Another round of ‘wiper’ malware appears in Ukrainian networks
Security researchers detected new destructive malware spreading in Ukraine on Wednesday, following evidence of distributed denial-of-service disruptions for government agencies — both of which overlapped with the beginnings of a Russian invasion.
ESET said the data-wiping malware it has dubbed “HermeticWiper” was “installed on hundreds of machines in the country,” and there were signs that the attackers had been preparing for almost two months.
Silas Cutler, principal reverse engineer and resident hacker at Stairwell, said that the wiper damages a system’s master boot record, the first sector of a disk that tells a machine how to start up. That’s similar to malware known as WhisperGate that was used in an attack in January in Ukraine.
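To make concrete what damaging the master boot record means for a machine, here is an added example that is not code from the article or from any of the researchers quoted in it. It parses the first 512-byte sector of a disk image (boot code, the four-entry partition table, and the 0x55AA boot signature) and flags the signs a zeroed or corrupted MBR leaves behind, the kind of check an incident responder runs on a disk image before deciding whether a host can be recovered. The MBRs it examines are constructed inline; the example does not reproduce HermeticWiper's own technique, only the generic structure of the sector a wiper of this kind destroys.

```python
"""Parse and sanity-check a Master Boot Record (MBR) read from a disk image.

Added example with constructed MBRs; it is not a sample from the incident.
"""
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510..511 of a bootable MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, four partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4),
        # little-endian; the CHS fields are skipped because modern loaders use LBA.
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", sector[off:off + 16])
        partitions.append({"active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:PARTITION_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def assess_mbr(sector: bytes) -> list:
    """Return human-readable findings; an empty list means the MBR looks bootable."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not any(mbr["boot_code"]):
        findings.append("boot code area is all zeros")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if not used:
        findings.append("partition table is empty")
    for i, p in enumerate(mbr["partitions"]):
        if p["type"] != 0 and (p["sectors"] == 0 or p["lba_start"] == 0):
            findings.append(f"partition {i}: type 0x{p['type']:02x} but zero start/length")
    if sum(p["active"] for p in mbr["partitions"]) > 1:
        findings.append("more than one partition flagged active")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed, healthy MBR: one active NTFS (type 0x07) partition at LBA 2048."""
    # A JMP/NOP stand-in for real boot code; any nonzero content serves the check.
    boot_code = b"\xeb\x3c\x90" + b"\x90" * (PARTITION_TABLE_OFFSET - 3)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + bytes(16 * 3)      # remaining three entries unused
    return boot_code + table + BOOT_SIGNATURE


def build_table_cleared_mbr() -> bytes:
    """Constructed MBR whose partition table was overwritten but whose signature survived."""
    healthy = build_sample_mbr()
    return healthy[:PARTITION_TABLE_OFFSET] + bytes(64) + BOOT_SIGNATURE


if __name__ == "__main__":
    cases = [
        ("healthy", build_sample_mbr()),
        ("first sector zeroed", bytes(MBR_SIZE)),   # what a sector-zeroing wiper leaves
        ("partition table cleared", build_table_cleared_mbr()),
    ]
    for name, sector in cases:
        print(f"{name}: {assess_mbr(sector) or ['ok']}")
```

On a real image, read the first 512 bytes of the device or image file and pass them to `assess_mbr`; a zeroed first sector triggers all three structural findings at once, while a partial overwrite that preserves the signature is only caught by the partition-table and boot-code checks, which is why the function does not stop at the signature.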
Broadcom Software’s Symantec, too, observed the wiper in action, and Vikram Thakur, technical director at Symantec Threat Intelligence, confirmed to CyberScoop that it has seen it in Latvia and Lithuania as well. Thakur said Symantec had seen targets among the finance sector and government contractors.
Juan-Andres Guerrero-Saade, principal threat researcher at SentinelOne, said the wiper appeared to be more dangerous than the malware uncovered in January. “They’re using multiple redundant methods to trash the systems,” he wrote to CyberScoop. “Much more concerted than WhisperGate or any of the wipers we’ve seen recently.”
None of the researchers on Wednesday named specific victims or targets, or attributed who was behind the malware.
“We cannot comment specifically on the targets to protect the victims, but these were large organizations that have been affected,” Jean-Ian Boutin, head of threat research at Slovakia-based ESET, said in an email to CyberScoop. “We also cannot give attribution based on information that is available to us but the attack appears to be related to the ongoing crisis in Ukraine. We assume that the malware was successful in its wiping capability and that the affected machines were wiped.”
The wiper discovery added to a chaotic day of conflict in Ukraine. It also continued a cycle of attacks on the country’s digital infrastructure, including DDoS disruptions of banking and government websites. The earlier wiper that researchers found in Ukrainian government systems in January, WhisperGate, also bore similarities to the NotPetya malware that caused billions in damage worldwide.
White House press secretary Jen Psaki said Wednesday the U.S. has been in touch with Ukraine about the cyber-incidents there, the same day the U.K. and U.S. warned about the Russian hacker group Sandworm retooling. Ukraine Cyberpolice said the digital assaults have taken on a sustained pace there, and directly blamed Russia for some of the attacks.
“DDOS attacks have been going on continuously since February 15,” the organization said in a statement. “At the same time, phishing attacks on public authorities and critical infrastructure, the spread of malicious software, and attempts to penetrate private and public sector networks have intensified.”
The police continued: “Attackers use botnets for phishing and DDOS attacks, which Ukrainian intelligence services identify as linked to hacker groups supported by the Russian government.”
Accompanying those attacks are reports of threatening text messages to Ukrainian soldiers, layering on additional dimensions of multi-front hostilities.
AJ Vicens contributed to this story.
Updated, 2/23/22: to include additional information from ESET, SentinelOne and Symantec.
This story was featured in CyberScoop Special Report: War in Ukraine