Warfare on the ground has its counterpart in cyberspace. Evidence of this is the cyberattacks identified in recent days against Ukrainian and Russian organizations. Most recently, a new attack with destructive intent targeting computers in Ukraine was identified; it began on February 23, 2022.
It followed the distributed denial of service (DDoS) attacks against some of Ukraine's main websites and came a few hours before the Russian military invasion, according to ESET, the security company that identified and reported the incident.
These destructive attacks used at least three components: HermeticWiper (detected on hundreds of systems in at least five Ukrainian organizations), which renders a system inoperable by corrupting its data; HermeticWizard, which spreads HermeticWiper across a local network via WMI and SMB; and HermeticRansom, ransomware written in Go.
On February 24, 2022, the research team detected another new wiper (malware that erases a system's data) on a Ukrainian government network. They named it IsaacWiper. It comes as a Windows DLL or EXE file with no Authenticode signature, and according to the research IsaacWiper may have been used in earlier operations months before.
On February 25, 2022, the attackers deployed a new version of IsaacWiper with debug logging. This may indicate that the attackers were unable to wipe some of the targeted machines and added log messages to understand what was happening.
“This report details what was a destructive cyberattack that hit Ukrainian organizations on February 23, 2022 and a second attack that hit a different Ukrainian organization and occurred from February 24-26, 2022. At this time, we have no indication that other countries have been attacked. However, due to the ongoing crisis in Ukraine, there is still a risk that the same threat actors will launch new campaigns against countries that back the Ukrainian government or that sanction Russian entities,” the research team concludes.
ESET is still evaluating IsaacWiper's links, if any, with HermeticWiper. Notably, IsaacWiper was detected in an organization that had not been affected by HermeticWiper. So far, it shares no significant code similarity with any other sample in the company's malware collection.
“It has no code similarity to HermeticWiper and is much less sophisticated. Given the timeline of events, it’s possible the two are related, but we haven’t found any solid connection yet that allows us to affirm it,” ESET says.
HermeticWiper and HermeticWizard were signed with a code-signing certificate issued to Hermetica Digital Ltd on April 13, 2021. ESET asked the issuing certificate authority, DigiCert, to revoke the certificate, which it did on February 24, 2022. According to a Reuters report, the certificate does not appear to have been stolen from Hermetica Digital; rather, the attackers probably impersonated the Cypriot company to obtain it from DigiCert.
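A revoked code-signing certificate gives defenders something concrete to hunt for. The following PowerShell script is an added example, not code from ESET or from the report: it walks a set of directories, reads each PE file's Authenticode signature with the built-in Get-AuthenticodeSignature cmdlet, and reports binaries whose signer subject contains "Hermetica Digital Ltd" (the subject named on the page) or whose signature no longer validates. The scan paths and the output shape are assumptions chosen for illustration.

```powershell
# Added example (not from the ESET report): hunt for PE files signed with the
# Hermetica Digital Ltd certificate, or signed with a certificate that no longer validates.
# The scan paths below are illustrative; adjust them for the environment being checked.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:ProgramData", "$env:TEMP"),
    [string]$SuspectSigner = 'Hermetica Digital Ltd'   # signer subject named in the ESET report
)

$findings = foreach ($path in $Paths) {
    Get-ChildItem -Path $path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            $suspect = [bool]($signer -and $signer -like "*$SuspectSigner*")

            # 'NotSigned' on its own is common for legitimate software, so it is not reported here;
            # IsaacWiper, for example, carries no signature at all and needs other indicators.
            # A signed file whose certificate has since been revoked returns a Status other than
            # 'Valid', which is the second condition below.
            if ($suspect -or ($signer -and $sig.Status -ne 'Valid')) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    Status        = $sig.Status
                    StatusMessage = $sig.StatusMessage
                    Signer        = $signer
                    Thumbprint    = $sig.SignerCertificate.Thumbprint
                    SuspectSigner = $suspect
                }
            }
        }
}

# Suspect-signer hits first, then other non-validating signatures.
$findings | Sort-Object SuspectSigner -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. First, revocation checking needs the host to reach the CA's CRL or OCSP endpoints; on an isolated machine the status can come back as valid or as an unknown error rather than as revoked. Second, Windows honours the timestamp counter-signature: if the CA sets the revocation's effective date after the time at which a sample was timestamped, that sample's signature can still validate, so the signer-name match is the more reliable of the two checks.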
The researchers state that the affected organizations had been compromised long before the wipers were deployed.
The researchers also detected HermeticRansom, ransomware written in Go, used in attacks in Ukraine at the same time the HermeticWiper campaign was running. HermeticRansom was first reported in the early hours of February 24, 2022 UTC, via a tweet.