A large-scale cyberattack targeted Ukraine shortly before the launch of the ground offensive. New malware that had been in preparation for months suggests the operation was orchestrated well in advance.
HermeticWiper: New Russian malware
In parallel with its military attacks on the country, Russia is engaged in a veritable cyberwar against Ukraine. The country appears to have prepared its hybrid war well in advance, as evidenced by the use of brand new “wiper” malware. It was reported by cybersecurity researchers from Symantec and ESET, and named HermeticWiper or Trojan.Killdisk.
The intention this time is not to temporarily interrupt certain services, nor to spread disinformation, but to destroy data. A wiper is a special type of malware whose sole function is to erase the contents of the hard drive, deleting data and damaging the operating system. The device will therefore no longer be able to start without a complete reinstallation. The malware notably targets financial institutions as well as companies working for the government. However, it does not only hit targets in Ukraine: organizations in Latvia and Lithuania were also victims of the wiper.
An attack that targets organizations’ computer networks
HermeticWiper was so named because its executable file is signed with a certificate issued to Hermetica Digital Ltd. Specialists are still analyzing the program, but they were able to determine that it uses a signed driver from the EaseUS Partition Master software, installed as a Windows service. The malware then corrupts the files on the hard disk and damages the partition table and the Master Boot Record (MBR), the boot area of the hard disk. The last step is to restart the machine, which will then be unable to boot.
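Because the wiper's end state is a damaged MBR and partition table, a defender can baseline those 66 bytes on known-good hosts and flag a disk whose first sector no longer parses. The following is an added example (not code from the article or from any of the researchers it cites) that parses a 512-byte MBR, runs basic sanity checks, and compares the partition table against a recorded SHA-256 baseline; the sample sector is constructed inline rather than read from a real disk.

```python
import hashlib
import struct
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"

def parse_mbr(sector: bytes) -> Dict:
    """Split a 512-byte MBR into bootstrap code, the four partition entries and the signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:446], "partitions": partitions,
            "signature": sector[510:512]}

def baseline_digest(sector: bytes) -> str:
    """SHA-256 of the partition table plus signature, recorded while the host is known-good."""
    return hashlib.sha256(sector[446:]).hexdigest()

def check_mbr(sector: bytes, baseline: Optional[str] = None) -> List[str]:
    """Return findings that suggest the MBR was wiped or altered; empty list means it looks intact."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if not mbr["boot_code"].strip(b"\x00"):
        findings.append("bootstrap code is all zeros")
    live = [p for p in mbr["partitions"] if p["type"] != 0]
    if not live:
        findings.append("partition table has no entries")
    for p in live:
        if p["sectors"] == 0:
            findings.append("partition type 0x%02x has zero length" % p["type"])
    if baseline is not None and baseline_digest(sector) != baseline:
        findings.append("partition table differs from recorded baseline")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: dummy boot code, one bootable NTFS partition, valid signature."""
    boot_code = b"\xEB\x63\x90" + b"\x90" * 443
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE
```

On a live Windows host the sector would come from reading the first 512 bytes of `\\.\PhysicalDrive0` with administrative rights; an all-zero sector or a missing signature is what a successful wipe leaves behind.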
In at least one of the attacks, the hackers did not target individual computers. They directly used the domain controller to distribute the malware. “In one of the targeted organizations, the wiper was installed via the default GPO (domain policy), meaning the attackers likely took control of the Active Directory server,” ESET claimed in a series of tweets.
An offensive prepared in advance
The malware authors appear to have been planning their attack for months. The compilation date of one of the malware samples is December 28, 2021. However, an organization in Lithuania was targeted by HermeticWiper as early as Tuesday, February 22, and the ground seems to have been prepared well in advance. The first traces of infiltration in their network date back to November 12, 2021, but no action was taken for several months until the malware was installed.
Another peculiarity of this attack is that ransomware was deployed in parallel, no doubt to create a diversion and better hide the wiper. This is the same strategy as in the January attack, dubbed WhisperGate, which also attempted to hide wiper-type malware behind ransomware. This new wiper, however, was designed to be much more devastating.