HermeticWiper, Cyclops Blink, BlackEnergy, and Petya: The Russian Cyberattacks Launched to Disrupt Your Business

Tuesday 1 March 2022, Amsterdam

Russia launched a full-scale invasion of Ukraine. As a consequence, the U.S. and its NATO allies imposed economic sanctions against Russia. The Russian Foreign Affairs Ministry responded with threats to the U.S., asserting that there will be a “strong response” from Russia as a result of the sanctions. Countries enforcing restrictions may suffer a backlash of cyberattacks from Russia, similar to ones seen in the past.

Following the Ukraine invasion, the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) quickly alerted organizations to prepare for a cyberattack by reinforcing their cybersecurity posture. In the recommendation, CISA warns that “The Russian government understands that disabling or destroying critical infrastructure…can augment pressure on a country’s government, military, and population.”

The Department of Energy (DOE) also released a warning to the energy sector to proactively prepare for the “highest possible level” of Russian cyberattacks. In the last two days, we have seen new malware linked to Russian-backed Advanced Persistent Threat (APT) groups, one of which is already known to have led previous attacks on the energy and finance sectors.

Researchers first found Russian-linked malware labeled “HermeticWiper” targeting Ukraine and two NATO countries, Latvia and Lithuania. The malware has been used to wipe hundreds of computers in Ukraine. Ukraine has also sustained numerous DDoS attacks against its government and banking websites during the invasion.

SparkCognition’s DeepArmor AI-powered endpoint protection has proven to detect and block the known samples of HermeticWiper. Our endpoint protection neutralized the new wiper malware using agents currently in production with previously trained machine learning models. Our patented protection detects and protects against malware, providing security against both known and unknown attacks.

CISA, the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), in conjunction with the UK National Cyber Security Centre (NCSC), released an alert about a new malware used by threat actors linked to the Russian Intelligence Centre for Special Technologies (GTsST). The group, known as Sandworm, is connected to previous BlackEnergy and Petya attacks. The new malware, dubbed “Cyclops Blink”, has been active since 2019. Cyclops Blink acts as a beacon for the command and control server, from which it can download and install new malware or additional capabilities and prepare for future attacks. The Sandworm group is active once again and possibly looking to perform new attacks on critical infrastructure.

The same Russian-linked Sandworm group previously used BlackEnergy malware to attack Ukraine and U.S. energy and finance systems, compromise organizations, and collect information from Industrial Control Systems (ICS). The Sandworm group is also linked to Petya, a self-propagating worm used to infect networks, steal credentials, encrypt files, and move to different systems. It has also been used in the past to attack critical infrastructure in the energy and finance sectors.

Source: SparkCognition
