During the Russian invasion, a second malicious program, IsaacWiper, appeared after HermeticWiper. Both are aimed directly at Ukrainian organizations. The attacks also used the HermeticWizard malware for distribution in the local network and HermeticRansom as decoy ransomware.
In the wake of the Russian invasion of Ukraine, ESET researchers have discovered new wiper malware families used in targeted cyber attacks on Ukrainian organizations. The first cyberattack started a few hours before the Russian invasion with massive DDoS attacks against major Ukrainian websites. Some of the new types of malware were also used in the course of these attacks: HermeticWiper for data deletion, HermeticWizard for distribution in the local network and HermeticRansom as decoy ransomware.
DDoS attacks and HermeticWiper are just the beginning
With the start of the Russian invasion, a second attack began against a Ukrainian government network, also using a wiper. ESET researchers named this IsaacWiper. The malware artifacts indicate that the actions had been planned for several months. So far, the experts from the European IT security manufacturer have not been able to assign the attacks to a known hacker group. It cannot be ruled out that sooner or later the malware will also be used outside of Ukraine.
“We are currently investigating whether there is a connection between IsaacWiper and HermeticWiper. IsaacWiper was detected at a Ukrainian government organization that was not affected by HermeticWiper,” says Jean-Ian Boutin, ESET Head of Threat Research.
Attacks planned well in advance
The ESET researchers assume that the affected organizations were compromised long before the wiper was used. “This assessment is based on several facts: the HermeticWiper compilation timestamps, the oldest of which is December 28, 2021; the Code Signing Certificate issue date of April 13, 2021; and the deployment of HermeticWiper via the default domain policy in at least one case. This indicates that the attackers previously had access to one of the victim's Active Directory servers,” Boutin continued.
IsaacWiper appeared in ESET telemetry on February 24th. The oldest compilation timestamp found was October 19, 2021, which means that if the timestamp has not been tampered with, IsaacWiper may have been used months earlier in previous operations.
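The timestamp reasoning above (oldest build date across a sample set, read with the caveat that a stamp can be tampered with) can be reproduced in a triage script. The following Python is an added example, not code from ESET or from the report: it reads the COFF TimeDateStamp from a PE header, takes the earliest value across several samples, and flags a build time that post-dates the first-seen date or sits at the zero epoch as not plausible. The "samples" it parses are constructed byte strings containing only the header fields the parser reads, not real malware, and the first-seen date is the February 24 telemetry date from the text.

```python
import struct
from datetime import datetime, timezone

# Date the report gives for the first telemetry sighting, used as the upper bound
FIRST_SEEN = datetime(2022, 2, 24, tzinfo=timezone.utc)


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed stand-in for a PE file (not a real executable): an MZ header
    whose e_lfanew field points at the PE signature, followed by a COFF file
    header carrying the given TimeDateStamp. Only the fields read below are set."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data: bytes) -> datetime:
    """Return the linker's TimeDateStamp as a UTC datetime, or raise on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header follows the 4-byte signature; TimeDateStamp is 4 bytes into it
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def oldest_compile_time(samples) -> datetime:
    """Earliest build time in a sample set: the lower bound on when preparation began."""
    return min(pe_compile_time(s) for s in samples)


def stamp_is_plausible(compile_time: datetime, first_seen: datetime) -> bool:
    """A build time later than the first sighting, or at the zero epoch,
    cannot be genuine and should be treated as tampered or stripped."""
    return datetime.fromtimestamp(0, tz=timezone.utc) < compile_time <= first_seen


if __name__ == "__main__":
    # Constructed stamps: 2021-12-28 and 2022-02-16 (UTC)
    samples = [build_sample_pe(1645000000), build_sample_pe(1640649600)]
    oldest = oldest_compile_time(samples)
    print("oldest build:", oldest.isoformat(),
          "plausible:", stamp_is_plausible(oldest, FIRST_SEEN))
```

On real files the same parser applies to the whole sample set; only the builder of the constructed input would be replaced by reading the files from disk.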
Another wave of attacks with IsaacWiper
Just one day after first using IsaacWiper, the attackers released a new version with debug logs. This could indicate that the attackers were unable to wipe some of the targeted machines and added log messages to understand what happened. ESET researchers have not been able to link these attacks to a known threat actor, as there are no significant code similarities to other samples in the ESET malware collection.
HermeticWiper spreads in attacked organizations
In the case of HermeticWiper, ESET observed evidence of lateral movement of the malware within the targeted organizations and determined that the attackers likely took control of an Active Directory server. A custom worm, which ESET researchers dubbed HermeticWizard, was used to spread the wiper on the compromised networks. For the second wiper, IsaacWiper, the attackers used RemCom, a remote access tool, and possibly Impacket to move inside the network.
Also, HermeticWiper erases itself from disk by overwriting its own file with random bytes. This anti-forensic measure is probably intended to prevent analysis of the wiper after an incident. The decoy ransomware HermeticRansom was deployed at the same time as HermeticWiper, possibly to obfuscate the wiper's actions.
The term "Hermetic" is derived from Hermetica Digital Ltd., a Cypriot company to which the Code Signing Certificate was issued. According to a Reuters report, this certificate appears not to have been stolen from Hermetica Digital. Rather, it is more likely that the attackers posed as the Cypriot company in order to obtain the certificate from DigiCert. ESET Research asked the issuing company, DigiCert, to revoke the certificate immediately.
Timeline of the cyber attacks on Ukraine
- On February 23, HermeticWiper malware (along with HermeticWizard and HermeticRansom) was deployed against several Ukrainian government agencies and organizations. This cyber attack came just hours before the start of the Russian invasion of Ukraine.
- HermeticWiper erases itself from disk by overwriting its own file. This procedure is intended to make the analysis of the incident more difficult.
- HermeticWiper is distributed on compromised local area networks by a custom worm we have named HermeticWizard.
- On February 24, a second wave of attacks began, targeting a Ukrainian government network and also using a wiper, which ESET calls IsaacWiper.
- On February 25, the attackers released a new version of IsaacWiper with debug logs indicating that they were unable to wipe some of the targeted computers.
- Analysis results indicate that the attacks had been planned for several months.
- ESET security experts have not yet been able to assign these attacks to any hacker group.
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.