Destructive Malware Used to Target Ukraine Poses Threat to Healthcare

February 28, 2022 - The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory to warn organizations about HermeticWiper and WhisperGate malware, two destructive malware variants that have been used to target organizations in Ukraine.

HHS’ Health Sector Cybersecurity Coordination Center (HC3) urged healthcare organizations to remain on high alert due to the destructive nature of HermeticWiper malware. Threat actors deployed HermeticWiper malware against systems in Latvia, Lithuania, and Ukraine hours before Russia’s invasion of Ukraine.

Although there have been no reports of HermeticWiper being used against US organizations, the severity of this malware variant poses a significant threat to all organizations. Both WhisperGate and HermeticWiper were designed to render targeted systems completely inoperable.

“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data,” CISA’s advisory stated.

“Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.”

The American Hospital Association (AHA) recently warned that healthcare organizations could be at risk from cyber threats as geopolitical tensions rise. Along with being targeted intentionally, AHA said that “hospitals and health systems may become incidental victims of, or collateral damage to, Russian-deployed malware or destructive ransomware that inadvertently penetrates U.S. health care entities.”

In January, CISA, the FBI, and the National Security Agency (NSA) issued a joint advisory warning all US critical infrastructure entities of Russian state-sponsored advanced persistent threat (APT) actors.

Russian APT actors have been known to target operational technology (OT) or industrial control systems (ICS) with malware in the past, making it even more likely that Russian state-sponsored actors will continue to leverage cyberattacks as its invasion of Ukraine continues.

In the most recent advisory, CISA and the FBI urged organizations to improve their cyber resiliency and implement technical safeguards against HermeticWiper and WhisperGate.  

“Destructive malware may use popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from websites, and virus-infected files downloaded from peer-to-peer connections. Malware seeks to exploit existing vulnerabilities on systems for quiet and easy access,” the advisory stated.

“The malware has the capability to target a large scope of systems and can execute across multiple systems throughout a network. As a result, it is important for organizations to assess their environment for atypical channels for malware delivery and/or propagation throughout their systems.”

All organizations should patch systems, install antivirus software, ensure proper network segmentation, and require multi-factor authentication. Maintaining reliable incident response and business continuity plans is also crucial to ensuring security and navigating heightened security concerns.