Threat Response: Situation in Ukraine
In our threat response of the 24th of February we informed you about the cyber component of the attacks on Ukraine. Since then, there have been some minor updates regarding the specific cyber threat. In this threat response, we would like to provide you with this update as well as inform you about the next steps to take.
Update on cyber threats
In addition to the malware we reported on earlier, some additional components of this malware have been identified. Additionally, a new wiper called IsaacWiper was identified. This does not change our earlier assessment: if your organization has network connections to Ukrainian, Belarusian or Russian locations or business units, there is a risk that your systems could be infected with this malware, or with other unknown and yet to be discovered malware. Northwave classifies the risk as high if there are network connections to Ukrainian, Belarusian or Russian locations or organizations. For the time being, it seems that these cyber-attacks are aimed only at Ukrainian organizations. Northwave considers the risk low for non-Ukrainian organizations that do not have locations or network connections in or with Ukraine, Belarus or Russia.
We have received reports of spearphishing and DDoS attacks taking place against non-Ukrainian media outlets. From what we can gather so far, we assess that these attacks take place with Russian-aligned interests in mind. We cannot attribute these attacks to specific actors.
For now, the risks and threats are vague and generic. Targets for attacks might shift from Ukrainian organizations only to other organizations, possibly depending on whether the country they are based in is sanctioning Russia. It is impossible to predict this accurately. Therefore, we advise you to prepare for attacks and incidents as you normally should.
If you have questions specific to the Ukraine situation, you can contact us at [email protected].
What can you do?
To help organizations better prepare and improve their ability to respond should the worst happen, we have identified the most important actionable measures to take right now. Again, please note that these measures are not based on the specific situation. They are steps every organization should take in order to be better equipped to handle incidents.
To help you with identifying and addressing a possible incident, ask yourself the following questions:
1 – Do we have an up-to-date incident response process and plan in place?
Make sure you have an up-to-date incident response process and plan in place to use when a security incident occurs. Within these, make sure the following items are clearly defined:
• The roles, tasks, and responsibilities during a security incident. Who do you absolutely need (including which suppliers) when a security incident occurs and what do they need to do? During an incident it is crucial that this division of roles and responsibilities is fully clear and that those involved are aware of it. We recommend having at least the following roles in place: a coordinator, a technical lead and a business lead.
• The escalation path. Who is going to call whom at which point, and who is in charge? At the time of an incident, internal escalation and communication are key to success. Make sure that the way of escalating, and to whom, is clear.
• Decision making. Who is responsible and mandated to make key decisions? During incidents, high-impact decisions will need to be made under high time pressure. Make clear agreements about who is allowed to make which decisions. Decisions that we see as key within the first 24 hours following an incident are: shutting down the network, defining priorities within systems and processes, and managing internal/external communication.
• External help/advice. Make sure you know how and when to bring in external help and what these parties can help you with. Consider forensic investigations or incident/crisis coordination assistance, and make sure that all those responsible know how to contact these parties at all times.
2 – Are our people prepared to act on an incident?
Incidents always occur at times when no one expects them, and when it is least convenient. Consider the following:
• Go through the incident process with the key participants. Make sure it is clear to everyone what their role is in the event of an incident. Investing time in this now will increase the likelihood that you act quickly as a team, as the steps to take are fresh in everyone's mind.
3 – Do we have the insight and overview of our organization?
As an organization, make sure you have an overview of key risks, assets, and the expected impact during an incident. At the time of an incident, many of the actions and decisions you need to take will require information. As a baseline, make sure you have the following:
• Critical processes. Have an overview of the most important processes, applications, systems, and servers that are involved in the operation of your organization.
• Asset list. Have an overview of the most important assets for the organization. Include servers, applications, and operating systems.
• Technical infrastructure overview. Have an overview of the organization's technical infrastructure, e.g. network drawings.
• Suppliers. Have an overview of your suppliers, including the services they provide and contact information for each.
4 – What measures can we take at this moment?
The best way to be prepared for an incident is to minimize the chance and impact of an incident.
• Enable detection measures. Map out what you do and do not currently monitor, and supplement this with additional detection measures where possible. Pay extra attention to possible exfiltration of data, which often occurs during cyber-attacks these days. EDR solutions such as ESET or Microsoft Defender are able to detect the malware mentioned in this threat response.
• Have offline backups and test them. Keep your backups offline as much as possible after they are created. Backups are hugely important for recovering after a cyber-attack, and we recommend you follow the 3-2-1 backup approach.
• Be extra alert to possible (spear)phishing attacks. Make employees aware that unusual communication from professional internal and external contacts can be an indication of an attack. Request employees to report any suspicious email to you or to Northwave.
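The 3-2-1 backup approach mentioned above means at least three copies of the data, on two different media types, with one copy off-site; the advisory adds that copies should be kept offline after creation and that restores should be tested. The following is an added example, not code from the advisory or from Northwave, that checks a backup inventory against those requirements. The inventory format (one dict per backup copy with name, media, location, offline flag and last restore-test date) and the sample inventory are constructed assumptions for illustration.

```python
from datetime import date

# Constructed sample inventory for a fictional organization (not from the advisory).
# Each entry is one backup copy; last_restore_test is an ISO date or None if never tested.
SAMPLE_INVENTORY = [
    {"name": "nas-nightly", "media": "disk", "location": "onsite",
     "offline": False, "last_restore_test": "2022-02-20"},
    {"name": "lto-weekly", "media": "tape", "location": "offsite",
     "offline": True, "last_restore_test": "2021-10-01"},
    {"name": "cloud-daily", "media": "cloud", "location": "offsite",
     "offline": False, "last_restore_test": None},
]


def _parse_day(value):
    """Accept either a date object or an ISO-8601 string such as '2022-03-02'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def check_321(inventory, today=None, max_test_age_days=90):
    """Evaluate a backup inventory against the 3-2-1 rule plus the advisory's
    'keep offline' and 'test them' points.

    Returns a list of (code, detail) findings. An empty list means:
    >= 3 copies, >= 2 media types, >= 1 off-site copy, >= 1 offline copy,
    and every copy has a restore test no older than max_test_age_days.
    """
    today = _parse_day(today) if today else date.today()
    findings = []

    # "3": number of copies
    if len(inventory) < 3:
        findings.append(("COPIES", f"only {len(inventory)} copies, need at least 3"))

    # "2": distinct media types (disk, tape, cloud, ...)
    media = {b["media"] for b in inventory}
    if len(media) < 2:
        findings.append(("MEDIA", f"only {sorted(media)} in use, need 2 media types"))

    # "1": at least one copy stored off-site
    if not any(b["location"] == "offsite" for b in inventory):
        findings.append(("OFFSITE", "no copy stored off-site"))

    # Advisory: keep backups offline after creation so a wiper or ransomware
    # running on the network cannot reach them
    if not any(b["offline"] for b in inventory):
        findings.append(("OFFLINE", "no copy is kept offline after creation"))

    # Advisory: test the backups; an untested or stale-tested copy is a finding
    for b in inventory:
        last = b.get("last_restore_test")
        if last is None:
            findings.append(("UNTESTED", f"{b['name']}: restore never tested"))
        else:
            age = (today - _parse_day(last)).days
            if age > max_test_age_days:
                findings.append(("STALE_TEST",
                                 f"{b['name']}: last restore test {age} days ago"))
    return findings


def is_321_compliant(inventory, today=None, max_test_age_days=90):
    """True only when check_321 reports no findings."""
    return not check_321(inventory, today, max_test_age_days)


if __name__ == "__main__":
    for code, detail in check_321(SAMPLE_INVENTORY, today="2022-03-02"):
        print(f"{code:<11} {detail}")
```

Run against the sample inventory as of 2022-03-02, the structural 3-2-1 checks pass (three copies, three media types, two off-site, one offline tape), but the tape copy's restore test is stale and the cloud copy has never been restore-tested, which is exactly the gap the advisory's "and test them" is pointing at. Feeding the function a real inventory export is a quick way to turn that recommendation into a repeatable check.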
5 – What measures can we expect to take as an organization during an incident?
During incidents, you can assume that actions must be taken at a rapid pace that may have an impact on the organization. To account for this, assess the following measures:
• Isolating affected systems. During incidents, affected systems should be isolated as soon as possible. In some cases, the only available route to mitigate the risk is to isolate all systems and disable all network connections.
• Changing credentials. Changing credentials is an important measure after a compromise. This may be limited to credentials linked to a compromised server, but in some cases all credentials within an organization should be reset.
• Communication. Deploying effective internal and external communications as a measure during an incident allows an organization to maintain control over the situation. Incidents often impact the business and will potentially be noticed by employees, partners, and external stakeholders. Communicating proactively will help you stay in control as an organization.
What will Northwave do?
For Northwave SOC customers using NIDS, or Endpoint Monitoring based on ESET or Microsoft Defender for Endpoint, Northwave is able to detect the currently known malware. Detection on endpoints requires an EDR agent (ESET or Defender for Endpoint) to be installed on the vulnerable host. Northwave is continuously updating our detection measures based on the latest information available.
Northwave will continue to monitor any developments regarding this situation. We will keep you up to date.
If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909
Disclaimer applies, see below.
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.