Destructive “Wiper” malware is at the intersection of multiple nation-state threats the department’s Cybersecurity and Infrastructure Security Agency is monitoring.
The Department of Homeland Security has pulled together officials from across all levels of government and the private sector to manage any stateside fallout from Russia’s invasion of Ukraine.
“The President has designated DHS the lead federal agency to coordinate domestic preparedness and response efforts related to the current Russia-Ukraine crisis, reads a press release the department issued Friday. “DHS has established a Unified Coordination Group to ensure unity of effort across the federal government in preparing for and responding to possible threats to the homeland; develop and pursue strategic objectives and priorities; and coordinate with federal, state, local, tribal and territorial officials, as well as representatives of the private sector and nongovernmental entities in support of these objectives and priorities.”
The DHS release reiterated there are currently no specific threats to the homeland resulting from the conflict, but pointed to a “Shields Up” alert the Cybersecurity and Infrastructure Security Agency published Feb. 12 and has been regularly updating.
“We are mindful of the potential for Russia’s destabilizing actions to impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies,” the alert read Friday, noting “continued denial of service and destructive malware attacks affecting Ukraine and other countries in the region.”
The Biden administration leveled sanctions on Russian entities Thursday after previously attributing DDoS cyberattacks against Ukraine banks—in record time—to Russia’s Main Intelligence Directorate, or GRU.
Friday’s DHS designation comes after another round of cyberattacks, including ones using HermeticWiper malware, hit Ukraine Wednesday. CISA didn’t note any attribution for the most recent attacks, but the shields-up alert “urges cybersecurity/IT personnel at every organization to review Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.” That document details practices Russian threat actors have used—including through SolarWinds and Microsoft’s Active Directory—to conduct reconnaissance and gain initial access at key US organizations, including DHS and several other federal agencies.
CISA also recommends organizations visit StopRansomware.gov, an inter-departmental webpage for ransomware resources and alerts. But amid heightened awareness of the Russian threat, the agency is also drawing attention to increased activity from Iran.
A group known as Muddywater, which is associated with Iran’s Ministry of Intelligence and Security, is “positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors,” reads an advisory CISA issued Wednesday along with partnering cybersecurity agencies at home and abroad.
The advisory and private-sector cybersecurity providers suggest the Iranian actor is harvesting intelligence at an opportune moment. But Iran is a prominent purveyor of wiper malware and has a significant history of working with Russia on cybersecurity and longer term strategies around information and communication technology in general.
Iran’s collaboration with Russia is specifically noteworthy in relation to the development and deployment of “wiper” malware. The term refers to code that either removes a victim’s data from its systems or otherwise renders it useless. In 2017, the NotPetya attack—which was initially deployed against Ukraine’s electric grid and subsequently spilled over to the rest of the globe—famously encrypted data, disguising itself as ransomware.