Cyber Bulletin 001

At Clevyr, for the security of ourselves and others, we actively monitor the state of cyber security both within our own environments and around the world. With the current status quo being of high concern, we’re releasing this bulletin which contains some of our most considerable concerns and suggestions.

As this circumstance evolves, we will continue to update these considerations in new bulletins, and adjust our plans of action accordingly.

The War in Ukraine

Considerations

The war in Ukraine has already seen multiple cyber incidents. Namely, DDoS attacks on Ukrainian government websites by non-state, “patriotic hackers”, HermeticWiper (a data-wiping malware), HermeticWizard (a worm that spreads HermeticWiper across a LAN via SMB), HermeticRansom (a data-extortion ransom written in Go), WhisperGate (another data-wiper), and covert disinformation campaigns by Belarusian hacking group UNC1151. The U.S. Intelligence Community has shown concerns that these cyberattacks have the potential to spill over into other countries, especially those who impose sanctions and assist Ukraine.

• Russia is a well-known threat in the cyber domain that actively exploits government, private, public, and civilian systems.
• Russia has many known APT (Advanced Persistent Threat) groups that are under the direction of the Russian government. These groups are considered to be skilled in offensive cyber attacks and disinformation.
• Fancy Bear (APT 28)
• Cozy Bear (APT 29)
• Sandworm Team (G0034)
• Dragonfly 2.0 (G0074)
• FIN7 (G0046)
• Turla (G0010)
• Others…
• For years now, Russia has demonstrated its ability to manipulate industrial control systems (ICS). In 2015, Russian hacking groups attacked ICS  in Kyiv, Ukraine, and temporarily disabled power to more than a quarter-million residents. In 2016, they launched another similar attack. Months later, Russian malware was found in multiple U.S utility companies.
• FIN7 hacking group recently launched a campaign that used the United States Postal Service and UPS to mail malware-loaded USB sticks to U.S. companies. These packages were disguised as official Coronavirus guidance from the Department of Health and Human Services, as well as other guises.

Ransomware

• NSA, FBI, and cyber security researchers are monitoring known Russian threat actors for potential ransomware attacks. The worry is that the overall cost of war combined with international sanctions will motivate these groups to generate profit and cause disruptions.

• In 2017, the Russian military conducted a faux ransomware attack against Ukraine, which unintentionally spread outside of the intended target and impacted numerous other companies around the world. The total damage of the attack was estimated at upwards of $10 billion.

CISA, in alliance with the FBI, has stated that they have cyber teams in a majority of states that can be on-site “within an hour” to help remediate and investigate ransomware attacks.

Copycat effect

• The U.S. Intelligence Community has shared concerns that other adversaries and APT groups will use the cyberwar in Ukraine to launch attacks while eyes are on Russia and Ukraine. This is a common occurrence in high-profile murder cases where one incident spurs instances of similar attacks. This effect has been shown to be applicable in the cyber domain as well.

Cryptocurrency

• Hacking groups often use ransomware and scams to acquire cryptocurrency to help fund their malicious activities. Not only is ransomware disruptive to an organization’s operation, if payment is made to reinstate an organization’s operation and data, this further fuels the potential for these groups to operate in the future.

Safeguards

Considerations

The Cybersecurity & Infrastructure Security Agency (CISA) recently launched an initiative dubbed SHIELDS UP to help harden organizations. Below are some of their recommendations for a heightened security posture. While these controls may seem trivial or common-sense, now is the time to verify that all of your accounts, systems, and behaviors are using these standards.

Yourself and Your family

• Implement multi-factor authentication on all of your accounts.
• Update the software on all of your devices.
• Think before you click (and before you share).
• Use strong, unique passwords and a password manager (no dictionary words).

Corporate Leaders and CEOs

• Empower Chief Information Security Officers.
• Lower Reporting Thresholds.
• Participate in a Test of Response Plans.
• Focus on Continuity.
• Plan for the Worst.

Closing

Cyber is a team sport

While these types of bulletins and the universal worry of cyber attacks can be daunting, it’s worth noting that we are dealing with zero existing attacks and are in close partnership with industry-leading security companies and organizations. This does not mean we should let our guard down. On the contrary, we should have our SHIELDS UP. If you see something, say something. Cyber is a team sport. We’re all the “security team”. We will all be stronger and more resilient at the end of this.

The operations team monitors and tests our environments every day and will continue to do so long after this situation.

If you have any questions or concerns, please feel free to reach out to the Operations team or our Chief Officers.