Shields Up Technical Guidance
Note: CISA will continue to update this webpage as we have further guidance to impart and additional reporting to share. Information contained on this webpage is provided “as-is” for informational purposes only. CISA does not endorse any company, product, or service referenced below.
Russia’s invasion of Ukraine, which has involved cyberattacks on Ukrainian government and critical infrastructure organizations, may impact entities both within and beyond the region. CISA and its Joint Cyber Defense Collaborative (JCDC) partners are responding to ongoing, disruptive cyber activities in connection with Russia's attack by documenting information on Russian threat actors, ransomware, destructive malware, distributed denial of service (DDoS) attacks, and Shields Up protective measures. A collection of technical resources is provided below for users and organizations to reference to stay up to date on the latest cyber threat activity in Ukraine.
In addition to reviewing the activities, see CISA's Shields Up webpage for steps to reduce future risk against these threats in the U.S. homeland.
Russian Threat Actors
Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian organizations, has enabled cyber actors to acquire sensitive data and disrupt daily operations. The resources listed below provide overviews of the Russian cyber landscape and recommendations on how other organizations and entities can prevent similar attacks.
|April 27, 2022||Microsoft: The hybrid war in Ukraine||Microsoft has released a blog detailing destructive Russian cyberattacks observed in a hybrid war against Ukraine.|
|March 7, 2022||Google: The hybrid war in Ukraine||Google’s Threat Analysis Group (TAG) has observed activity, ranging from espionage to phishing campaigns, from a host of Russian threat actors.|
|February 28, 2022||Microsoft: Cyber threat activity in Ukraine: analysis and resources (updated)||Microsoft has monitored escalating cyber activity in Ukraine to give organizations intelligence on potential attacks and information to implement proactive protections against future attempts.|
|February 4, 2022||Microsoft: ACTINIUM targets Ukrainian organizations||The Microsoft Threat Intelligence Center (MSTIC) shares information on a threat group named ACTINIUM, which has been operational for almost a decade and has pursued access to organizations in Ukraine or entities related to Ukrainian affairs.|
|January 20, 2022||Palo Alto Networks: Threat Brief: Ongoing Russia and Ukraine Cyber Conflict||Beginning on Jan. 14, reports emerged about a series of Russian cyber-attacks targeting numerous Ukrainian government websites. As a result of these attacks, numerous sites were found to be either defaced or inaccessible.|
|January 11, 2022||CISA: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure||This joint CISA, FBI, and NSA Cybersecurity Advisory warns organizations of Russian state-sponsored cyber threats and provides an overview of Russian cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations.|
CISA and JCDC partners have observed the increased use of ransomware in cyber-attacks on U.S. and international organizations. The resources below contain technical details, indicators of compromise (IOCs), and/or recommended mitigations to combat Russian ransomware threats.
|March 1, 2022||CrowdStrike: Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities||Destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at several organizations affected by the attack.|
|February 28, 2022||CISA: Conti Ransomware||CISA, FBI, and United States Secret Service have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.|
The resources below detail destructive malware used to destroy an organization’s critical assets and data. These highlighted publications include descriptions of Russian malicious cyber activity, technical details, and recommended mitigations.
|March 1, 2022||ESET Research: IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine||As the recent hostilities started between Russia and Ukraine, ESET researchers discovered several malware families targeting Ukrainian organizations. These destructive attacks leveraged at least three components: HermeticWiper, HermeticWizard, and HermeticRansom.|
|February 25, 2022||CrowdStrike: CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks||CrowdStrike Intelligence discovered new destructive malware known as DriveSlayer, and it’s the second wiper to affect Ukraine following the recent WhisperGate. DriveSlayer is digitally signed using a valid certificate and also abuses a legitimate EaseUS Partition Master driver to gain raw disk access and manipulate the disk to make the system inoperable.|
|February 25, 2022||SecureWorks: Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations||Secureworks® Counter Threat Unit™ (CTU) researchers investigated reports of disruptive activity that began targeting organizations in Ukraine. These attacks reportedly caused intermittent loss of access to government websites belonging to the Ukrainian Ministry of Foreign Affairs, Ministry of Defense, Security Service, Ministry of Internal Affairs, and Cabinet of Ministers.|
|February 24, 2022||IBM: IBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine||Symantec Enterprise reported that ransomware dubbed PartyTicket was deployed alongside the HermeticWiper malware. IBM Security X-Force obtained a sample of the PartyTicket ransomware and has provided technical analysis, indicators of compromise, and detections within the PartyTicket section of this blog.|
