Ukraine continues to be targeted with wiper malware

In the wake of the Russian invasion of Ukraine, ESET researchers have discovered new wiper malware families used in targeted cyberattacks on Ukrainian organizations.

The first cyberattack started a few hours before the Russian invasion with massive DDoS attacks against major Ukrainian websites. Several of the new malware families were also used in the course of these attacks: HermeticWiper for data deletion, HermeticWizard for distribution in the local network and HermeticRansom as decoy ransomware. With the start of the Russian invasion, a second attack began against a Ukrainian government network, also using a wiper. ESET researchers named this IsaacWiper. The malware artifacts indicate that the actions had been planned for several months. So far, the experts from the European IT security manufacturer have not been able to attribute the attacks to a known hacker group. It cannot be ruled out that sooner or later the malware will also be used outside of Ukraine. The experts have published their further analysis on WeLiveSecurity.

“We are currently investigating whether there is a connection between IsaacWiper and HermeticWiper. IsaacWiper was detected at a Ukrainian government organization that was not affected by HermeticWiper,” says Jean-Ian Boutin, ESET Head of Threat Research.

Attacks planned well in advance

The ESET researchers assume that the affected organizations were compromised long before the wiper was used. “This assessment is based on several facts: the HermeticWiper compilation timestamps, the oldest of which is December 28, 2021; the code signing certificate issue date of April 13, 2021; and the deployment of HermeticWiper via the default domain policy in at least one instance, which suggests the attackers previously had access to one of the victim’s Active Directory servers,” Boutin continued. IsaacWiper appeared in ESET telemetry on February 24th. The oldest compilation timestamp found was October 19, 2021, which means that if the timestamp has not been tampered with, IsaacWiper may have been used months earlier in previous operations.
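The timestamp reasoning above can be reproduced during triage by reading the COFF `TimeDateStamp` field of a sample and comparing it with the first-seen date. The following is an added example, not ESET's tooling: the function names are hypothetical, the byte strings are constructed minimal headers rather than real samples, and the year 2022 for the first-seen dates is an assumption based on the dates in the text.

```python
import struct
from datetime import datetime, timezone

UTC = timezone.utc

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 12 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the stamp.
    (stamp,) = struct.unpack_from("<I", data, pe_off + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)

def assess(data: bytes, first_seen: datetime) -> dict:
    """Compare the compile time with the first sighting in telemetry."""
    compiled = pe_compile_time(data)
    lead = (first_seen - compiled).days
    if compiled.year < 2000 or compiled > first_seen:
        # The field is attacker-controlled, so treat it as a hint only.
        note = "implausible: timestamp zeroed or tampered with"
    elif lead >= 30:
        note = "built well before first sighting: check for earlier activity"
    else:
        note = "built shortly before first sighting"
    return {"compiled": compiled.date().isoformat(),
            "lead_days": lead, "note": note}

def make_sample(compiled: datetime) -> bytes:
    """Constructed header: DOS stub with e_lfanew=0x40, then the COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x8664, 1, int(compiled.timestamp()))
    return dos + coff + b"\0" * 12

# Constructed inputs using the dates quoted in the text (time of day assumed).
ISAAC = make_sample(datetime(2021, 10, 19, tzinfo=UTC))
HERMETIC = make_sample(datetime(2021, 12, 28, tzinfo=UTC))
ZEROED = make_sample(datetime(1970, 1, 1, tzinfo=UTC))

if __name__ == "__main__":
    print(assess(ISAAC, datetime(2022, 2, 24, tzinfo=UTC)))
    print(assess(HERMETIC, datetime(2022, 2, 23, tzinfo=UTC)))
    print(assess(ZEROED, datetime(2022, 2, 24, tzinfo=UTC)))
```

A large gap is a reason to search older logs and backups for the same hash or signer, not proof of earlier use, since the field can be set to any value at build time.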

Another wave of attacks with IsaacWiper

Just one day after using IsaacWiper, the attackers released a new version with debug logs. This could indicate that the attackers were not able to wipe some of the targeted machines and added log messages to understand what happened. ESET researchers have not been able to link these attacks to a known threat actor as there are no significant code similarities to other samples in the ESET malware collection.

HermeticWiper spreads in attacked organizations

In the case of HermeticWiper, ESET observed evidence of lateral movement of the malware within the targeted organizations and determined that the attackers likely took control of an Active Directory server. A custom worm, which ESET researchers dubbed HermeticWizard, was used to proliferate the wiper on the compromised networks. For the second wiper – IsaacWiper – the attackers used RemCom, a remote access tool, and possibly Impacket to move inside the network.

Also, HermeticWiper erases itself from disk by overwriting its own file with random bytes. This anti-forensic measure is probably intended to prevent analysis of the wiper after an incident. The decoy ransomware HermeticRansom was deployed at the same time as HermeticWiper, possibly to obfuscate the wiper’s actions. The term “Hermetic” is derived from Hermetica Digital Ltd., a Cypriot company to which the code signing certificate was issued. According to a Reuters report, this certificate appears not to have been stolen from Hermetica Digital. Rather, it is more likely that the attackers posed as the Cypriot company in order to obtain this certificate from DigiCert. ESET Research asked the issuing company DigiCert to revoke the certificate immediately.

Timeline of the cyberattacks on Ukraine

    • On February 23rd, HermeticWiper malware (along with HermeticWizard and HermeticRansom) was used against several Ukrainian government agencies and organizations. This cyberattack came just hours before the start of the Russian invasion of Ukraine.
    • HermeticWiper erases itself from disk by overwriting its own file. This procedure is intended to make the analysis of the incident more difficult.
    • HermeticWiper is distributed on compromised local area networks by a custom worm we have named HermeticWizard.
    • On February 24th, a second wave of attacks was launched against a Ukrainian government network, also using a wiper, which ESET calls IsaacWiper.
    • On February 25th the attackers released a new version of IsaacWiper with debug logs indicating that they were unable to wipe some of the targeted machines.
    • Analysis results indicate that the attacks had been planned for several months.
    • ESET security experts have not yet been able to assign these attacks to a hacker group.

Further information:

The ESET researchers have published their detailed analysis of the two wipers on WeLiveSecurity.