US says destructive wiper malware targeting Ukraine could ‘spill over’ to other countries

A joint advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation has warned that the wiper malware used to attack Ukrainian organizations could affect businesses in the United States.

The alert, released over the weekend, provides information on WhisperGate and HermeticWiper, two destructive malware strains seen in recent attacks against organizations in Ukraine.

WhisperGate is a form of wiper malware that masquerades as ransomware, yet rather than encrypting files, it targets a system's master boot record for destruction. The malware, first discovered by the Microsoft Threat Intelligence Center, was used in multiple cyberattacks against Ukrainian targets back in January, including government, nonprofit and technology organizations.

HermeticWiper, another strain of disruptive wiper malware, was used to target Ukrainian organizations shortly before the launch of the Russian invasion. Discovered by ESET, the malware renders computers inoperable. These attacks, which ESET observed targeting hundreds of computers in the region, came just hours after a series of distributed denial-of-service (DDoS) attacks knocked several important websites in the country offline.

The joint advisory warns that while there is no specific threat against U.S. organizations tied to tensions with Russia over Ukraine, businesses should reinforce their defenses and increase their vigilance.

“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data,” said CISA and the FBI in the advisory.

“Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event,” it added.

The U.S. has not formally attributed the wiper attacks to Russia, though the advisory says that threat actors deployed the malware leading up to Russia’s “unprovoked attack against Ukraine.”

CISA and the FBI, which have provided indicators of compromise (IOCs) to help organizations stay protected from destructive wiper malware, urged U.S. businesses to take further measures to protect themselves by enabling multi-factor authentication, deploying antivirus and anti-malware programs, switching on spam filters, updating all software and filtering network traffic.