Feds Warn Health Sector of Russia-Ukraine Conflict ThreatsHHS HC3: Beware of 3 Main Threat Groups, 2 Wiper Malware Variants
Federal authorities are warning that while they are unware of specific cyberthreats to the U.S. healthcare and public health sector related to Russia's attack on Ukraine, entities in those sectors should stay proactive and vigilant to at least three main potential threat groups and two wiper malware variants.
The Department of Health and Human Service's Health Sector Cybersecurity Coordination Center, in an analyst report issued Tuesday, says the three potential threat groups to the healthcare and public health sector related to the Russia-Ukraine conflict include organizations that are part of the Russian government, cybercriminal groups based in Russia and neighboring states, and organizations that are part of the Belarusian government.
"This is not to say that other threat actors can or will not get involved, but these three groups are the primary focus at this time," HHS HC3 writes.
Main Threat Groups
Threat actors that are part of the Russian government are suspected to be behind an assortment of past cyberattacks, HC3 writes.
Those include attacks on Estonian government, media and financial targets in 2007; Georgian government sites in 2008; Kyrgyzstan internet service providers in 2009; Ukrainian government, military and critical infrastructure attacks in 2014; and attacks on Ukraine, as well as many other countries with NotPetya in 2017, HHS HC3 says.
Conti is known to conduct managed service provider compromise, big game hunting targeting of large organizations, multistage attacks that leverage other malware variants as part of the attack, and double- and triple-extortion attacks involving data theft combined with the ransomware, HHS says.
Finally, the Belarus government, an ally of Russia, has also demonstrated cyber capabilities, HC3 writes. That includes a group known as UNC1151, which is suspected of being part of the Belarusian military, it says. "UNC1151 have been reportedly attempting to compromise the email accounts of Ukrainian soldiers with a phishing campaign."
HC3 also warns that two malware variants - both wipers - have been observed in significant use against Ukraine in the past two months: HermeticWiper and WhisperGate (see: Feds Advise Shields Up as Russian Cyberattack Defense).
HermeticWiper is a new form of disk wiping that was used to attack organizations in Ukraine shortly before the launch of the Russian invasion on Feb. 24, HC3 says. "There are a number of variants in the wild and therefore all of the details included in this report may not apply to all variants. We have included a number of industry reports at the end of this section as well as in the references section at the end of this report to allow analysts to dig deeper and better understand individual variants."
WhisperGate is also a new form of disk wiping malware that is believed to operate in three stages or parts, HC3 writes. That includes a bootloader that corrupts detected local disks, a Discord-based downloader and a file wiper.
"The WhisperGate bootloader complements its file-wiper counterpart. Both irrevocably corrupt the victim’s data and attempt to disguise themselves as ransomware operations," HC3 writes.
Like HermeticWiper, WhisperGate has been observed attacking organizations in Ukraine shortly before the launch of the Russian invasion. There are also a number of variants in the wild, HC3 says.
HHS HC3 recommends organizations review CISA’s guidance on the wiper variants.