Sniff those Ukrainian emails a little more carefully, advises Uncle Sam in wake of Belarusian digital vandalism

US companies should be on the lookout for security nasties from Ukrainian partners following the digital graffiti and malware attack launched against Ukraine by Belarus, the CISA has warned.

In a statement issued on Tuesday, the Cybersecurity and Infrastructure Security Agency said it “strongly urges leaders and network defenders to be on alert for malicious cyber activity,” having issued a checklist [PDF] of recommended actions to take.

“If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic,” added CISA, which also advised reviewing backups and disaster recovery drills.

On Monday Ukraine attributed a headline-grabbing mass defacement of government websites to Belarus, the attacks having taken place late last week.

The CISA warning came after Microsoft published details of wiper ransomware deployed by a hitherto unknown criminal crew, later named as UNC1151 (aka Ghostwriter). Made to look like the most common threat facing businesses today, the malware merely deleted Windows boot records and encrypted files with common extensions such as .docx and .pdf; sending the equivalent of $10,000 in fake internet money to the address in the malware’s ransom note wouldn’t result in a helpful extortionist telling you how to recover your files.

Threat intel firm Prevailion published research into UNC1151 last year, speculating in September that it was “likely a state-backed threat actor,” explaining: “Their operations typically display messaging in general alignment with the security interests of the Russian Federation; their hallmarks include anti-NATO messaging, intimate knowledge of regional culture and politics, and strategic influence operations (such as hack-and-leak operations used in conjunction with fabricated messaging and/or forged documents).”

Among other things, Prevailion found attempts by the Belarusians to target the French Defence Information and Communication Delegation, along with Polish government figures, “European iCloud users”, Polish and Ukrainian B2C web services providers, and social media platforms.

The CISA warning is a reminder that bears repeating; NotPetya began in Ukraine and swept around the world, causing headaches for IT departments that lasted for weeks afterwards. With Russia and its Belarusian proxy carrying out a cold war against Ukraine through cyber means, there’s a heightened risk of contagion if a NotPetya-style worm gets out.

In years gone by smaller countries were said to cough when America caught a cold; today it’s your networks getting infected if Ukraine catches a virus. ®