Companies Prepare for Fallout From Cyberattacks Against Ukraine

Hackers in recent weeks have defaced dozens of Ukrainian government websites and disabled computer systems in at least two of its agencies using destructive malware known as WhisperGate. Security officials at Microsoft Corp. , which analyzed the malware used, said it had affected “multiple government, nonprofit and information technology organizations, all based in Ukraine.”

Microsoft declined to comment further. Ukrainian officials have blamed Russia or its agents for the attacks. The Kremlin has denied involvement.

The worst-case scenario, cybersecurity experts warn, would be escalating breaches that mimic the 2017 NotPetya attack on a Ukrainian accounting firm that allowed hackers to rampage across other corporate networks, eventually causing an estimated $10 billion in global damage.

“I put my team on high alert right now. This is not the first time we’d see a political situation resulting in cyberattacks,” said Selim Aissi, chief information security officer of Blackhawk Network Holdings Inc., a fintech company based in Pleasanton, Calif.

Blackhawk doesn’t do business in Ukraine, Mr. Aissi said, but that doesn’t mean the company is shielded from cyberattacks related to that country. Employees who work in the company’s security operations center, or SOC, are working in shifts as they watch governments’ security alerts and tweak tools to scan for evidence of hacks.

“Making sure you always have someone on guard is very critical in times like this,” Mr. Aissi said. “We have to watch for new ransomware variants. We have to watch for any other nation-state activities.”

Cyberattacks are central to modern warfare and they can quickly metastasize across a global economy reliant on tightly connected technology supply chains. The upshot is that the digital blast radius for potential victims is widening, said Scott Algeier, executive director of the Information Technology Information Sharing and Analysis Center.

Mr. Algeier, whose nonprofit informs IT companies about security threats, said it is regularly communicating with its members about Ukraine. An organization dedicated to protecting utilities, the Electricity Information Sharing and Analysis Center, said it is doing the same.

“We need to prepare for the real possibility that the techniques being used against Ukraine will be used against the U.S. and others,” Mr. Algeier said.

U.S. officials say they are considering new sanctions and export controls aimed at hobbling the Russian economy should the Kremlin decide to advance its troops into Ukraine. If Russia launches cyberattacks against the country, President Biden said last week, “we can respond the same way, with cyber.”

Officials in countries including the U.K., Canada and the U.S. in recent weeks have urged companies to harden their security measures to ward off a potential escalation in Russia-backed cyberattacks.

The U.S. Cybersecurity and Infrastructure Security Agency compared the potential effects of the WhisperGate malware observed in Ukraine to the 2017 NotPetya hack. That attack, which the White House later attributed to the Russian military, led to hundreds of millions of dollars in expenses and lost sales at companies such as FedEx Corp. , drugmaker Merck & Co. and Danish shipping giant A.P. Moller-Maersk A/S.

U.S. officials worry about disruptions to companies that provide critical infrastructure, such as utilities or transportation, fearing that a far-off geopolitical conflict could affect daily life in the U.S.

In a Jan. 18 alert to businesses, CISA said, “If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.”

CNN reported that the Department of Homeland Security on Sunday issued a separate alert warning of cyberattacks targeting U.S. organizations in response to Washington’s pressure on Russia. DHS didn’t respond to a request for comment and CISA, an arm of DHS, declined to comment further.

Write to David Uberti at [email protected] and Kim S. Nash at [email protected]