CyberCube warns of Russian wiper malware that could lead to NotPetya-type losses

The war in Ukraine and growing geopolitical tensions are providing fertile ground for both nation states and criminals to launch cyberattacks, raising the risk of a contagious malware attack similar to NotPetya, warns CyberCube.

The NotPetya attack, carried out by Russia against Ukraine in 2017, caused widespread disruption to corporates including Maersk, Merck and Mondelez. The attack is estimated to have resulted in costs of $10bn.

In the past few months, Russia has been targeting governments and organisations outside of Ukraine with cyberattacks to gather intelligence that supports its war efforts. Since the start of the war, Microsoft has detected Russian network intrusion efforts on 128 targets in 42 countries outside of Ukraine.

Russia’s use of wiper malware, which is intended to destroy data or hardware, is a particularly big risk. Wiper malware is typically self-replicating and hard to control, and therefore can spread like a virus, just like NotPetya in 2017, according to William Altman, principal cybersecurity consultant at CyberCube, which provides cyber threat intelligence and analytics.

“In the past six months, we have seen the normalisation of wiper malware and the targeting of critical infrastructure at a level never seen before. Ransomware gangs loyal to Russia are going to continue to hit enterprises while state actors continue to focus on governments in the immediate vicinity of the conflict,” said Altman.

“This is an indication that in Ukraine, the boundaries of acceptable behaviour in cyberspace are being pushed beyond historical norms, and that wiper malware has been normalised in war. It is only a matter of time before these sophisticated wiper malware tool kits trickle down from military and intelligence agencies to the dark web for novice hackers to use,” he added.

Altman is particularly concerned about the systemic risks of a contagious malware attack linked to the war in Ukraine. “The downing of a large-scale cloud provider is still a huge aggregation risk… but when I think about what is more likely today, it is that wiper malware scenario. It’s destructive malware that targets operating systems globally and gets out of control, and we [could] start to see a NotPetya-type of attack again,” he said.

The war in Ukraine has also seen an increase in hacktivism, as cyber groups and volunteers take sides in the conflict. “This conflict is undoubtedly going to produce battle-hardened cyber hacktivists, and even mercenaries, that will attack for profit,” said Altman.

Nation states, which continue to conduct cyberattacks for espionage, are “pushing up against the acceptable boundaries of what is acceptable in cyber space”, according to Altman. “Nation states are increasingly aligning along ideological lines in cyber space, crafting ways to isolate their internet space. This in turn creates clearer battlefield lines that we have not previously had in cyber,” he said.

Authoritarian governments – namely Russia, China and Iran – are isolating their citizens from the global internet, a trend that has accelerated since the war in Ukraine. Russia, for example, is building its own “isolated, totalitarian internet”, explained Altman. This “fracturing of the global public internet” will create “intelligence blindspots” and “safe havens” for cybercriminals, he warned.

“Consequently, we are at more risk today of experiencing catastrophic cyberattacks directly as a result of cyber intelligence miscalculation, error and blindspots,” he said.

War between nation states could cause unintended collateral damage, continued Altman. For example, a cyberattack against internet service provider and satellite company Viasat, which provides services in Ukraine, also affected users in Europe and caused disruption to a German wind farm.

In addition to the war in Ukraine, CyberCube highlights two other “regional hotbeds” of dangerous cyber activity as tensions mount between China and Taiwan, and Israel and Iran.

“Insurers can look at these hotbeds for the type of activity that is indicative of catastrophic risk. For example, the use of wiper malware and attacks on critical infrastructure are all playing out in these conflicts today,” said Altman.

The cyber battlefield between Israel and Iran is extremely active, with attacks against governments, citizens and critical infrastructure, according to Altman. In June, Iran’s state-owned Khuzestan Steel Company halted production after it was hit by a cyberattack. Hacking group Predatory Sparrow is thought to be behind the attack, which reportedly caused a fire at the steel plant.

China will continue to be aggressive in cyberspace and is becoming more focused in its cyber activities, according to Altman.

“China has shown its willingness to scale its operations and take steps it was previously unwilling to take. As geopolitical tensions rise – especially between China and Taiwan and its allies – the big question on our minds over the next six months is whether China flexes some of its known, yet untested-to-date, cyber capabilities,” he said.