
Russia uses never-before-seen malware in Ukraine war

A large-scale cyberattack targeted Ukraine shortly before the launch of the ground offensive. A new piece of malware, apparently months in preparation, suggests that the operation was orchestrated well in advance.


HermeticWiper: New Russian malware

In parallel with its military attacks on the country, Russia is engaged in a veritable cyberwar against Ukraine. The country seems to have prepared its hybrid war well in advance, as evidenced by the use of brand new "wiper" malware. It was reported by cybersecurity researchers from Symantec and ESET, and named HermeticWiper or Trojan.Killdisk.

The intention this time is not to temporarily interrupt certain services, nor disinformation, but the outright destruction of data. A wiper is a special type of malware whose sole function is to erase the contents of the hard drive, deleting data and damaging the operating system. The device will therefore no longer be able to start without a complete reinstallation. The malware notably targets financial institutions as well as companies working for the government. However, its targets are not limited to Ukraine: organizations in Latvia and Lithuania were also victims of the wiper.


An attack that targets organizations’ computer networks

HermeticWiper was so named because its executable file is signed by a certificate issued to Hermetica Digital Ltd. Specialists are still analyzing the program, but they were able to determine that it uses a certificate-signed driver from the EaseUS Partition Master software, installed as a Windows service. The malware then corrupts the files on the hard disk and damages the partition table and the Master Boot Record (MBR), the boot area of the hard disk. The last step is to restart the machine, which will then fail to boot.
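To make the MBR damage described above concrete from a responder's side, here is an added triage example (not code from the article, Symantec or ESET) that parses a 512-byte boot sector, checks the 0x55AA boot signature and the four partition entries, and optionally compares the boot code against a known-good hash. The two sample sectors are constructed in the block, with the "wiped" one standing in for a sector whose partition table and signature were zeroed.

```python
import hashlib
import struct
from typing import List, Optional

SECTOR = 512
BOOT_SIG = b"\x55\xaa"          # little-endian 0xAA55 at offset 510
PART_FMT = "<B3xB3xII"          # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Parse a classic MBR: boot signature, non-empty partition entries, hash of boot code."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, sector, 446 + 16 * i)
        if ptype != 0:                                   # type 0x00 means unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIG,
            "partitions": partitions,
            "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest()}


def triage_mbr(sector: bytes, baseline_boot_sha256: Optional[str] = None) -> List[str]:
    """Return findings that suggest a tampered or destroyed MBR; an empty list means it looks intact."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    if baseline_boot_sha256 and info["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline")
    return findings


def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack(PART_FMT, status, ptype, lba_start, sectors)


# Constructed sample: healthy MBR with placeholder boot code and one bootable NTFS (0x07) partition.
HEALTHY_MBR = (b"\xfa\x33\xc0" + b"\x90" * 443
               + _entry(0x80, 0x07, 2048, 409600) + _entry(0, 0, 0, 0) * 3 + BOOT_SIG)
# Constructed sample: same sector with partition table and signature overwritten by zeros.
WIPED_MBR = HEALTHY_MBR[:446] + b"\x00" * 66

if __name__ == "__main__":
    print("healthy:", triage_mbr(HEALTHY_MBR) or "no findings")
    print("wiped:  ", triage_mbr(WIPED_MBR))
```

On a real image, read the first 512 bytes of the disk (e.g. from a forensic copy) and pass them to `triage_mbr`, keeping a hash of the known-good boot code as the baseline.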

In at least one of the attacks, the hackers did not target individual computers. They directly used the domain controller to distribute the malware. "In one of the targeted organizations, the wiper was installed via the default GPO (domain policy), meaning the attackers likely took control of the Active Directory server," ESET claimed in a series of tweets.

An offensive prepared in advance

The malware authors appear to have been planning their attack for months. The compilation date of one of the malware samples is December 28, 2021. However, an organization in Lithuania was targeted by HermeticWiper as early as Tuesday, February 22, and the ground seems to have been prepared well in advance. The first traces of infiltration in their network date back to November 12, 2021, but no action was taken for several months until the malware was installed.

Another peculiarity of this attack is that ransomware was deployed in parallel, no doubt to create a diversion and better hide the wiper. This is the same strategy as the January attack, dubbed WhisperGate, which also attempted to hide wiper-type malware behind ransomware. This new wiper, however, was designed to be much more devastating.


Mehmet is one of the administrators of Teknonel. As a software developer, he loves to share his knowledge on related topics. He is highly familiar with the editorial process, from the inception of an article idea through the iterative process, publishing, and performance analysis, as well as product reviews.
