The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) updated their advice on the WhisperGate and HermeticWiper malware variants in a joint alert released this weekend.
The federal authorities issued a warning to US organizations and corporations after WhisperGate and HermeticWiper were identified being used against Ukrainian groups in the run-up to Russia's invasion of the country.
According to CISA and the FBI, there is no specific, credible threat currently targeting companies in the United States.
"In the wake of ongoing denial of service (DoS) and destructive malware attacks targeting Ukraine and other countries in the region, CISA has been working hand-in-hand with our partners to identify and quickly share information about malware that could threaten the operations of critical infrastructure here at home," says CISA Director Jen Easterly.
"Our public and private sector partners, as well as international computer emergency readiness team (CERT) partners and our long-time friends at the FBI, are all working together as part of the Joint Cyber Defense Collaborative (JCDC) to help businesses reduce their cyber risk."
According to CISA, US businesses should take preventive measures such as enabling multifactor authentication, deploying antimalware software, filtering spam, keeping software updated, and filtering network traffic.
A joint advisory from CISA and the National Institute of Standards and Technology addresses the destructive malware targeting Ukrainian organizations. CISA's Shields Up webpage has been updated with additional services and information, as well as recommendations for corporate leaders and measures to protect vital assets.
CISA has also published a new Shields Up Technological Guidance webpage, which provides more information on the different cyberattacks Ukraine is currently facing, along with technical mitigations for those threats.
"The FBI, in concert with our federal partners, continues to discover hostile cyber activity that targets our critical infrastructure sector," stated Assistant Director Bryan Vorndran of the FBI Cyber Division.
"We continue to exchange information with our public and private sector partners and encourage them to report any suspicious activity as part of our ongoing efforts to disrupt and mitigate these risks (which we cannot do on our own). Organizations are encouraged to continue to improve their systems in order to avoid any major setbacks in the event of an incident."
Hundreds of systems at at least two Ukrainian government agencies were wiped in a January cyberattack that employed the WhisperGate malware. According to a detailed blog post by Microsoft on the matter, WhisperGate was first discovered on January 13th. A number of security firms have issued warnings and carried out investigations into the malware since its discovery.
According to a follow-up analysis by CrowdStrike, the malware's purpose is to "irreversibly destroy the data of the infected hosts while attempting to masquerade as actual ongoing ransomware operations."
According to CrowdStrike, "the WhisperGate bootloader does not include a decryption or data recovery mechanism, and therefore is incompatible with malware that is commonly employed in ransomware operations."
"Similar activities were observed in VOODOO BEAR's destructive NotPetya malware, which included a component that pretended to be a genuine version of Microsoft's chkdsk utility and corrupted the infected host's Master File Table (MFT), which is an essential component of Microsoft's NTFS file system, after the host was rebooted. The WhisperGate bootloader, on the other hand, is less advanced, and at present there is no technological overlap between it and the VOODOO BEAR activities."
Kitsoft, the company that built around 50 of Ukraine's government websites, said it discovered the WhisperGate infection in its own systems.