Threat groups with Russian ties, malware used in Ukraine prompts alert for US health sector

Entities in the healthcare and public health sectors should be vigilant in monitoring for and proactively working to prevent falling victim to wiper malware and attacks from threat groups with ties to Russia, in light of the unprovoked attack on Ukraine, according to an alert from The Department of Health and Human Services Cybersecurity Coordination Center.

The alert joins an earlier American Hospital Association advisory that details the recommended remediation efforts provider entities should employ to proactively bolster their cyber posture in light of the heightened threat to infrastructure organizations.

The ongoing conflict has “spilled into cyberspace,” with allies on both sides working to thwart cyber capabilities of the other groups. The newest alert shines a light of the specific tactics and malware-based threats that could potentially impact healthcare delivery organizations.

At the moment, HC3 is unaware of any specific threat to the healthcare sector, but two malware variants are expected to be “utilized in any collateral attacks, which may impact the U.S. healthcare and public health sector in this campaign.”

The alert also details three threat groups that could potentially impact these sectors, which include Russian government agencies, Russian-based cybercriminal groups, and other entities that aren’t part of the government.

“This is not to say that other threat actors can or will not get involved, but these three groups are the primary focus at this time,” according to the alert. “It is very possible that other cybercriminal groups have or will join the conflict, and will bring with them their custom tools, tactics, techniques, and weapons.”

Alert highlights Conti threat group, malware observed in Ukraine

Russia is well known for its cyber capabilities that target “critical infrastructure in furtherance of their geopolitical goals.” In particular, the 2017 NotPetya incident launched against Ukraine had a rippling effect across the globe, including at least 10 entities tied to the U.S. healthcare sector.

Specifically, healthcare entities should familiarize themselves with the tactics used by Conti, which has notoriously targeted the healthcare sector, even amid the ongoing pandemic crisis. Conti is known to exploit Managed Service Providers (MSPs), while employing big game hunting, multi-stage attacks, and extortion efforts combined with ransomware attacks.

Providers should also review insights on two wiper malware variants currently in “significant use” against Ukraine: HermeticWiper and WhisperGate.

HermeticWiper is a new form of disk-wiping malware with at least one version identified with the filename Trojan.Killdisk, used to attack Ukraine organizations just before the Russian invasion. The malware is deployed with an executable file, signed with a certificate issued to “Hermetica Digital Ltd” and contains 32-bit and 64-bit driver files compressed by the Lempel-Ziv algorithm.

“The malware will drop the corresponding file according to the operating system version of the infected system,” the alert notes. Once deployed, “the wiper will damage the Master Boot Record (MBR) of the infected computer, rendering it inoperable.”

The wiper targets Windows devices and manipulates the boot record in such a way that causes failure. It also adjusts its process token privileges, while giving the malware read-access control to any file in the access control list. Outside of its destructive capabilities, the HermeticWiper appears to not have any further capabilities.

The second wiper malware variant of note, WhisperGate, is a new form of disk-wiping malware believed to operate in three parts: a file wiper, a bootloader that corrupts local disks, and a Discord-based downloader. The bootload complements its file-wiper counterpart, which work in tandem to “irrevocably corrupt the victim’s data and attempt to disguise themselves as ransomware operations.”

Security researchers have identified a number of variants of both HermeticWiper and WhisperGate in the wild, for which HC3 included a list of resources provider organizations should review to best understand the threat and impacts. These resources include recommended defense, mitigation, and remediation measures and indicators of compromise.

Further, HC3 stressed that these are just two possible malware variants with potential healthcare impacts. Given Russia’s high capabilities, providers should review federal insights on Russian-backed threats and tactics.