Russian Cyberattacks on Ukrainian Assets: What You Need to Know


This week, Russia sent its army to invade various parts of Ukraine along the country’s borders. This invasion, prompted in part by Russia’s annexation of Crimea in 2014 and its proclamation of two republics in the east of the country, the Donetsk People’s Republic and the Luhansk People’s Republic, as Russian territory, is an escalation that includes an aggressive cyberattack component.

How is Russia’s invasion of Ukraine affecting the cybersecurity landscape?

Several Ukrainian banks and ministries have become completely inaccessible due to Distributed Denial of Service (DDoS) attacks, the activity of a new malicious wiper called “HermeticWiper” and another new malware called “Cyclops Blink”. Various threat intelligence sources attribute this activity to the Russian advanced persistent threat groups APT28, APT29 and Sandworm.

How does this affect US cybersecurity?

Current guidance from the Cybersecurity & Infrastructure Security Agency (CISA) states that there is no credible intelligence regarding cyberattacks on US organizations. Organizations should nevertheless remain vigilant, especially if they perform critical infrastructure roles or conduct business transactions with government entities or with Ukraine.

What types of attacks should I watch out for?

Phishing tends to be the most popular way for bad guys to deploy their malware. Here are two specific types of attacks that we have seen Russia use:

HermeticWiper

HermeticWiper deploys a signed driver that releases a wiper to wipe Windows devices after deleting shadow copies and manipulating the Master Boot Record (MBR). HermeticWiper telemetry shows that the malware has been installed on hundreds of machines in Ukraine. The malware’s creation timestamp is December 28, 2021, implying that the attack may have been planned since at least that date.

SentinelOne published a review of HermeticWiper and states that SentinelOne users are protected against this threat and no action is required. Technical details and IOCs for HermeticWiper can be found here.
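As an added example, not code from the original post or from SentinelOne, here is a small Python hunt over constructed process-creation log records that flags the two behaviours described above, shadow-copy deletion and raw access to the boot disk where the MBR lives. The JSON record format, the field names and the command-line patterns are assumptions for illustration, not IOCs from the post.

```python
import json
import re

# Commonly documented command lines for deleting Volume Shadow Copies.
# These are assumed illustrative patterns, not indicators taken from the post.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
    r"Win32_ShadowCopy.*\.Delete\(\))",
    re.IGNORECASE,
)
# A raw handle to a physical disk is the usual route for overwriting the MBR.
RAW_DISK = re.compile(r"\\\\\.\\PhysicalDrive\d+", re.IGNORECASE)


def classify(record: dict) -> list:
    """Return the suspicious behaviours found in one log record."""
    cmd = record.get("command_line", "")
    target = record.get("target_object", "")
    findings = []
    if SHADOW_DELETE.search(cmd):
        findings.append("shadow_copy_deletion")
    if RAW_DISK.search(target):
        findings.append("raw_boot_disk_access")
    return findings


def hunt(lines: list) -> list:
    """Parse JSON log lines (malformed lines are skipped) and return the hits."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in the feed
        found = classify(rec)
        if found:
            hits.append({"host": rec.get("host"), "image": rec.get("image"), "findings": found})
    return hits


# Constructed sample records for illustration; not real telemetry.
SAMPLE_LOGS = [
    '{"host":"ws01","image":"C:\\\\Windows\\\\System32\\\\vssadmin.exe","command_line":"vssadmin.exe delete shadows /all /quiet","target_object":""}',
    '{"host":"ws01","image":"C:\\\\Users\\\\Public\\\\updater.exe","command_line":"updater.exe","target_object":"\\\\\\\\.\\\\PhysicalDrive0"}',
    '{"host":"ws02","image":"C:\\\\Windows\\\\System32\\\\svchost.exe","command_line":"svchost.exe -k netsvcs","target_object":""}',
    "not json at all",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```

Feeding real Sysmon or EDR process-creation events into `hunt` only requires mapping their fields onto `command_line` and `target_object`.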

Cyclops Blink

Cyclops Blink, believed to be deployed by Sandworm, has currently been seen targeting WatchGuard devices, but could likely be modified to target others as well. If infected, Cyclops Blink persists across reboots and throughout the legitimate firmware update process.

WatchGuard has worked closely with the FBI, CISA, and NCSC, and provided tools/advice to enable detection and removal of Cyclops Blink on WatchGuard devices through a non-standard upgrade process. At the time of writing, it is estimated that approximately 1% of WatchGuard firewall appliances are affected.

WatchGuard provided “simple and easy to implement” steps, Cyclops Blink detection tools, and a four-step diagnosis and remediation plan to help customers diagnose and remediate if necessary. These tips/guidance can be found here.

What is Nuspire doing to keep itself and its customers safe?

Nuspire has multiple sources of intelligence across endpoint, network, and cloud assets. We are actively hunting for threats internally and on client devices for any IOCs and will continue to search for new IOCs as they become available. Our SOC is on heightened alert and sensitive to ongoing active hunts under our Nuspire services. At the time of writing, Nuspire has no known vulnerabilities to the mentioned threats.

What does Nuspire recommend I do to protect my data?

It is important to remain vigilant. Be sure to patch systems that need to be patched. Now would also be a good time to implement any cybersecurity strategies you might have put on the back burner. You should also consider disabling any critical non-commercial services that are exposed to minimize attack vectors. And beware of emails containing suspicious attachments or phishing lures, as these are often used as initial infection vectors.

Future updates

Nuspire will continue to monitor the situation and provide updates on credible threats as they emerge.

The post Russian Cyberattacks on Ukrainian Assets: What You Need to Know appeared first on nuspired.

*** This is a syndicated blog from the Security Bloggers Network of nuspired written by the Nuspire team. Read the original post at:
