Secureworks FAQ: Russian Activity in Ukraine
By: Counter Threat Unit Research Team
Last Updated: June 30, 2022
On February 24, 2022, Russia began a military incursion into Ukraine. On February 23 there were ongoing distributed denial-of-service (DDoS), website defacement, and malware wiper attacks targeting Ukrainian government and financial services institutions. This follows similar attacks that occurred in mid-January (including the “WhisperGate” wiper) and earlier in February.
Q. What is the threat to Secureworks® customers?
Russian military operations are likely to include a cyber component. As an example, they may seek to degrade Ukrainian communications networks or critical infrastructure. It is likely that those cyber operations will be targeted, and therefore, are unlikely to impact Secureworks customers other than those who may rely on Ukrainian critical services.
It is highly likely that there will be a response from the U.S., UK, and other European nations, including further economic sanctions. In retaliation, there is the potential for reprisal cyberattacks conducted by Russian government-backed groups or independent pro-Russia threat actors against organizations involved in implementing those sanctions.
Q. What should customers do?
Due to the rapidly deteriorating security situation in Ukraine and the speed at which cyberattacks can unfold, customers are strongly advised to consider logically separating business operations located in Ukraine from other global networks. This includes severing any persistent VPN connections or remote network shares to suppliers or business partners with operations located in Ukraine. Organizations with operations in Ukraine should also prepare for continuity of operations in the case of power disruptions or loss of other business-critical services.
In view of the potential for reprisal attacks in response to any Western sanctions or military response, customers are advised to:
- Review their business continuity plans and restoration processes in the event of ransomware-style or wiper malware attacks.
- Maintain fundamental security practices such as patching internet-facing systems against known vulnerabilities, implementing and maintaining antivirus solutions, and monitoring endpoint detection and response solutions.
- Monitor for and follow advice issued by the U.S. State Department or their equivalent government department / ministry of foreign affairs.
Q. What is Secureworks doing? How am I (as a customer) protected?
The Secureworks Counter Threat Unit™ (CTU) has been tracking Russian threat groups for many years and has built up an extensive knowledge of tools and techniques leveraged by these groups, and countermeasures to detect them. Those groups are profiled on our website at www.secureworks.com/research/threat-profiles.
CTU™ researchers are actively working on threats that could be related to the escalating conflict and are collaborating closely with the U.S. Joint Cyber Defense Collaborative, and other public and private sector partners. Numerous threat intelligence products have been published since mid-January, including an advisory on Monday, February 21. The information available so far indicates that the wiper activity reported in Ukraine has been specifically targeted at Ukrainian government entities and financial services.
For customers using our solutions like Secureworks Taegis, our research team has many existing countermeasures to detect known tools used by Russian threat groups. However, the activity targeting Ukraine will likely employ previously unobserved tools. CTU researchers are analyzing reported threats and developing new countermeasures as appropriate; endpoint countermeasures have been developed for the wiper malware reported on February 23.
Q. Can I get a report specific to my company on the situation?
Due to the challenges of being able to provide detailed guidance based on the specifics of any one organization's security control framework, we are unable to provide specific reports. Organizations are encouraged to review the recommendations and advice issued by the CTU and apply that to their specific context. Secureworks-managed controls will benefit from CTU intelligence applied in the form of countermeasures and known threat indicators, and customers will be alerted to any identified activity in accordance with usual escalation procedures.
Q. Can we have extra vigilance for any activity sourcing from Ukraine or Russia into our networks?
Yes — Secureworks is operating at a heightened state of vigilance for all customers given the situation in Ukraine. Organizations will be alerted to suspicious events in accordance with existing escalation processes. It is important to note that cyberattacks often do not originate from the geography responsible for conducting them; geo-blocking traffic based on its origin country is not an effective defense. However, CTU researchers will continue to apply known threat indicators to managed controls.
Q. We're seeing reports of DDoS attacks outside of Ukraine, for example in Australia. Is this related?
There is the potential for reprisal attacks in response to any Western military response or economic sanctions. We assess it unlikely that Russia will want to get drawn into tit-for-tat cyberattacks with Western nations, and that its focus is more likely to be on achieving its military objectives in Ukraine with minimal Western/NATO intervention. That said, there is the potential for pro-Russia actors operating independently of the state to conduct DDoS or other disruptive attacks. Organizations, particularly those involved in implementing Western sanctions, should be vigilant.
Q. Do you anticipate other threat actors not related to Russia using this situation as a smokescreen?
Potentially. We believe the most likely ongoing high threat for most organizations remains post-intrusion ransomware attacks. Some organizations will also continue to be a target for government-backed threat groups. We may see some of those threat actors incorporate this situation into phishing lures or other social engineering techniques. For most organizations, those threats will continue to be the priority focus areas, and it’s important that vigilance is maintained across the board and the situation in Ukraine doesn’t become too much of a distraction.
Q. To which controls do your countermeasures apply?
The Secureworks Counter Threat Unit™ (CTU) has developed more than 40 countermeasures as a direct result of this effort, in addition to our extensive library of pre-existing countermeasures designed to detect and defend against threats of many kinds. These countermeasures leverage the full breadth of Secureworks® detection capabilities in both our CTP and Taegis™ platforms. This includes RedCloak™ endpoint specific countermeasures, Taegis and CTP platform countermeasures, and network-based countermeasures such as iSensor signatures.
Q. How quickly are signatures being deployed?
As we monitor the situation, the Secureworks CTU™ is actively working on countermeasure coverage for threats as soon as we identify them. In close connection with our customers and partners, we take any information that can be used for network defense and translate these insights into CTP and Taegis countermeasures. Due to the dynamic nature of this event, the timeframes for countermeasure development depend on many factors, including how complete the information is that we have about a specific threat, the time it takes to research and validate this information, and the time it takes to actually create the detections in our various platforms. These activities take time, but our Secureworks CTU is working hard to deploy accurate detections in a timely manner.
Q. Are you applying your controls to all customers or just a subset of them?
Our goal is to spread our protection as wide as we can, so we apply countermeasures to the widest set of customers and partners possible. This means all countermeasures made in response to this event have been applied to all customers where possible.
Q. Would it be a good idea to geo-block all Russian and Ukrainian IP addresses on our firewalls?
If there is no reason for your organization to receive traffic originating from a particular country or region, then blocking all IPs that geo-locate to that country or region is not going to do any harm and may reduce some “noise.” However, that step alone should not be considered an effective preventive control. Even where it may be initially successful, it is relatively trivial to bypass.
Typically, attackers will use infrastructure located all over the world, whether that is to make their activities harder to attribute, easier to blend in with what might be considered legitimate traffic, or to take advantage of faster and more reliable internet infrastructure. In fact, for targeted attacks we almost never see the network traffic originating from the country responsible for conducting the attack. As a more robust preventive control, organizations may consider allow-listing – i.e., only permitting traffic to known and approved internet resources – rather than blocking.
Q. Where can I find indicators relating to this threat?
Secureworks is compiling a list of verified indicators associated with this threat, derived from our own research and from third party reporting. The current list of indicators is available here: https://github.com/secureworks/ukraine-crisis/blob/master/ukraine-crisis-iocs.tsv
It is important to stress, however, that we would expect subsequent cyber activity to use previously unobserved tools and infrastructure. It is important that organizations have controls such as endpoint monitoring and intrusion detection system sensors that can identify behaviors, not just atomic indicators. Doing so will provide more effective and enduring protection than relying on indicator lists.
Q. Is Secureworks conducting threat hunts based on what you’ve seen so far?
Secureworks has performed retroactive searches against customer-provided data for known threat indicators, based on the available intelligence. This includes the wiper activity observed on February 23. These searches continue until corresponding countermeasures can be created, at which point the countermeasures will detect any occurrences of known threats. As new intelligence is gathered, we will continue to perform these indicator searches and transform them into new countermeasures.
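A retroactive indicator search of the kind described in this answer, driven by a TSV indicator list like the one linked in the "Where can I find indicators" answer above, as an added example that is not Secureworks code. The three-column layout (type, value, description) is an assumption about the file format, and the indicators and log lines are constructed samples; tokens are matched whole, so a near-miss address such as a longer IP that merely contains an indicator does not produce a false hit.

```python
import csv
import io
import re

# Constructed indicator list in the ASSUMED three-column TSV layout
# (type, value, description); these values are samples, not real IoCs.
SAMPLE_HASH = "0123456789abcdef" * 4
SAMPLE_IOC_TSV = (
    "type\tvalue\tdescription\n"
    "ip\t198.51.100.23\tconstructed sample C2 address\n"
    "domain\tUpdates.Example.Invalid\tconstructed sample staging host\n"
    f"sha256\t{SAMPLE_HASH}\tconstructed sample wiper binary\n"
)

# Constructed log lines; line 2 is a near-miss that naive substring
# matching would wrongly flag (198.51.100.230 contains 198.51.100.23).
SAMPLE_LOGS = [
    "2022-02-23T14:02:11Z fw allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2022-02-23T14:02:12Z fw allow src=10.0.0.5 dst=198.51.100.230 dport=443",
    "2022-02-23T14:05:40Z dns query host=updates.example.invalid rcode=NOERROR",
    f"2022-02-23T14:06:02Z edr process=C:\\Temp\\svc.exe sha256={SAMPLE_HASH}",
    "2022-02-23T14:07:15Z proxy GET https://www.example.org/ status=200",
]

# One tokenizer per indicator type so only whole tokens are compared.
TOKEN_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
}


def load_indicators(tsv_text):
    """Parse the TSV into {type: {normalised value: description}}."""
    by_type = {}
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        values = by_type.setdefault(row["type"].strip().lower(), {})
        values[row["value"].strip().lower()] = row["description"].strip()
    return by_type


def search_logs(log_lines, indicators):
    """Return (line_no, type, value, description) for each exact hit."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for ioc_type, pattern in TOKEN_PATTERNS.items():
            known = indicators.get(ioc_type, {})
            for token in sorted(set(pattern.findall(line))):
                description = known.get(token.lower())
                if description is not None:
                    hits.append((line_no, ioc_type, token.lower(), description))
    return hits
```

Call `search_logs(SAMPLE_LOGS, load_indicators(SAMPLE_IOC_TSV))` to see the three hits on lines 1, 3 and 4; the near-miss on line 2 is correctly left alone.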
Q. What’s the risk to organizations outside of Ukraine from reprisal attacks?
It is possible that the impact of Western sanctions or of cyberattacks conducted against Russian entities by pro-Ukraine threat actors will lead to retaliatory attacks against Western organizations. For example, ransomware groups such as GOLD ULRICK (which operates the Conti ransomware-as-a-service scheme) have threatened to bring their capabilities to bear “in defense of Russia.” The reality, of course, is that these financially motivated groups are already doing everything they can to extort money from organizations outside of Russia, so the threat from these groups has not changed. It remains important that organizations are vigilant, review their business continuity plans, and ensure that they have implemented fundamental controls around patching, multi-factor authentication and endpoint detection and response.
Q. For customers with operations in Russia, how are they likely to be affected?
There are several elements to this. First, economic sanctions implemented by the U.S., EU, and others are having an impact on companies operating in Russia. Secureworks® advises organizations to carefully review those sanctions to identify any impact specific to them. Organizations should also monitor for any updates or announcements by service delivery partners, who are likely reviewing their own postures in light of the sanctions that have been announced so far, and any that might follow.
Second, it is likely that Russia will attempt to implement its own counter sanctions or pass legislation that could impact organizations with physical locations in Russia or those selling into Russian markets. The proposed changes could include the seizure of assets of departing companies. Organizations with employees in the country should be aware that they will be at potential risk of criminal prosecution should they contradict the Russian government narrative around the actions it has taken in Ukraine.
Third, Russia has for some time been prioritizing control over its technology supply chain and internet infrastructure, for example through the 2019 Sovereign Internet Law. This drive to minimize reliance on non-Russian infrastructure and other providers, and to gain comprehensive control over what Russian citizens are permitted to do on the internet, is likely to intensify because of the current situation. It is unclear what impact this desire for data sovereignty might have, but it is conceivable that it could affect, for example, Russian regulations around the provision of services and supplier selection for organizations operating in Russia.
At the very least, organizations that intend to continue to operate in Russia should consider their business continuity plans and alternative options to ensure safety of personnel, security of property and continued delivery of services as a result of counter-sanctions or laws imposed by the Russian government.
Q. Is FoxBlade a new wiper that has been deployed in Ukraine?
FoxBlade is a Microsoft Defender Anti-virus detection name referenced in a Microsoft blog dated February 28, 2022. Secureworks CTU™ researchers have confirmed that FoxBlade signatures detect the HermeticWiper malware. Microsoft may be aware of additional components linked to HermeticWiper that may also be detected by their FoxBlade signatures, but CTU researchers have no evidence to suggest that FoxBlade refers to a completely different wiper.
Q. How might the rise of “hacktivism” impact Secureworks customers?
In response to the military invasion of Ukraine, several threat actors including the Anonymous Collective and the IT Army of Ukraine, supported by Ukraine’s Ministry of Digital Transformation, have declared support for Ukraine and allegedly started targeting state and commercial organizations in Russia or tied to Russia. Other threat actors, such as a collective calling itself Killnet, have expressed their support for Russia and have reportedly conducted cyber operations against Western organizations in several countries.
These operations are typically intended to disrupt or embarrass, often taking the form of denial of service attacks against internet-facing infrastructure or public disclosure of stolen documents. Despite tending to attract media attention, they are mostly low sophistication and low impact, and details of the attacks and claims of success are typically hard to independently verify. Nevertheless, organizations that consider themselves at risk, for example because they are at the frontline of sanctions or critical infrastructure in countries that might attract hostility from Russia, should consider their preventive strategy for disruptive attacks, including potentially engaging a dedicated DDoS mitigation service.
Q. What impact might the Ukraine conflict have on neighboring EU countries?
Cyber activity related to the Ukraine conflict, for the most part, has impacted targets in Ukraine and Russia. Beginning in mid-January 2022, disruptive cyberattacks were experienced by a range of government and private sector entities. A number of those operations were carried out by Russian nation state threat groups, possibly in a coordinated manner, coinciding with Russian military operations in Ukraine. In at least one case, a wiper attack had a collateral effect on entities in bordering countries.
A wiper attack against satellite communications provider VIASAT was conducted on February 24, 2022, the eve of Russia’s ground invasion into Ukraine. Tens of thousands of VIASAT KA-SAT modems throughout Ukraine and other European Union member countries were rendered inoperable, including KA-SAT devices responsible for the monitoring and control of over five thousand wind turbines in Germany.
On May 10, 2022, the European Union and its member states, along with the U.S. and UK governments, condemned the VIASAT and January 14 WhisperGate wiper attacks, assessing with high certainty that they were carried out by Russia’s military intelligence agency (aka GRU). Secureworks CTU lacks direct evidence to confirm this attribution but assesses that Russia’s GRU has multiple units with the capabilities and charter to conduct such operations, including IRON VIKING (aka IRIDIUM, ELECTRUM, Sandworm, VOODOO BEAR) and IRON TWILIGHT (aka STRONTIUM, APT28, FANCY BEAR).
A protracted war in Ukraine will likely see further cyber activity intended to aid kinetic military operations or disrupt critical infrastructure functions. Both carry the possibility of intended or unintended spillover impact. Secureworks clients with operations or business relationships in Ukraine, Russia, or in neighboring states should regularly review their business continuity and disaster recovery plans to ensure readiness and resiliency.