CISA, FBI warn on cyber threats targeting Ukraine
"Wiper" malware aimed at Ukraine government and critical infrastructure systems could bleed over into the U.S., law enforcement warns.
U.S. federal law enforcement warned on Saturday that destructive "wiper" malware aimed at Ukraine government and critical infrastructure systems by Russia could spill over into other countries and pose risks to the United States.
In an Feb. 26 alert, the FBI and the Cybersecurity and Infrastructure Security Agency shared details on the destructive malware being observed in Ukraine, noting that the campaign targets Windows-based networks, and is designed to render systems inoperable by compromising the master boot record, potentially leading to the destruction or unavailability of system data.
The malware has the potential to propagate outside of the systems targeted by Russia through emails and messaging platforms as well as via the kind of management systems targeted in the Solar Winds breach. The alert noted that antivirus software, help desk remote assistance tools, patch management and asset management systems and other applications that typically operate across multiple networks with high degrees of privilege could be attack vectors for wiper malware.
The prospect of weaponized malware spilling over from Ukraine into NATO countries has the potential to expand the scope of the conflict – something Sen. Mark Warner (D-Va.), the chairman of the Senate Select Intelligence Committee warned about in a Feb. 24 interview with Axios.
"If you unleash not one but five, or 10, or 50 or 1,000 at Ukraine, the chances of that staying within the Ukrainian geographic border is quite small," Warner said. "It could spread to America, spread to the U.K., but the more likely effect will be spreading to adjacent geographic territory."
Warner suggested that neighboring Poland – a NATO signatory nation – could be hit with spillover from Russian cyberattacks on Ukraine. He noted that it's not clear if that would trigger NATO mutual defense treaty obligations.
NATO has affirmed in the past that cyberattacks could trigger the Article 5 mutual defense obligations of the NATO agreement, but it's not clear whether spillover events would qualify, and NATO's leadership isn't showing its cards.
"When it comes to cyber attacks and the risk for incidents and accidents, for instance, in the Black Sea, we are pursuing mechanisms of deconfliction to prevent that from happening," NATO Secretary-General Jens Stoltenberg said on Friday.
"On cyber, well we have stated that cyber attacks can trigger Article 5. But we have never gone into the position where we give a potential adversary the privilege of defining exactly when we trigger Article 5," Stoltenberg said.
The FBI/CISA alert includes planning strategies to avoid getting hit and mitigation strategies to recover if a network is disabled by destructive malware.