Infosec leaders should pay attention to two newly-found data wipers used against organizations in Ukraine in case the threat groups behind them turn these weapons against other countries.
The malware have been dubbed HermeticWiper and IsaacWiper by researchers at ESET, which published a report today on the discoveries.
HermeticWiper was executed against multiple Ukrainian organizations on February 23rd, just hours before troops from Russia invaded that country. The next day IsaacWiper, which has different code, was launched against a Ukrainian government network.
ESET can’t attribute these attacks to a known threat actor or threat actors. However, in an interview today Alexis Doras-Joncas, head of ESET’s Montreal research and development office, said that given the fact that these are new pieces of malware aimed at Ukraine, the odds are more likely they came from a Russian or Russian sympathizing threat actor than anyone else.
ESET’s Montreal team is part of the cybersecurity company’s group of researchers who are investigating the two pieces of wiperware.
Doras-Joncas said IT leaders should at least test their current security postures against the indicators of compromise included in the ESET report. “It’s not a silver bullet, but at least it confirms their [cybersecurity] solutions properly protect against that malware.”
In addition, he added, infosec teams need to pay attention to alarms set off by their systems. “Oftentimes in general cyber-attacks, we’ll see ransomware executed in a network and there were signs days or even weeks leading to that event, but nobody paid attention to suspicious activity that the network was compromised.” Then suddenly the ransomware is deployed.
HermeticWiper is actually a family of “Hermetic” malware, which includes HermeticWizard (a worm for spreading HermeticWiper across an internal network) and HermeticRansom (ransomware written in the Go language). HermeticRansom was described last week by researchers at Avast.
Doras-Joncas said it isn’t immediately clear why a ransomware component was created, unless it is to divert attention away from the destructive wiperware eating away at another part of a network.
The Hermetic family gets its name from the use of a code-signing certificate assigned by DigiCert to a company in Cyprus called Hermetica Digital. ESET quotes a report from Reuters that says this certificate was likely obtained by the threat actor tricking DigiCert, as opposed to stealing it.
Acting on a request from ESET, DigiCert revoked the certificate on February 24th.
HermeticWiper has been seen on hundreds of computers in at least five Ukrainian organizations, ESET said, and likely was there long before it was executed on February 24th.
It isn’t known how the five organizations were initially compromised. However, in at least one instance HermeticWiper was deployed through a group policy object via Windows Active Directory. That suggests the threat actor must have had access to that victim’s Active Directory servers.
HermeticWiper uses four drivers from the EaseUS Partition Master for its operations. It disables Windows’ Volume Shadow Copy Service before wiping data, then wipes evidence of itself from disks.
The report says little about IsaacWiper, other than it uses the known Isaac algorithm to encrypt data.
This isn’t the first report on wiper malware used in Ukraine. In January Microsoft issued a report on destructive malware designed to look like ransomware that it calls WhisperGate that hit multiple government, non-profit, and information technology organizations in Ukraine. The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note. The ransomware note is a ruse; what’s really going on is the malware destructs MBR and the contents of the files it targets.
Also on Tuesday the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued an updated alert on wiper malware used against Ukraine. It includes recommended mitigations.