

This was confirmed by the Ukraine Cyber Unit of the SSU Lviv Office who carried out investigations together with the National Police investigators under the supervision of Halych District Prosecutor’s Office, as reported by the SSU.

US President Biden responded, “If they continue to use cyber efforts, well, we can respond the same way, with cyber.”

Lindy Cameron, Chief Executive of the NCSC remarked this week, “Cyber-attacks do not respect geographic boundaries”.

The United States Department of Justice (DoJ) has revealed new policies that may see it undertake pre-emptive action against cyber threats. US Deputy Attorney General Lisa O Monaco, in a speech at the recent Munich Cyber Security Conference, said the policy will see prosecutors, agents and analysts assess "whether to use disruptive actions against cyber threats, even if they might otherwise tip the cybercriminals off and jeopardise the potential for charges and arrests." She added that DoJ personnel are to work directly with partners, such as at US Cyber Command and elsewhere, "to achieve unity of purpose and unity of action."

Sandworm and Cyclops Blink

A few weeks ago, Microsoft announced that its researchers had discovered destructive "wiper" malware on dozens of Ukrainian government and tech organisation platforms. This looks like ransomware and smells like ransomware, but is in fact destructive wiper malware, a variant of the infamous NotPetya malware. In 2017, NotPetya was identified by the US authorities as a creation of the Russian GRU's Sandworm group; it caused widespread damage to critical infrastructure.

Hybrid cyber warfare actors are well funded, highly skilled and very experienced in this type of tradecraft, having exercised their capability close to home for many years. Sandworm (also tracked as Voodoo Bear, BlackEnergy, and TeleBots) is an elite Russian-sponsored cyberespionage group active since the mid-2000s. Its members are believed to be military hackers who are part of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). This hacking group has been linked to the BlackEnergy malware behind the Ukrainian blackouts of 2015 and 2016 [123].

This group, and other geopolitical proxies allied to Russia, will cause significant disruption to organisations and their supply chains caught up in the overspill of this conflict. Destructive malware, sometimes called wiper malware, has the ability to destroy all data stored on a system and to make that data impossible to recover. Attacks are indiscriminate and can be widespread, as the targeted tech infrastructure and software applications used within Ukraine are also used elsewhere in the world, underpinning the global digital economy.

Today, further guidance has been issued in a joint advisory led by the UK NCSC.

"The malware dubbed Cyclops Blink appears to be a replacement for the VPNFilter malware exposed in 2018, and its deployment could allow Sandworm to remotely access networks," the UK NCSC said today. "In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread," the joint advisory adds.

"The actor has so far primarily deployed Cyclops Blink to WatchGuard devices, but it is likely that Sandworm would be capable of compiling the malware for other architectures and firmware."

WatchGuard issued its own advisory today, saying that Cyclops Blink may have affected roughly 1% of all active WatchGuard firewall appliances, which are devices mainly used by business customers. The malware uses the infected devices' legitimate firmware update channels to maintain access to compromised systems by injecting malicious code and deploying repacked firmware images.

"Cyclops Blink persists on reboot and throughout the legitimate firmware update process. Affected organisations should therefore take steps to remove the malware," the agencies added. "WatchGuard has worked closely with the FBI, CISA and the NCSC, and has provided tooling and guidance to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process."

All accounts on infected devices should be assumed to be compromised, and organisations should immediately remove Internet access to the management interface of affected network devices.

Organisations and their security leaders must get ahead of the ask now

Cyber security is changing. It’s no longer enough to secure your systems and simply make your people "aware". They must know what to do. Training and testing your people is the only way to get real resilience; they’re the ones who react when your perimeters are breached. It’s vital to test and train cross-functional situational awareness and help teams prepare for the worst, from the basement to the board.

When crisis hits, your people need to be ready. Active resilience plays a massive role in company security. By training your employees and playing out plans, you’re turning them into fire breaks that defend your entire organisation. Investing in your human firewall is an imperative, because right here, right now, global cybersecurity leaders are calling for a cultural shift into shared responsibility.

Any sector going into crisis requires working with new allies immediately. Organisations are going to have to work with agencies and teams they've never had to before, because as problems grow more complex, the effort of even the most talented team is not enough on its own. When working in a volatile and uncertain environment, multi-team collaboration is what sets you apart from your adversaries.

Jen Easterly, Director of US Cybersecurity and Infrastructure Security Agency (CISA), says, “A complex and evolving cyber threat landscape requires a unified response.”

At a glance: NCSC Ukraine security crisis advice

  • Keep system patches up to date
  • Enable multi-factor authentication
  • Ensure backups are in place
  • Implement an “effective” incident response plan
  • Stay up to date with the latest threat and mitigation information

For NCSC actions to take when the cyber threat is heightened, full details can be found here.

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.
