Alongside its attacks on the country, Russia is also waging a veritable cyber offensive. The country appears to have prepared this part of its war well in advance, as evidenced by the use of a brand-new wiper. It was reported by cybersecurity researchers at Symantec and ESET and named HermeticWiper (Symantec detects it as Trojan.Killdisk).
This time the intention is neither to temporarily disrupt certain services nor to spread disinformation, but to destroy data. A wiper is a particular type of malware whose sole function is to erase the contents of the hard drive, deleting files and damaging the structures the system needs in order to boot. The machine therefore can no longer start without a complete reinstallation. The malware notably hit financial institutions and companies working for the government, and not only in Ukraine: organizations in Latvia and Lithuania were also victims of the wiper.
Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n
– ESET research (@ESETresearch) February 23, 2022
An attack that targets organizations’ computer networks
HermeticWiper was so named because its executable is signed with a code-signing certificate issued to Hermetica Digital Ltd. Specialists are still analyzing the program, but they have established that it abuses a legitimate, signed disk-management driver from EaseUS Partition Master, installed as a Windows service, to obtain low-level access to the disk: because the driver carries a valid signature, it loads without tripping Windows driver-signature enforcement. The wiper then corrupts files on the disk and damages the partition table and the Master Boot Record (MBR), the boot area of the disk. The final step is to reboot the machine, which can no longer start.
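To make concrete what "damaging the partition table and the MBR" leaves behind, here is an added example written for this article, not code from it or from the ESET or Symantec analyses: a PowerShell function that parses a 512-byte sector zero using the standard MBR layout (446 bytes of boot code, four 16-byte partition entries at offset 0x1BE, boot signature 0x55 0xAA at 0x1FE) and reports whether the signature, boot code and partition entries are intact. The function name, the two constructed sample sectors and the image path are the author's own.

```powershell
# Added example (not from the article): parse sector 0 of a disk or disk image and
# report whether its MBR and partition table are still intact. Offsets follow the classic
# MBR layout: 446 bytes of boot code, four 16-byte partition entries at 0x1BE, and the
# 0x55 0xAA boot signature at 0x1FE. Function and parameter names are the author's own.

function Test-MbrSector {
    param([Parameter(Mandatory)][byte[]]$Sector)

    if ($Sector.Length -lt 512) { throw "An MBR is 512 bytes; got $($Sector.Length)" }

    $bootCode = $Sector[0..445]
    $partitions = for ($i = 0; $i -lt 4; $i++) {
        $off  = 0x1BE + 16 * $i
        $type = $Sector[$off + 4]
        if ($type -eq 0) { continue }             # empty slot
        [pscustomobject]@{
            Slot     = $i
            Bootable = ($Sector[$off] -eq 0x80)
            Type     = '0x{0:X2}' -f $type        # 0x07 NTFS, 0xEE protective MBR (GPT disk), ...
            StartLba = [BitConverter]::ToUInt32($Sector, $off + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $off + 12)
        }
    }

    [pscustomobject]@{
        SignatureValid  = ($Sector[0x1FE] -eq 0x55 -and $Sector[0x1FF] -eq 0xAA)
        BootCodePresent = [bool]($bootCode | Where-Object { $_ -ne 0 } | Select-Object -First 1)
        PartitionCount  = @($partitions).Count
        Partitions      = @($partitions)
    }
}

# Constructed sample: a healthy MBR with one bootable NTFS partition starting at LBA 2048.
$good = New-Object byte[] 512
$good[0] = 0x33; $good[1] = 0xC0                  # xor ax,ax: stand-in for real boot code
$good[0x1BE] = 0x80                               # slot 0 status: bootable
$good[0x1C2] = 0x07                               # slot 0 type: NTFS
[BitConverter]::GetBytes([uint32]2048).CopyTo($good, 0x1C6)     # slot 0 start LBA
[BitConverter]::GetBytes([uint32]204800).CopyTo($good, 0x1CA)   # slot 0 sector count
$good[0x1FE] = 0x55; $good[0x1FF] = 0xAA

# Constructed sample: the same sector after the MBR and partition table were overwritten.
# Zeros here; random bytes would fail the signature check just as surely.
$wiped = New-Object byte[] 512

Test-MbrSector $good  | Format-List   # SignatureValid True, one NTFS partition
Test-MbrSector $wiped | Format-List   # SignatureValid False, PartitionCount 0

# To check a real artefact, read sector 0 from a forensic image (or, as administrator,
# from \\.\PhysicalDrive0) and pass the bytes in. Path is hypothetical.
# $fs = [IO.File]::OpenRead('C:\evidence\disk.img'); $buf = New-Object byte[] 512
# [void]$fs.Read($buf, 0, 512); $fs.Close(); Test-MbrSector $buf
```

Work from an image rather than the live disk where possible, and remember that on a GPT-partitioned system sector 0 only holds a protective MBR (type 0xEE): an intact result there says nothing about the GPT header and entries that follow it.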
In at least one of the attacks, the hackers did not target computers one by one: they used the domain controller directly to distribute the wiper. "In one of the targeted organizations, the wiper was installed through the default GPO (domain policy), meaning the attackers had likely taken control of the Active Directory server," ESET asserted in a series of tweets.
Update on #wiper attacks against #ukraine. In some attacks ransomware was also deployed against affected organizations at the same time as the wiper, likely as a decoy or distraction. https://t.co/FponqLk5Vu IOC: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382
— Threat Intelligence (@threatintel) February 24, 2022
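Two facts in the paragraphs and tweets above are directly actionable for an incident responder: the deployment channel (the Default Domain Policy) and the published SHA-256 hash. The following PowerShell triage script is an added example written for this article, not tooling from ESET or Symantec. It reports when the default domain GPO was last modified, lists recently written or executable files under its SYSVOL folder (where Group Policy Preferences scheduled tasks and startup scripts live), and hashes those files against the IOC quoted in the tweet. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the default domain policy still carries its well-known GUID, and the seven-day window is an arbitrary choice.

```powershell
# Added example (not from the article or from ESET/Symantec): triage a domain for the two
# artefacts described above -- a tampered Default Domain Policy and files matching the
# published IOC. Run on a domain-joined host with RSAT (GroupPolicy, ActiveDirectory).
# Assumptions: the default domain GPO still has its well-known GUID
# {31B2F340-016D-11D2-945F-00C04FB984F9}; $LookBackDays is an arbitrary choice.

Import-Module GroupPolicy
Import-Module ActiveDirectory

# SHA-256 IOC quoted in the Symantec tweet above (the only hash given in the article)
$KnownBadSha256 = @(
    '4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382'
)
$LookBackDays = 7
$Since = (Get-Date).AddDays(-$LookBackDays)

$domain = Get-ADDomain
$gpo    = Get-GPO -Guid '31B2F340-016D-11D2-945F-00C04FB984F9' -Domain $domain.DNSRoot

# 1. Has the default domain policy been changed recently? Pushing a wiper through it means
#    the GPO itself was edited, which bumps ModificationTime and the version counters.
[pscustomobject]@{
    Gpo              = $gpo.DisplayName
    ModificationTime = $gpo.ModificationTime
    ComputerVersion  = $gpo.Computer.DSVersion
    UserVersion      = $gpo.User.DSVersion
    RecentlyModified = ($gpo.ModificationTime -gt $Since)
} | Format-List

# 2. What changed? Policy files live in SYSVOL. List recently written files under this GPO,
#    plus the places a binary can be launched from: Group Policy Preferences scheduled
#    tasks (ScheduledTasks.xml), startup scripts (Scripts.ini / psscripts.ini), and any
#    executable content dropped alongside them.
$gpoPath   = Join-Path "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies" "{$($gpo.Id)}"
$launchers = 'ScheduledTasks.xml', 'Scripts.ini', 'psscripts.ini'
$binaries  = '.exe', '.dll', '.sys', '.bat', '.cmd', '.ps1'

$files = Get-ChildItem -Path $gpoPath -Recurse -File
$files |
    Where-Object { $_.LastWriteTime -gt $Since -or $_.Name -in $launchers -or $_.Extension -in $binaries } |
    Select-Object FullName, LastWriteTime, Length |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize

# 3. Hash everything in the GPO folder and compare with the IOC list. Hashes are compared
#    lower-case because Get-FileHash returns upper-case hex.
foreach ($f in $files) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
    if ($hash -in $KnownBadSha256) {
        Write-Warning "IOC match: $($f.FullName) ($hash)"
    }
}
```

A recent modification time on its own is not proof of compromise; confirm who made the change through Directory Service Changes auditing on the domain controllers (event ID 5136 against the groupPolicyContainer object), and open any flagged ScheduledTasks.xml to see what command it launches and under which account. Because the wiper destroys the hosts it runs on, SYSVOL replicas on domain controllers that were not wiped are often the surviving copy of this evidence.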
An offensive prepared in advance
The malware's authors appear to have been planning the attack for months. One of the samples carries a compilation date of December 28, 2021 (a timestamp the compiler writes into the executable, which an author can alter, so it is indicative rather than proof). Moreover, an organization in Lithuania was targeted by HermeticWiper as early as Tuesday, February 22, and the ground there had been prepared well in advance: the first traces of intrusion into its network date back to November 12, 2021, after which the attackers took no visible action for several months until the wiper was deployed.
Another peculiarity of this attack is that ransomware was deployed in parallel, presumably as a diversion to better hide the wiper. This is the same strategy as the January attack, dubbed WhisperGate, which also tried to disguise wiper malware as ransomware. This new wiper, however, was designed to be far more devastating.