Blog

Shields Up Technical Guidance

Released

Note: CISA will continue to update this webpage as we have further guidance to impart and additional reporting to share. Information contained on this webpage is provided “as-is” for informational purposes only. CISA does not endorse any company, product, or service referenced below.

Russia’s invasion of Ukraine, which has involved cyberattacks on Ukrainian government and critical infrastructure organizations, may impact entities both within and beyond the region. CISA and its Joint Cyber Defense Collaborative (JCDC) partners are responding to ongoing, disruptive cyber activities in connection with Russia's attack by documenting information on Russian threat actors, ransomware, destructive malware, distributed denial of service (DDoS) attacks, and Shields Up protective measures. A collection of technical resources is provided below for users and organizations to reference to stay up to date on the latest cyber threat activity in Ukraine. 

In addition to reviewing the activities, see CISA's Shields Up webpage for steps to reduce future risk against these threats in the U.S. homeland. 

Russian Threat Actors

Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian organizations, have enabled cyber actors to acquire sensitive data and disrupt daily operations. The resources listed below provide overviews of the Russian cyber landscape and recommendations on how other organizations and entities can prevent similar attacks. 

Publication DateTitleDescription
April 27, 2022Microsoft: The hybrid war in Ukraine Microsoft has released a blog detailing destructive Russian cyberattacks observed in a hybrid war against Ukraine.
March 7, 2022Google: The hybrid war in Ukraine Google’s Threat Analysis Group (TAG) has observed activity, ranging from espionage to phishing campaigns, from a host of Russian threat actors.
February 28, 2022 Microsoft: Cyber threat activity in Ukraine: analysis and resources (updated) Microsoft has monitored escalating cyber activity in Ukraine to give organizations intelligence on potential attacks and information to implement proactive protections against future attempts.
February 4, 2022Microsoft: ACTINIUM targets Ukrainian organizations The Microsoft Threat Intelligence Center (MSTIC) shares information on a threat group named ACTINIUM, which has been operational for almost a decade and has pursued access to organizations in Ukraine or entities related to Ukrainian affairs.
January 20, 2022Palo Alto Networks: Threat Brief: Ongoing Russia and Ukraine Cyber Conflict Beginning on Jan. 14, reports emerged about a series of Russian cyber-attacks targeting numerous Ukrainian government websites. As a result of these attacks, numerous sites were found to be either defaced or inaccessible. 
January 11, 2022CISA: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure This joint FBI, and NSA Cybersecurity Advisory warns organizations of Russian-state sponsored cyber threats and provides an overview of Russian cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. 

 

Ransomware

CISA and JCDC partners have observed the increased use of ransomware in cyber-attacks on U.S. and international organizations. The subsequent resources contain technical details, indicators of compromise (IOCs), and/or recommended mitigations to combat Russian ransomware threats. 

Publication DateTitleDescription
March 1, 2022CrowdStrike: Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities Destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at several organizations affected by the attack. 
February 28, 2022 CISA: Conti RansomwareCISA, FBI, and United States Secret Service  have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment. 

 

Destructive Malware

The resources below detail destructive malware used to destroy an organization’s critical assets and data. These highlighted publications include descriptions of Russian malicious cyber activity, technical details, and recommended mitigations.

Publication DateTitleDescription
March 1, 2022ESET Research: IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine As the recent hostilities started between Russia and Ukraine, ESET researchers discovered several malware families targeting Ukrainian organizations. These destructive attacks leveraged at least three components: HermeticWiper,

