CISA and the FBI have updated joint Cybersecurity Advisory AA22-057A: Destructive Malware Targeting Organizations in Ukraine, originally released February 26, 2022. The advisory has been updated to include additional indicators of compromise for WhisperGate and Malware Analysis Reports (MARs) containing technical details for HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware.
- Refer to Table 3 in the Appendix of AA22-057A for hashes of malicious binaries, droppers, and macros linked to WhisperGate.
- Refer to MAR-10375867.r1.v1 for technical details on HermeticWiper.
- Refer to MAR-10376640.r1.v1 for technical details on IsaacWiper and HermeticWizard.
- Refer to MAR-10376640.r2.v1 for technical details on CaddyWiper.
February 26, 2022
Today the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory that gives a high-level summary of the destructive malware being used, including both WhisperGate and HermeticWiper, against organizations in Ukraine to destroy computer systems and render them inoperable. It also includes open-source indicators of compromise (IOCs) for organizations to detect and prevent the malware from impacting their networks.
Now that Russia has actually invaded Ukraine, WaterISAC has been on high alert for unusual cyber activity. At this time, no incidents have been reported in the U.S., but Russia is being blamed for destructive attacks against Ukrainian banks and government departments. WaterISAC recommends members review the advisory and take the appropriate actions to prevent and mitigate attacks that may occur against their networks.
Immediate Action to Strengthen Cyber Posture
As CISA noted when releasing its latest advisory, destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. Some immediate actions that can be taken to strengthen cyber posture include:
- Require multifactor authentication;
- Set antivirus and antimalware programs to conduct regular scans;
- Enable strong spam filters to prevent phishing emails from reaching end users;
- Update software; and
- Filter network traffic.
Also, CISA recently updated its “Shields Up” webpage, which now includes new services and resources, recommendations for corporate leaders and chief executive officers, and actions to protect critical assets. Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organizations against these threats.
Prior WaterISAC and Partner Webinars and Advisories
- Mandiant-WaterISAC Webinar: Critical Infrastructure Threats from Current Geopolitical Tensions
- EPA-WaterISAC Webinar: Cybersecurity Recommendations in Consideration of Russian State-Sponsored Cyber Operations Against U.S. Critical Infrastructure
- As Russian Advances into Ukraine, APT Cyber Activities Could also Advance
- U.S. EPA WaterISAC Advisory on Potential Threat to Critical Infrastructure
- (TLP:AMBER) U.S. EPA-WaterISAC Advisory on Recommendations in Consideration of Russian Cyber Operations
- (TLP:WHITE) Joint Cybersecurity Advisory (AA22-011A) Issued to U.S. Critical Infrastructure for Understanding and Mitigating Russian State-Sponsored Cyber Threats
Additional Resources
- Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure (AA22-011A)
- Russia Cyber Threat Overview and Advisories
- Protecting Against Malicious Cyber Activity before the Holidays (White House; 12/16/21)
- Joint Cybersecurity Advisory Ongoing Cyber Threats to U.S. Water and Wastewater Systems (CISA, FBI, NSA, EPA; 10/14/21)
- WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities
- EPA Cybersecurity Best Practices for the Water Sector
- AWWA Resources on Cybersecurity
- Proactive Preparation and Hardening to Protect Against Destructive Attacks (Mandiant)
- Actions to take when the cyber threat is heightened (NCSC)
Incident Reporting
WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email [email protected], call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the threat environment of the sector. Additionally, to report incidents or suspicious activity to the FBI, contact your local field office at www.fbi.gov/contact-us/field-offices or the 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or [email protected]. You can also report activity to CISA, via its online tools or at (888) 282-0870 or [email protected].