Shields Up Technical Guidance

Shields Up Actions for ICS and OT
(click on links for advisories providing in-depth mitigations)
• Change all default passwords.
• Enforce MFA.
• Strengthen security for connected IT-to-OT networks.
• Identify a resilience plan.

Immediate Shields Up Actions
• Remediate vulnerabilities.
• Enforce MFA.
• Run antivirus. 
• Enable strong spam filters to prevent phishing emails from reaching end users.
• Disable ports and protocols that are not essential.
• Strengthen controls for cloud services.
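One concrete way to act on the "disable ports and protocols that are not essential" item is to compare what a host is actually listening on against a documented allowlist and treat anything else as a finding to close or justify. The POSIX shell script below is an added example, not CISA's code and not part of any linked advisory; the allowlist and the sample `ss -H -lntu` output it parses are constructed for illustration and would be replaced by the organization's own per-role baseline and the live output of `ss` on the host.

```shell
#!/bin/sh
# Added example (not CISA's code): audit listening TCP/UDP sockets against an
# allowlist and report anything unexpected. The allowlist and the sample
# `ss -H -lntu` output below are constructed for illustration only.

# Allowlist of essential listeners, one "proto:port" per line.
# Assumed hypothetical baseline for an internet-facing web host.
ALLOWED="tcp:22
tcp:443
udp:53"

# Constructed sample in the shape of `ss -H -lntu` output
# (Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE='tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:23      0.0.0.0:*
tcp   LISTEN 0 128  [::]:445        [::]:*
udp   UNCONN 0 0    0.0.0.0:53      0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:161     0.0.0.0:*'

# audit_listeners: read ss-style lines on stdin and print one
# "UNEXPECTED proto:port (address)" line for each listener that is not on
# the allowlist. Returns 0 when everything is allowlisted, 1 otherwise.
audit_listeners() {
  found=0
  while read -r proto _state _rq _sq laddr _peer; do
    [ -z "$proto" ] && continue
    port=${laddr##*:}          # keep only the port; also handles [::]:445
    key="$proto:$port"
    if ! printf '%s\n' "$ALLOWED" | grep -qxF "$key"; then
      echo "UNEXPECTED $key ($laddr)"
      found=1
    fi
  done
  return $found
}

# On a live Linux host: ss -H -lntu | audit_listeners
# Demonstration on the constructed sample (telnet, SMB and SNMP are flagged):
printf '%s\n' "$SAMPLE" | audit_listeners || echo "audit: unexpected listeners found"
```

The allowlist is deliberately per host role: a domain controller and a web server have different essential ports, so the check only carries weight when the baseline is maintained alongside the change-management record for that system. Anything the script flags should be either shut down or added to the baseline with a written justification, not silently ignored.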

Note: CISA will continue to update this webpage as we have further guidance to impart and additional reporting to share. Information contained on this webpage is provided “as-is” for informational purposes only. CISA does not endorse any company, product, or service referenced below.

Russia’s invasion of Ukraine, which has involved cyberattacks on Ukrainian government and critical infrastructure organizations, may impact entities both within and beyond the region. CISA and its Joint Cyber Defense Collaborative (JCDC) partners are responding to ongoing, disruptive cyber activities in connection with Russia's attack by documenting information on Russian threat actors, ransomware, destructive malware, distributed denial of service (DDoS) attacks, and Shields Up protective measures. A collection of technical resources is provided below for users and organizations to reference to stay up to date on the latest cyber threat activity in Ukraine. 

In addition to reviewing the activities, see CISA's Shields Up webpage for steps to reduce future risk against these threats in the U.S. homeland. 

Russian Threat Actors

Historically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and exploitation of known vulnerabilities against accounts and networks with weak security. Russia’s unprovoked attack on Ukraine has involved cyberattacks on Ukrainian organizations that have enabled cyber actors to acquire sensitive data and disrupt daily operations. The resources listed below provide overviews of the Russian cyber landscape and recommendations on how other organizations and entities can prevent similar attacks.

Publication Date | Title | Description
April 27, 2022 | Microsoft: The hybrid war in Ukraine | Microsoft has released a blog detailing destructive Russian cyberattacks observed in a hybrid war against Ukraine.
March 7, 2022 | Google: The hybrid war in Ukraine | Google’s Threat Analysis Group (TAG) has observed activity, ranging from espionage to phishing campaigns, from a host of Russian threat actors.
February 28, 2022 | Microsoft: Cyber threat activity in Ukraine: analysis and resources (updated) | Microsoft has monitored escalating cyber activity in Ukraine to give organizations intelligence on potential attacks and information to implement proactive protections against future attempts.
February 4, 2022 | Microsoft: ACTINIUM targets Ukrainian organizations | The Microsoft Threat Intelligence Center (MSTIC) shares information on a threat group named ACTINIUM, which has been operational for almost a decade and has pursued access to organizations in Ukraine or entities related to Ukrainian affairs.
January 20, 2022 | Palo Alto Networks: Threat Brief: Ongoing Russia and Ukraine Cyber Conflict | Beginning on January 14, reports emerged of a series of Russian cyberattacks targeting numerous Ukrainian government websites, leaving many of them defaced or inaccessible.
January 11, 2022 | CISA: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure | This joint CISA, FBI, and NSA Cybersecurity Advisory warns organizations of Russian state-sponsored cyber threats and provides an overview of Russian cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations.


Ransomware

CISA and JCDC partners have observed the increased use of ransomware in cyberattacks on U.S. and international organizations. The resources below contain technical details, indicators of compromise (IOCs), and/or recommended mitigations to combat Russian ransomware threats.

Publication Date | Title | Description
March 1, 2022 | CrowdStrike: Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities | Destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at several organizations affected by the attack.
February 28, 2022 | CISA: Conti Ransomware | CISA, FBI, and the United States Secret Service have observed the increased use of Conti ransomware in more than 400 attacks on U.S. and international organizations. In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment.


Destructive Malware

The resources below detail destructive malware used to destroy an organization’s critical assets and data. These highlighted publications include descriptions of Russian malicious cyber activity, technical details, and recommended mitigations.

Publication Date | Title | Description
March 1, 2022 | ESET Research: IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine | As the recent hostilities started between Russia and Ukraine, ESET researchers discovered several malware families targeting Ukrainian organizations. These destructive attacks leveraged at least three components: HermeticWiper, HermeticWizard, and HermeticRansom.
February 25, 2022 | CrowdStrike: CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks | CrowdStrike Intelligence discovered new destructive malware known as DriveSlayer, the second wiper to affect Ukraine following the recent WhisperGate. DriveSlayer is digitally signed using a valid certificate and abuses a legitimate EaseUS Partition Master driver to gain raw disk access and manipulate the disk to make the system inoperable.
February 25, 2022 | SecureWorks: Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations | Secureworks® Counter Threat Unit™ (CTU) researchers investigated reports of disruptive activity that began targeting organizations in Ukraine. These attacks reportedly caused intermittent loss of access to government websites belonging to the Ukrainian Ministry of Foreign Affairs, Ministry of Defense, Security Service, Ministry of Internal Affairs, and Cabinet of Ministers.
February 24, 2022 | IBM: IBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine | Symantec Enterprise reported a ransomware dubbed PartyTicket that was deployed alongside the HermeticWiper malware. IBM Security X-Force obtained a sample of the PartyTicket ransomware and has provided technical analysis, indicators of compromise, and detections within the PartyTicket section of this blog.
February 24, 2022 | Broadcom Software: Ukraine: Disk-wiping Attacks Precede Russian Invasion | A new form of disk-wiping malware (Trojan.Killdisk) was used to attack organizations in Ukraine shortly before the launch of the Russian invasion. Symantec, a division of Broadcom Software, has also found evidence of wiper attacks against machines in Lithuania. Sectors targeted included organizations in the financial, defense, aviation, and IT services sectors.
February 24, 2022 | ESET Research: HermeticWiper: New data wiping malware hits Ukraine | A number of organizations in Ukraine have been hit by a cyberattack that involved new data-wiping malware dubbed HermeticWiper and impacted hundreds of computers on their networks, ESET Research has found.
February 23, 2022 | Recorded Future: Second data wiper attack hits Ukraine computer networks | Two cybersecurity firms with a strong business presence in Ukraine, ESET and Broadcom’s Symantec, have reported that computer networks in the country have been hit with a new data-wiping attack.
February 23, 2022 | SentinelOne: HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine | This blog includes the technical details of the wiper, dubbed HermeticWiper, and includes IOCs to allow organizations to stay protected from this attack.
February 23, 2022 | CISA: New Sandworm Malware Cyclops Blink Replaces VPNFilter | In this Advisory, NCSC-UK, CISA, NSA, and the FBI report that the malicious cyber actor known as Sandworm or Voodoo Bear is using new malware, referred to as Cyclops Blink. Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office routers and network-attached storage devices.
February 3, 2022 | Palo Alto Networks: Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine | Given the current geopolitical situation and the specific target focus of the Primitive Bear APT group, Palo Alto continues to actively monitor for indicators of their operations. In doing so, they have mapped out three large clusters of infrastructure used to support different phishing and malware purposes. These clusters link to over 700 malicious domains, 215 IP addresses, and over 100 samples of malware.
January 28, 2022 | CrowdStrike: Lessons Learned From Successive Use of Offensive Cyber Operations Against Ukraine and What May Be Next | This blog evaluates major disruptive events against Ukrainian interests in the past and attempts to forecast likely forms and outcomes of future Russian operations within the region.
January 15, 2022 | Microsoft: Destructive malware targeting Ukrainian organizations | Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on victim systems in Ukraine on January 13, 2022.


Malware

This section lists resources on other malware from advanced persistent threat (APT) groups. 

Distributed Denial of Service (DDoS)

DDoS attacks make websites or online services unavailable by flooding them with more traffic than their servers or network links can handle, so that legitimate requests cannot be served. The resources below provide more information on DDoS attacks associated with Russian state-sponsored actors.

Publication Date | Title | Description
March 10, 2022 | SecurityScorecard: Discovers new botnet, ‘Zhadnost,’ responsible for Ukraine DDoS attacks | SecurityScorecard has identified three separate DDoS attacks which all targeted Ukrainian government and financial websites leading up to and during Russia’s invasion of Ukraine. Details of these DDoS attacks have not yet been publicly identified.
March 7, 2022 | Zscaler: DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense (updated) | A threat actor using DanaBot has launched a DDoS attack against the Ukrainian Ministry of Defense’s webmail server. It is unclear whether this is an act of individual hacktivism, state-sponsored, or possibly a false flag operation.


Shields Up

Organizations should be prepared to respond to disruptive cyber activity. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyber-attacks. We encourage everyone to put their Shields Up and take proactive steps to protect against active threats. 

Report Activity Related to this Threat

CISA encourages all organizations to urgently report any additional information related to these threats. Users and administrators should flag associated activity, report the activity to CISA (see below) or FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.

  • 1-888-282-0870 (From outside the United States: +1-703-235-8832)
  • Report@cisa.gov (UNCLASS)

When cyber incidents are reported quickly, CISA and JCDC partners can use this information to render assistance and help prevent other organizations and entities from falling victim to a similar attack.