|February 24, 2022||Broadcom Software: Ukraine: Disk-wiping Attacks Precede Russian Invasion||A new form of disk-wiping malware (Trojan.Killdisk) was used to attack organizations in Ukraine shortly before the launch of the Russian invasion. Symantec, a division of Broadcom Software, has also found evidence of wiper attacks against machines in Lithuania. Sectors targeted included organizations in the financial, defense, aviation, and IT services sectors.|
|February 24, 2022||ESET Research: HermeticWiper: New data wiping malware hits Ukraine||A number of organizations in Ukraine have been hit by a cyberattack that involved new data-wiping malware dubbed HermeticWiper and impacted hundreds of computers on their networks, ESET Research has found.|
|February 23, 2022||Recorded Future: Second data wiper attack hits Ukraine computer networks||Two cybersecurity firms with a strong business presence in Ukraine—ESET and Broadcom’s Symantec—have reported that computer networks in the country have been hit with a new data-wiping attack.|
|February 23, 2022||SentinelOne: HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine||This blog includes the technical details of the wiper, dubbed HermeticWiper, and includes IOCs to allow organizations to stay protected from this attack.|
|February 23, 2022||CISA: New Sandworm Malware Cyclops Blink Replaces VPNFilter||In this Advisory, NCSC-UK, CISA, NSA and the FBI report that the malicious cyber actor known as Sandworm or Voodoo Bear is using new malware, referred to as Cyclops Blink. Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office routers and network-attached storage devices.|
|February 3, 2022||Palo Alto Networks: Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine||Given the current geopolitical situation and the specific target focus of Primitive Bear APT group, Palo Alto continues to actively monitor for indicators of their operations. In doing so, they have mapped out three large clusters of their infrastructure used to support different phishing and malware purposes. These clusters link to over 700 malicious domains, 215 IP addresses and over 100 samples of malware.|
|January 28, 2022||CrowdStrike: Lessons Learned From Successive Use of Offensive Cyber Operations Against Ukraine and What May Be Next||This blog evaluates major disruptive events against Ukrainian interests in the past and attempts to forecast likely forms and outcomes of future Russian operations within the region.|
|January 15, 2022||Microsoft: Destructive malware targeting Ukrainian organizations||Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022.|
This section lists resources on other malware from advanced persistent threat (APT) groups.
- Trend Micro: Cyclops Blink Sets Sights on Asus Routers
Distributed Denial of Service (DDoS)
DDoS attacks crash websites or online services by flooding sites with too much traffic, overwhelming networks and thus making them inoperable. The resources below provide more information on DDoS attacks by known Russian state-sponsored actors.
|March 10, 2022||SecurityScorecard: Discovers new botnet, ‘Zhadnost,’ responsible for Ukraine DDoS attacks||SecurityScorecard has identified three separate DDoS attacks which all targeted Ukrainian government and financial websites leading up to and during Russia’s invasion of Ukraine. Details of these DDoS attacks have not yet been publicly identified.|
|March 7, 2022||Zscaler: DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense (updated)||A threat actor using DanaBot has launched a DDoS attack against the Ukrainian Ministry of Defense’s webmail server. It is unclear whether this is an act of individual hacktivism, state-sponsored, or possibly a false flag operation.|
Organizations should be prepared to respond to disruptive cyber activity. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyber-attacks. We encourage everyone to put their Shields Up and take proactive steps to protect against active threats.
- CISA: Strengthening Cybersecurity of SATCOM Network Providers and Customers
- CISA: Russia Cyber Threat Overview and Advisories
- CISA: Free Cybersecurity Services and Tools
- CISA: Technical Approaches to Uncovering and Remediating Malicious Activity
- MS-ISAC: Protecting Against Potential Russian Cyber-Attacks: Guidance for SLTT Entities
- Broadcom: Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
- Cisco: Cisco stands on guard with our customers in Ukraine
- F5 SIRT: K42406850: F5 SIRT response to the Ukraine crisis
- IBM: An Update on the Russia/Ukraine Situation
- Mandiant: Ukraine Crisis Resource Center https://www.mandiant.com/resources/insights/ukraine-crisis-resource-center
- Microsoft: Digital technology and the war in Ukraine
- NSA: Stop Malicious Cyber Activity Against Connected Operational Technology
- Palo Alto Networks: Russia-Ukraine Crisis: How to Protect Against the Cyber Impact
- SecureWorks: Russia-Ukraine Crisis
- Splunk: Cybersecurity and the War in Ukraine
Report Activity Related to this Threat
CISA encourages all organizations to urgently report any additional information related to these threats. Users and administrators should flag associated activity, report the activity to CISA (see below) or FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.
- 1-888-282-0870 (From outside the United States: +1-703-235-8832)
- Report@cisa.gov (UNCLASS)
When cyber incidents are reported quickly, CISA and JCDC partners can use this information to render assistance and help prevent other organizations and entities from falling victim to a similar attack.