H-ISAC TLP:White Threat Bulletins April 29, 2022

On April 28, 2022, an update to the Joint Cybersecurity Advisory (CSA), AA22-057A, by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) was released to include additional Indicators of Compromise (IOCs) for WhisperGate and technical details for HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware, all of which have been deployed against Ukraine since January 2022.

Additionally, specific malware analysis reports (MAR) are provided within the report for the various malware groups below:

• HermeticWiper
• IsaacWiper and HermeticWizard
• CaddyWiper

On January 15, 2022, the Microsoft Threat Intelligence Center (MSTIC) disclosed that malware, known as WhisperGate, was being used to target organizations in Ukraine. According to Microsoft, WhisperGate is intended to be destructive and is designed to render targeted devices inoperable.

On February 23, 2022, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record, which results in subsequent boot failure.

On February 26, 2022, the United States Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory (CSA), AA22-057A, discussing the destructive malware deployed by threat actors against Ukraine organizations to destroy computer systems and render them inoperable prior to Russia invading Ukraine.

Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.

Health-ISAC is releasing this intelligence report for your increased geopolitical and security awareness. This joint Cybersecurity Advisory (CSA) provides information on WhisperGate and HermeticWiper malware as well as open-source indicators of compromise (IOCs) for organizations to detect and prevent the malware. Additionally, this joint CSA provides recommended guidance and considerations for organizations to address as part of network architecture, security baseline, continuous monitoring, and incident response practices.

Indicators of Compromise have been entered into Health-ISAC's automated sharing platform for those members ingesting automated threat indicators. For posterity, the full PDF report is attached to this alert, and can also be accessed here.

Threat actors have deployed destructive malware, including both WhisperGate and HermeticWiper, against organizations in Ukraine to destroy computer systems and render them inoperable. Listed below are high-level summaries of campaigns employing the malware. CISA recommends organizations review the resources listed below for more in-depth analysis and see the Mitigation section for best practices on handling destructive malware.

On January 15, 2022, Microsoft announced the identification of a sophisticated malware operation targeting multiple organizations in Ukraine. The malware, known as WhisperGate, has two stages that corrupts a system’s master boot record, displays a fake ransomware note, and encrypts files based on certain file extensions. Although a ransomware message is displayed during the attack, Microsoft highlighted that the targeted data is destroyed, and is not recoverable even if a ransom is paid.

For additional information on Microsoft’s blog regarding destructive malware targeting Ukrainian organizations, please see the report here.

On February 23, 2022, cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record and resulting in subsequent boot failure. HermeticWiper was discovered to have similarities to the earlier WhisperGate attacks against Ukraine in which the wiper was disguised as ransomware, according to Broadcom.

Read the full report below.