ESET researchers uncover a new wiper that attacks Ukrainian organizations and a worm component that spreads HermeticWiper in local networks
As the recent hostilities started between Russia and Ukraine, ESET researchers discovered several malware families targeting Ukrainian organizations.
- On February 23rd, 2022, a destructive campaign using HermeticWiper targeted multiple Ukrainian organizations.
- This cyberattack preceded, by a few hours, the start of the invasion of Ukraine by Russian Federation forces.
- Initial access vectors varied from one organization to another. We confirmed one case of the wiper being dropped by GPO, and uncovered a worm used to spread the wiper in another compromised network.
- Malware artifacts suggest that the attacks had been planned for several months.
- On February 24th, 2022, a second destructive attack against a Ukrainian governmental network started, using a wiper we have named IsaacWiper.
- ESET Research has not yet been able to attribute these attacks to a known threat actor.
Destructive attacks in Ukraine
As stated in this ESETResearch tweet and WLS blogpost, we uncovered a destructive attack against computers in Ukraine that started around 14:52 on February 23rd, 2022 UTC. This followed distributed denial-of-service (DDoS) attacks against major Ukrainian websites and preceded the Russian military invasion by a few hours.
These destructive attacks leveraged at least three components:
- HermeticWiper: makes a system inoperable by corrupting its data
- HermeticWizard: spreads HermeticWiper across a local network via WMI and SMB
- HermeticRansom: ransomware written in Go
HermeticWiper was observed on hundreds of systems in at least five Ukrainian organizations.
On February 24th, 2022, we detected yet another new wiper in a Ukrainian governmental network. We named it IsaacWiper and we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in an organization that was not affected by HermeticWiper.
Attribution
At this point, we have not found any tangible connection with a known threat actor. HermeticWiper, HermeticWizard, and HermeticRansom do not share any significant code similarity with other samples in the ESET malware collection. IsaacWiper is still unattributed as well.
Timeline
HermeticWiper and HermeticWizard are signed by a code-signing certificate (shown in Figure 1) assigned to Hermetica Digital Ltd issued on April 13th, 2021. We requested the issuing CA (DigiCert) to revoke the certificate, which it did on February 24th, 2022.
According to a report by Reuters, it seems that this certificate was not stolen from Hermetica Digital. It is likely that instead the attackers impersonated the Cypriot company in order to get this certificate from DigiCert.
ESET researchers assess with high confidence that the affected organizations were compromised well in advance of the wiper’s deployment. This is based on several facts:
- HermeticWiper PE compilation timestamps, the oldest being December 28th, 2021
- The code-signing certificate issue date of April 13th, 2021
- Deployment of HermeticWiper through GPO in at least one instance suggests the attackers had prior access to one of that victim’s Active Directory servers
The events are summarized in the timeline in Figure 2.
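The compile-timestamp argument above rests on reading the COFF header's TimeDateStamp field and comparing it with the certificate issue date and the attack start. The following added example (written for this page, not ESET's tooling) does that with nothing but the standard library, so it also works on damaged samples where only the headers survive. The stub PE it builds is constructed for illustration: it carries the oldest timestamp the article cites (December 28th, 2021) but is not an executable and is not derived from any HermeticWiper sample.

```python
import struct
from datetime import datetime, timezone

# Reference dates stated in the article
CERT_ISSUED = datetime(2021, 4, 13, tzinfo=timezone.utc)
ATTACK_START = datetime(2022, 2, 23, 14, 52, tzinfo=timezone.utc)


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime.

    Only the DOS header (e_lfanew at offset 0x3C) and the COFF file header
    (TimeDateStamp is 8 bytes past the 'PE\\0\\0' signature) are read.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_stub_pe(stamp: int) -> bytes:
    """Constructed minimal header: MZ stub, e_lfanew, PE signature, COFF header.

    Not a runnable executable; just enough structure for pe_compile_time().
    """
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header at 0x40
    # Machine=i386, 0 sections, TimeDateStamp, no symbols, no optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def lead_time(sample: bytes) -> dict:
    """Relate a sample's compile time to the certificate and attack dates."""
    built = pe_compile_time(sample)
    return {
        "compiled": built.isoformat(),
        "after_cert_issue": built >= CERT_ISSUED,
        "days_before_attack": (ATTACK_START - built).days,
    }


if __name__ == "__main__":
    # 1640649600 is 2021-12-28T00:00:00Z, the oldest timestamp the article cites
    print(lead_time(build_stub_pe(1640649600)))
```

Timestamps are attacker-controlled and trivially forged, so on their own they only support the assessment; the article's argument is the agreement between the timestamp, the certificate issue date and the observed GPO deployment.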
Initial access
HermeticWiper
The initial access vector is currently unknown, but we have observed artifacts of lateral movement inside the targeted organizations. In one entity, the wiper was deployed through the default domain policy (GPO), as shown by its path on the system:
C:\Windows\system32\GroupPolicy\DataStore
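The GroupPolicy\DataStore directory is the local cache of SYSVOL policy content on a domain-joined host, so an executable launched from beneath it was delivered by Group Policy. The added example below (not ESET's code) turns that artifact into a hunting query over process-creation telemetry. The Sysmon-style event lines, the domain name and the bracketed GUID placeholder are all constructed for the example; legitimate GPO-deployed software also runs from this location, so a hit is a pivot for review, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Local SYSVOL cache; anything executed from here arrived via Group Policy.
GPO_CACHE = PureWindowsPath(r"C:\Windows\System32\GroupPolicy\DataStore")
EXECUTABLE_EXT = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js"}

# Constructed Sysmon Event ID 1 (process creation) excerpts; not real telemetry.
SAMPLE_EVENTS = [
    "UtcTime: 2022-02-23 14:52:10|Image: C:\\Windows\\System32\\svchost.exe"
    "|ParentImage: C:\\Windows\\System32\\services.exe",
    "UtcTime: 2022-02-23 14:52:31|Image: C:\\WINDOWS\\system32\\GroupPolicy\\DataStore"
    "\\0\\sysvol\\example.test\\Policies\\{00000000-PLACEHOLDER-GUID}\\Machine\\sample.exe"
    "|ParentImage: C:\\Windows\\System32\\gpscript.exe",
    "UtcTime: 2022-02-23 14:53:02|Image: C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"
    "|ParentImage: C:\\Windows\\explorer.exe",
]

FIELD_RE = re.compile(r"(\w+): ([^|]*)")


def parse_event(line: str) -> dict:
    """Split a 'Key: value|Key: value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_gpo_cached_binary(image: str) -> bool:
    """True if image is an executable type located under the GPO DataStore cache."""
    p = PureWindowsPath(image)
    if p.suffix.lower() not in EXECUTABLE_EXT:
        return False
    # NTFS paths are case-insensitive, so compare lowercased path components.
    parts = [c.lower() for c in p.parts]
    prefix = [c.lower() for c in GPO_CACHE.parts]
    return parts[:len(prefix)] == prefix


def flag_gpo_deployed_executions(lines) -> list:
    """Return the process-creation events whose Image sits in the GPO cache."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "")
        if is_gpo_cached_binary(image):
            hits.append({"time": ev.get("UtcTime"), "image": image,
                         "parent": ev.get("ParentImage")})
    return hits


if __name__ == "__main__":
    for hit in flag_gpo_deployed_executions(SAMPLE_EVENTS):
        print(hit)
```

The extension filter keeps ordinary policy files such as Registry.pol out of the results; the point of the check is executables, which is what a wiper pushed by a startup script looks like in the cache.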