From destructive wipers and malware disguised as anti-virus, Ukraine is suffering from cyber attacks against its own infrastructure and organizations. However, all is not quiet elsewhere in the world, as cyber threat actors do what they do best – never pass up a crisis to spread their “wares.” Whether threat actors are sympathetic to or supportive of either side, there are many who opportunistically use relevant themed subjects in emails as scams or phishing lures to steal information or deliver malware, including ransomware. Likewise, cyber threat intelligence analysts at Accenture pontificate that despite being quiet thus far, the sympathetic divisions that has developed among threat actors could contribute to “mounting risk for Western organizations as pro-Kremlin criminal groups adopt quasi-hacktivist tactics to choose their next victims. Organizations in the government, media, finance, insurance, utilities and resources sectors should be braced for more attacks.”

While CISA is still not aware of any specific credible threats to the U.S. homeland, given the on-going invasion and potential for state-sponsored or opportunistic cyber criminal actions to impact organizations outside of Ukraine, members are encouraged to maintain vigilance and awareness for threats attempting to leverage the current conflict, implement cybersecurity measures, and be prepared to respond to disruptive cyber attacks.

Recent cyber activity against Ukraine

• Ukraine's Computer Emergency Response Team is warning that threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware.
• More destructive wiper malware. In addition to WhisperGate, HermeticWiper, and IsaacWiper, ESET’s security researchers have identified another data wiper targeting Ukrainian organizations.

Members are encouraged to review CISA’s Shields Up, Shields Up Technical Guidance, and previously published WaterISAC and EPA webinars and advisories for cybersecurity measures and relevant resources.

Prior WaterISAC and EPA Webinars and Advisories

• U.S. EPA-WaterISAC Joint Notification on Protecting VSAT Networks and Communications
• U.S. EPA-WaterISAC Advisory on Potential Threat to Critical Infrastructure
• EPA-WaterISAC Webinar: Cybersecurity Recommendations in Consideration Russian State-Sponsored Cyber Operations Against U.S. Critical Infrastructure
• (TLP:AMBER) U.S. EPA-WaterISAC Advisory on Recommendations in Consideration of Russian Cyber Operations
• (TLP:WHITE) Joint Cybersecurity Advisory (AA22-011A) Issued to U.S. Critical Infrastructure for Understanding and Mitigating Russian State-Sponsored Cyber Threats

Incident Reporting
WaterISAC encourages all utilities that have experienced malicious or suspicious activity to email analyst@waterisac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form. Reporting to WaterISAC helps utilities and stakeholders stay aware of the threat environment of the sector.