A new wiper malware sample was found installed on hundreds of computers, impacting a number of organizations in Ukraine, said researchers. The discovery of the wiper attacks preceded Russia’s military invasion of Ukraine, launched on Thursday.
While the full scale of the cyberattacks and their impact is unknown, the new form of disk-wiping malware was leveraged to attack organizations in Ukraine, including ones in the financial, defense, aviation and IT services sectors. The wiper, which researchers called HermeticWiper, was deployed on Wednesday, hours after a number of distributed denial-of-service (DDoS) attacks pushed websites of banks and government agencies in Ukraine offline.
“With an invasion now underway, there remains a high likelihood of further cyber attacks against Ukraine and other countries in the region,” said researchers with Symantec in a Thursday analysis.
Further analysis of the samples indicated that preparation for the wiper attacks may have been underway for months before the incident itself, with malicious activity potentially starting as early as November 2021 for some victims. For one victim, the attackers appeared to have gained initial access to the network on Dec. 23, 2021, through malicious SMB activity against a Microsoft Exchange server, which then was followed by credential theft and the installation of a webshell over the following weeks, according to Symantec researchers. Jean-Ian Boutin, head of threat research with ESET, said on Thursday afternoon that based on their telemetry, the attacks are no longer ongoing.
The wiper malware targets the Master Boot Record (MBR) of the infected computer, leaving it inoperable. Juan Andres Guerrero-Saade, principal threat researcher with SentinelLabs, said in a Thursday analysis that the wiper appears to be a custom-written application with “very few standard functions.”
“The developers are using a tried and tested technique of wiper malware, abusing a benign partition management driver, in order to carry out the more damaging components of their attacks,” said Guerrero-Saade. “Both the Lazarus Group (Destover) and APT33 (Shamoon) took advantage of Eldos Rawdisk in order to get direct userland access to the filesystem without calling Windows APIs. HermeticWiper uses a similar technique by abusing a different driver, empntdrv.sys.”
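The article describes the wiper's disk access going through a benign, signed partition-management driver (empntdrv.sys) rather than through Windows file APIs. From a defender's side, the observable is the driver load itself. The following is an added example, not code from Symantec, SentinelLabs or ESET: a small Python detector that evaluates driver-load records shaped like Sysmon Event ID 6 ("Driver loaded") and flags loads of watchlisted raw-disk drivers, drivers loaded from outside the system driver directory, and unsigned drivers. The sample events, the vendor string and the second watchlist entry (`example_rawdisk.sys`) are constructed placeholders; only `empntdrv.sys` comes from the article.

```python
"""Flag driver loads that match the pattern of wiper raw-disk access.

Added example. The record layout follows Sysmon Event ID 6 field names
(UtcTime, ImageLoaded, Signed, Signature); the events below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Driver file names reported as abused for raw disk access. empntdrv.sys is the
# driver named in the article; example_rawdisk.sys is a constructed placeholder.
WATCHLIST = {"empntdrv.sys", "example_rawdisk.sys"}

# Directory from which legitimately installed kernel drivers are normally loaded.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Constructed Sysmon-style driver-load events, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-02-23 16:52:01",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"UtcTime": "2022-02-23 16:52:10",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\empntdrv.sys",
     "Signed": "true", "Signature": "PlaceholderVendor"},
    {"UtcTime": "2022-02-23 16:52:11",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\disk_tool.sys",
     "Signed": "false", "Signature": "-"},
]


@dataclass
class Alert:
    time: str
    image: str
    reasons: Tuple[str, ...]


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert for a single driver-load record, or None if it looks benign."""
    image = event.get("ImageLoaded", "")
    reasons = []
    if basename(image) in WATCHLIST:
        reasons.append("watchlisted raw-disk driver")
    if not any(image.lower().startswith(d) for d in TRUSTED_DRIVER_DIRS):
        reasons.append("loaded outside the system driver directory")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    if reasons:
        return Alert(event.get("UtcTime", ""), image, tuple(reasons))
    return None


def scan(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Evaluate every record and collect the alerts in input order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.time, alert.image, "|", "; ".join(alert.reasons))
```

The watchlist match is the high-confidence signal: a signed partition-management driver appearing on a workstation that has no such tool installed deserves an immediate look, because the legitimate driver is what gives the wiper its direct disk access. The path and signature checks are lower-confidence and mainly catch drivers dropped alongside the payload.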
Researchers also observed what appeared to be ransomware being deployed against the affected organizations at the same time as HermeticWiper, which they said is likely being used as a decoy or distraction from the wiper attacks. This use of ransomware as a front for a more destructive wiper attack is reminiscent of WhisperGate, another wiper malware that targeted Ukrainian organizations and government agencies in January, as well as of the 2017 NotPetya attacks in Ukraine. The WhisperGate attacks came in conjunction with a number of cyberattacks against Ukrainian organizations in January, including one that led to several government websites being defaced.
At the same time, the U.S. government in January warned U.S. companies to be aware of Russian cyberattacks aimed at disabling or destroying critical infrastructure, such as power and communications. In recent guidance for U.S. companies, the Cybersecurity & Infrastructure Security Agency (CISA) outlined several steps that organizations can take to reduce the likelihood of a damaging cyber incident, including setting up measures for detection and ensuring that organizations are prepared if an intrusion occurs. That guidance is especially relevant because wiper malware has been found deployed beyond Ukraine this week: Symantec researchers said they also found evidence of wiper attacks against an organization in Lithuania, for instance.
Guerrero-Saade said that at a broader level, the attackers behind the wiper malware are looking to make a statement and create chaos in whatever environments they already have access to.
“Generally when we talk about wiper malware, it is meant mostly as a signaling tool,” said Guerrero-Saade. “Malware, by its nature, aims to go undetected - but with a wiper operation, it is precisely about creating havoc and making the victim notice that you have access. It’s important to keep that in mind when you look at any wiper.”