By Staff Writer.
Threat actors are using data wiping malware named HermeticWiper to attack government and non-government organisations inside Ukraine. The online attack coincides with Russian troops moving into the country.
Cybersecurity firm ESET Research discovered the malware on Wednesday. ESET telemetry revealed that the attackers have installed the malware on hundreds of machines in Ukraine. The discovery followed a distributed denial-of-service (DDoS) attack earlier in the day that targeted government and banking organisations inside the country.
ESET says the wiper abuses legitimate drivers from the EaseUS Partition Master software to corrupt data. The malware corrupts the master boot record (MBR) of physical drives and every partition on those drives.
The cybersecurity firm adds that the wiper was dropped via the Default Domain Policy GPO in at least one of the targeted organisations, meaning that attackers had likely taken control of the Active Directory server.
While ESET uncovered the malware mid-afternoon on Wednesday (UTC time), they note the portable executable (PE) compilation timestamp of one of the malware samples is December 28, 2021, indicating a substantial timeline and level of planning for this attack.
This is the second significant malware attack aimed at Ukraine this year. In January, threat actors used wiper malware called WhisperGate to deface Ukrainian government websites.
Lavi Lazarovitz, Head of Security Research at CyberArk Labs, says HermeticWiper isn’t your average piece of malware.
“Our team has identified a few specific characteristics that make this malware unique, including that the attacks so far have been very targeted in nature and that the infections seen to date leverage compromised identities to move laterally, all leading to the potential for a strong initial foothold based on their nature,” he says.
Lazarovitz notes the malware does not leverage supply chain vulnerabilities or other super-spreader techniques, suggesting that the malware will not spread quickly. He highlights the reported case where the cyber-attackers had privileged access to the target’s Active Directory. He says that’s relatively unusual, but has been seen before in targeted human-operated incidents like the 2021 REvil group attack on Kaseya.
“It’s important to note that the wiper leverages high privileges on the compromised host to make the host ‘unbootable’ by overriding the boot records and configurations, erasing device configurations, and deleting backups,” Lazarovitz adds.
“It appears that the wiper is configured not to encrypt domain controllers – that is, to keep the domain running and allow the ransomware to use valid credentials to authenticate to servers and encrypt those. This further highlights that the threat actors use compromised identities to access the network and/or move laterally.”
Cybersecurity company Symantec also came across HermeticWiper this week as it monitored the unfolding military and cyber threat situation in Ukraine.
They say targets included organisations in the financial, defence, aviation, and IT services sectors. Symantec also notes there is evidence of wiper attacks in Lithuania but adds the malware does not seem to have any functionality beyond its destructive capabilities.
While suspicions fall on Russia or Russian backed threat actors, HermeticWiper is yet to be attributed to a specific group.
“Initial indications suggest that the attacks may have been in preparation for some time,” adds Symantec. “Temporal evidence points to potentially related malicious activity beginning as early as November 2021. However, we are continuing to review and verify findings.”