Response to Risk of WhisperGate Cyber Attacks as Russia Ukraine Crisis escalates

By: Jordan Mauriello and Matthew Herring

CRITICALSTART has been continuously monitoring the escalating crisis between Russia and Ukraine especially as it relates to WhisperGate. 

To recap, a set of malware dubbed WhisperGate was reported to have been deployed against Ukrainian targets around January 14th. The incident is widely reported to contain three individual components deployed by the same adversary, including a malicious bootloader that corrupts detected local disks, a Discord-based downloader and a file wiper. The activity occurred at approximately the same time multiple websites belonging to the Ukrainian government were defaced.

In response to this series of attacks, we proactively created several detections as we continuously review sophisticated ransomware attacks and cybercrime trends originating from Russia. While there is evidence that some vendors do detect the initial stages of the malware, our internal teams partnered to develop robust detections that account for common APT obfuscation and evasion techniques associated with WhisperGate malware. This allows us to account for unforeseen adversarial responses to the public vendor detections and makes it much more costly and time consuming for an adversary to circumvent security controls. The specific post-exploitation detections that augment the detection capabilities of our supported EDR products are as follows:

• AdvancedRun RunAs Privileged User:
  • Detects on threats leveraging Nirsoft’s AdvancedRun tool to execute a program with non-default settings. Here we are detecting on it running Service Control in the context of the TrustedInstaller group, a Privilege Escalation technique (MITRE T1588.002).
• Disabling Microsoft Defender with Directory Deletion:
  • Detects on threats using elevated privileges to recursively delete Microsoft Defender’s directories, resulting in disabling the prepackaged Windows Antivirus (MITRE T1562.001).
• Potential WhisperGate Execution Artifacts
  • Detects atomic indicators of compromise for the current variation of the WhisperGate wiper malware

Additionally, CRITICALSTART has conducted threat hunts through all customer environments with the known indicators of compromise associated with WhisperGate. If any findings are discovered, the relevant customers will be notified.

The Cybersecurity and Infrastructure Security Agency (CISA) released an Insight, Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, which provides critical infrastructure owners and operators with guidance on how to identify and mitigate the risks of influence operations that use mis-, dis-, and malinformation (MDM) narratives. 

CRITICALSTART supports all recommendations made by CISA and understands that extra protectionary measures are of the utmost importance to help mitigate the threats at this time. We want to stress that we are here to help and are committed to continued vigilance of all threat actor activity and want to ensure our customers fully understand our recommended mitigation steps.

• Verify all critical systems have backups in a secure location. Any data not backed up will be irretrievably lost if WhisperGate executes.
• Validate remote access activity and require all accounts authenticate using multi-factor authentication
• Ensure all software is up to date
• Disable all non-essential ports and protocols
• Ensure all appropriate security controls have been implemented in cloud environments
• If you are a Critical Start customer, contact your Customer Success Manager as updates to your major incident response plan are made
• Audit user account access, roles, and rights; especially for high value admins, systems, and executives

To read our previous blog on the cyber impact of the Russia-Ukraine Crisis, click here.