Nixu Threat Intelligence Bulletin #5: Russia's War in Ukraine

Nixu Threat Intelligence Team

March 15, 2022 at 17:31

Moscow’s hope of a blitzkrieg campaign has turned into a protracted war.

China's Shadow

US Intelligence has thus far been accurate about the events that led up to the war and the American Government has made a concerted effort to publicly call out Russian activities. The latest warning from Washington now concerns China.

When the Russian invasion stalled, Moscow asked China to support its war effort. To date, China has remained largely non-committal to either side, urging vaguely for restraint. US Intelligence, however, now believes that China is considering whether to support Russia. In response, the US has firmly stated that China’s support would not be left unanswered.

Nixu Threat Intelligence are unable to assign an assessment grade to the likelihood of whether China will join the conflict or in what form – most likely in the provision of supplies and materials – but overt Chinese support for Russia in the war would directly or indirectly bring in another great player from the cyber threat landscape. China is home to a number of infamous threat actor groups including APT41, Hafnium (responsible for the 2021 Microsoft Exchange Server data breach), and PLA Unit 61398 which is a Chinese military unit.

Chinese involvement in the war at any level could increase the likelihood of that nation’s threat actors and cybercriminals playing a more direct role in the conflict and could bring retaliatory consequences by US CYBERCOM or other western cyber units.

Our recommendations are largely unchanged, but this development is another reminder of the complexity of the situation: cyber defences and security practices should remain at a heightened posture even as the war becomes part of the regular news cycle. With every new player that enters the arena, the threat of cyber spillover increases.

Malware

Another data wiper malware has been discovered at work in Ukraine. Uncovered by ESET cybersecurity researchers and dubbed CaddyWiper, the malware was first found at the beginning of this week in several systems belonging to Ukrainian organizations.

The malware differs from the two wipers previously uncovered (HermeticWiper and IsaacWiper) and, according to ESET, the new strain bears no major code similarities to either. Much like the other two, however, its purpose appears to be the same: to “destroy user data and partition information from attached drives.”

Recommendations

  • Ensure your cybersecurity defences are up to date and adequately staffed.
  • Utilize Windows Defender Application Control or similar application controls to limit the activity of potentially malicious applications on endpoints.
  • Review your business continuity plans to align them with the changes the war is having on different regions.
  • Harden all systems to proactively protect against potential threats (e.g. MFA, Privileged Access Management, reviewing all authentication activity for remote access infrastructure, and isolating legacy systems).
  • More tips from Microsoft at https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/#updated-malware-details
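As an added example of the application-control recommendation above (not code from the bulletin, Nixu or Microsoft), the following PowerShell builds a Windows Defender Application Control policy from a known-good reference machine, turns it on in audit mode so nothing is blocked yet, and then reviews the audit log for binaries that would have been denied. The directory and file names under C:\WDAC\ are assumptions; it requires an elevated session on a Windows edition that supports WDAC.

```powershell
# Added example, not from the original bulletin.
# Assumed working directory and file names: C:\WDAC\BaselinePolicy.{xml,bin}
$PolicyXml = 'C:\WDAC\BaselinePolicy.xml'
$PolicyBin = 'C:\WDAC\BaselinePolicy.bin'
New-Item -ItemType Directory -Path 'C:\WDAC' -Force | Out-Null

# 1. Scan the reference system and allow code by publisher signature,
#    falling back to a file hash for unsigned binaries. -UserPEs includes
#    user-mode executables, not only kernel drivers.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\' -FilePath $PolicyXml

# 2. Rule option 3 is "Enabled:Audit Mode": violations are logged, nothing is
#    blocked. Keep audit mode until the log reviewed in step 4 is quiet on
#    representative production workloads, then remove the option to enforce.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile the XML policy into the binary form the kernel consumes.
#    Deploy the .bin through Group Policy, Intune or other management tooling.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. After deployment: event 3076 in the Code Integrity operational log records
#    each binary that ran but would have been blocked had the policy been enforced.
#    Anything unexpected here is either a missing allow rule or a finding.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message -First 20 |
    Format-List
```

Audit mode is the key design choice: a wiper that reaches an endpoint is an unsigned or unexpected binary, exactly what the policy is meant to stop, but an enforce-mode policy rolled out without an audit phase will also stop legitimate line-of-business tools and generate its own outage.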