HermeticWizard, and HermeticRansom.
February 25, 2022CrowdStrike: CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine CyberattacksCrowdStrike Intelligence discovered new destructive malware known as DriveSlayer, and it’s the second wiper to affect Ukraine following the recent WhisperGate. DriveSlayer is digitally signed using a valid certificate and also abuses a legitimate EaseUS Partition Master driver to gain raw disk access and manipulate the disk to make the system inoperable.
February 25, 2022SecureWorks: Disruptive HermeticWiper Attacks Targeting Ukrainian OrganizationsSecureworks® Counter Threat Unit™ (CTU) researchers investigated reports of disruptive activity that began targeting organizations in Ukraine. These attacks reportedly caused intermittent loss of access to government websites belonging to the Ukrainian Ministry of Foreign Affairs, Ministry of Defense, Security Service, Ministry of Internal Affairs, and Cabinet of Ministers.
February 24, 2022IBM: IBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine Symantec Enterprise reported a ransomware dubbed as PartyTicket was deployed alongside the HermeticWiper malware. IBM Security X-Force obtained a sample of the PartyTicket ransomware and has provided technical analysis, indicators of compromise, and detections within the PartyTicket section of this blog.
February 24, 2022Broadcom Software: Ukraine: Disk-wiping Attacks Precede Russian InvasionA new form of disk-wiping malware (Trojan.Killdisk) was used to attack organizations in Ukraine shortly before the launch of the Russian invasion. Symantec, a division of Broadcom Software, has also found evidence of wiper attacks against machines in Lithuania. Sectors targeted included organizations in the financial, defense, aviation, and IT services sectors.
February 24, 2022ESET Research: HermeticWiper: New data wiping malware hits UkraineA number of organizations in Ukraine have been hit by a cyberattack that involved new data-wiping malware dubbed HermeticWiper and impacted hundreds of computers on their networks, ESET Research has found.
February 23, 2022Recorded Future: Second data wiper attack hits Ukraine computer networks Two cybersecurity firms with a strong business presence in Ukraine—ESET and Broadcom’s Symantec—have reported that computer networks in the country have been hit with a new data-wiping attack.
February 23, 2022SentinelOne: HermeticWiper | New Destructive Malware Used In Cyber Attacks on UkraineThis blog includes the technical details of the wiper, dubbed HermeticWiper, and includes IOCs to allow organizations to stay protected from this attack.
February 23, 2022CISA: New Sandworm Malware Cyclops Blink Replaces VPNFilterIn this Advisory, NCSC-UK, CISA, NSA and the FBI report that the malicious cyber actor known as Sandworm or Voodoo Bear is using new malware, referred to as Cyclops Blink. Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office routers and network-attached storage devices.
February 3, 2022Palo Alto Networks: Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting UkrainGiven the current geopolitical situation and the specific target focus of Primitive Bear APT group, Palo Alto continues to actively monitor for indicators of their operations. In doing so, they have mapped out three large clusters of their infrastructure used to support different phishing and malware purposes. These clusters link to over 700 malicious domains, 215 IP addresses and over 100 samples of malware.


January 28, 2022
CrowdStrike: Lessons Learned From Successive Use of Offensive Cyber Operations Against Ukraine and What May Be Next This blog evaluates major disruptive events against Ukrainian interests in the past and attempts to forecast likely forms and outcomes of future Russian operations within the region.
January 15, 2022Microsoft: Destructive malware targeting Ukrainian organizationsMicrosoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022.

 

Malware

This section lists resources on other malware from advanced persistent threat (APT) groups. 

Distributed Denial of Service (DDoS)

DDoS attacks crash websites or online services by flooding sites with too much traffic, overwhelming networks and thus, making them inoperable. Information in the below resources provide more information on known Russian-state sponsored actor DDoS attacks.

Publication DateTitleDescription
March 10, 2022SecurityScorecard: Discovers new botnet, ‘Zhadnost,’ responsible for Ukraine DDoS attacks

SecurityScorecard has identified three separate DDoS attacks which all targeted Ukrainian government and financial websites leading up to and during Russia’s invasion of Ukraine. Details of these DDoS attacks have not yet been publicly identified.
March 7, 2022Zscaler: DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense (updated) A threat actor using DanaBot has launched a DDoS attack against the Ukrainian Ministry of Defense’s webmail server. It is unclear whether this is an act of individual hacktivism, state-sponsored, or possibly a false flag operation.

 

Shields Up

Report Activity Related to this Threat

CISA encourages all organizations to urgently report any additional information related to these threats. Users and administrators should flag associated activity, report the activity to CISA (see below) or FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

  • 1-888-282-0870 (From outside the United States: +1-703-235-8832)
  • Report@cisa.gov (UNCLASS)

When cyber incidents are reported quickly, CISA and JCDC partners can use this information to render assistance and help prevent other organizations and entities from falling victim to a similar attack.