New wiper malware used against Ukraine could be used against other targets


Infosec leaders should pay attention to two newly-found data wipers used against organizations in Ukraine in case the threat groups behind them turn these weapons against other countries.

The two pieces of malware have been dubbed HermeticWiper and IsaacWiper by researchers at ESET, which published a report today on the discoveries.

HermeticWiper was executed against multiple Ukrainian organizations on February 23rd, just hours before troops from Russia invaded that country. The next day IsaacWiper, which has different code, was launched against a Ukrainian government network.

ESET can’t attribute these attacks to a known threat actor or threat actors. However, in an interview today Alexis Dorais-Joncas, head of ESET’s Montreal research and development office, said that given that these are new pieces of malware aimed at Ukraine, the odds are that they came from a Russian or Russian-sympathizing threat actor rather than anyone else.

ESET’s Montreal team is part of the cybersecurity company’s group of researchers who are investigating the two pieces of wiperware.

Dorais-Joncas said IT leaders should at least test their current security postures against the indicators of compromise included in the ESET report. “It’s not a silver bullet, but at least it confirms their [cybersecurity] solutions properly protect against that malware.”

In addition, he added, infosec teams need to pay attention to alarms set off by their systems. “Oftentimes in general cyber-attacks, we’ll see ransomware executed in a network and there were signs days or even weeks leading to that event, but nobody paid attention to suspicious activity that the network was compromised.” Then suddenly the ransomware is deployed.

HermeticWiper is actually a family of “Hermetic” malware, which includes HermeticWizard (a worm for spreading HermeticWiper across an internal network) and HermeticRansom (ransomware written in the Go language). HermeticRansom was described last week by researchers at Avast.

Dorais-Joncas said it isn’t immediately clear why a ransomware component was created, unless it is to divert attention away from the destructive wiperware eating away at another part of a network.

The Hermetic family gets its name from the use of a code-signing certificate assigned by DigiCert to a company in Cyprus called Hermetica Digital. ESET quotes a report from Reuters that says this certificate was likely obtained by the threat actor tricking DigiCert, as opposed to stealing it.

Acting on a request from ESET, DigiCert revoked the certificate on February 24th.

HermeticWiper has been seen on hundreds of computers in at least five Ukrainian organizations, ESET said, and likely was there long before it was executed on February 24th.

It isn’t known how the five organizations were initially compromised. However, in at least one instance HermeticWiper was deployed through a group policy object via Windows Active Directory. That suggests the threat actor must have had access to that victim’s Active Directory servers.

HermeticWiper uses four drivers from the EaseUS Partition Master for its operations. It disables Windows’ Volume Shadow Copy Service before wiping data, then wipes evidence of itself from disks.
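The two preparatory steps just described, a legitimate partition-management driver being installed and the Volume Shadow Copy Service being disabled, both leave traces in the Windows System event log. The following script is an added example, not code from the ESET report or from IT World Canada: it correlates those traces per host using the real Service Control Manager event IDs 7045 (service installed), 7040 (service start type changed) and 7036 (service state changed). The log lines, host names and driver file name in it are constructed for illustration and are not indicators from the report.

```python
"""Flag hosts where the Volume Shadow Copy Service was disabled or stopped
and a kernel-mode driver service was installed within a short window.

Event IDs (Service Control Manager, Windows System log):
  7045  a service was installed in the system
  7040  the start type of a service was changed
  7036  a service entered the running/stopped state
"""
import re
from datetime import datetime, timedelta

# Constructed sample records, flattened as "timestamp|host|event_id|message".
# These are illustrative only and not telemetry from any real incident.
SAMPLE_LOG = """\
2022-02-23T16:40:02|WS-07|7045|A service was installed in the system. Service Name: ExampleDrv Service File Name: C:\\Windows\\System32\\Drivers\\exampledrv.sys Service Type: kernel mode driver Service Start Type: demand start
2022-02-23T16:40:05|WS-07|7040|The start type of the Volume Shadow Copy service was changed from demand start to disabled.
2022-02-23T16:40:06|WS-07|7036|The Volume Shadow Copy service entered the stopped state.
2022-02-23T09:12:44|WS-12|7036|The Volume Shadow Copy service entered the running state.
2022-02-23T11:03:10|WS-19|7045|A service was installed in the system. Service Name: AgentSvc Service File Name: C:\\Program Files\\Agent\\agent.exe Service Type: user mode service Service Start Type: auto start
2022-02-22T08:00:00|WS-21|7040|The start type of the Volume Shadow Copy service was changed from demand start to disabled.
"""

RECORD_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<host>[^|]+)\|(?P<eid>\d+)\|(?P<msg>.*)$")


def parse_log(text):
    """Parse the flattened log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "event_id": int(m["eid"]),
            "message": m["msg"],
        })
    return records


def is_vss_disable(rec):
    """True for a 7040 (start type -> disabled) or 7036 (stopped) event on VSS."""
    msg = rec["message"]
    if "Volume Shadow Copy" not in msg:
        return False
    if rec["event_id"] == 7040 and msg.rstrip(".").endswith("to disabled"):
        return True
    if rec["event_id"] == 7036 and "entered the stopped state" in msg:
        return True
    return False


def is_kernel_driver_install(rec):
    """True for a 7045 event that registered a kernel-mode driver service."""
    return rec["event_id"] == 7045 and "Service Type: kernel mode driver" in rec["message"]


def find_wiper_precursors(records, window=timedelta(minutes=15)):
    """Return one alert per host that disabled VSS.

    confidence "high": a kernel driver was also installed within `window`.
    confidence "medium": VSS was disabled but no driver install was seen.
    """
    by_host = {}
    for r in records:
        by_host.setdefault(r["host"], []).append(r)

    alerts = []
    for host, recs in sorted(by_host.items()):
        vss = [r for r in recs if is_vss_disable(r)]
        drivers = [r for r in recs if is_kernel_driver_install(r)]
        if not vss:
            continue
        paired = [(v, d) for v in vss for d in drivers
                  if abs(v["ts"] - d["ts"]) <= window]
        if paired:
            v, d = min(paired, key=lambda p: p[0]["ts"])
            alerts.append({"host": host, "confidence": "high",
                           "vss_event": v["ts"].isoformat(),
                           "driver_event": d["ts"].isoformat()})
        else:
            alerts.append({"host": host, "confidence": "medium",
                           "vss_event": min(r["ts"] for r in vss).isoformat(),
                           "driver_event": None})
    return alerts


if __name__ == "__main__":
    for alert in find_wiper_precursors(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this reports WS-07 as high confidence (driver installed three seconds before VSS was disabled) and WS-21 as medium (VSS disabled, no driver seen); WS-12 only saw VSS start and WS-19 only installed a user-mode service, so neither is flagged. In production the same logic would run over exported System-log events rather than the embedded string, and the window and service-name match should be tuned to local noise.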

The report says little about IsaacWiper, other than it uses the known Isaac algorithm to encrypt data.

This isn’t the first report on wiper malware used in Ukraine. In January Microsoft issued a report on destructive malware designed to look like ransomware, which it calls WhisperGate, that hit multiple government, non-profit, and information technology organizations in Ukraine. The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note. The ransom note is a ruse; what’s really going on is that the malware destroys the MBR and the contents of the files it targets.

Also on Tuesday the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued an updated alert on wiper malware used against Ukraine. It includes recommended mitigations.

The post New wiper malware used against Ukraine could be used against other targets first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
