The country of Ukraine seems to be struggling to catch a break. Amid the escalating tensions with Russia, the nation is caught in the mayhem of a string of cyberattacks. Alarms blared off at Microsoft’s Threat Intelligence Center on February 23, hours before Russian tanks started marching into Ukraine, warning of a never-before-seen piece of “wiper” malware aimed at the country’s government departments and financial institutions. While it was the first sighting of wiper attacks, last month was plagued with multiple cyberattacks on Ukraine.
For instance, Ukraine was also targeted by a distributed denial-of-service (DDoS) assault on that day, which caused multiple governments and business websites to fail, according to the BBC. Earlier on February 15, around 70 Ukrainian government websites, as well as the country’s defense and armed forces networks, were targeted by identical DDoS attacks, which the US and UK blamed on Russian hacker organizations. The victims of the DDoS carnage were the websites of Ukraine’s Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, the Security Service of Ukraine, Cabinet of Ministers, and Ukraine’s largest commercial bank, Privatbank. This is not the first time, Ukraine was a fertile ground for Russia’s nefarious cyberattacks. In 2017, Russia used Ukrainian accounting software to distribute the notorious NotPetya (another wiper malware), which swiftly spread throughout the world, causing billions of dollars in damage and disruption to businesses.
As the latest wiper attacks took place, Threat Intelligence Center, which is located north of Seattle, sprung into action and alerted Ukraine’s main cyber defense body about the malware which was initially dubbed as “FoxBlade”. Microsoft’s virus detection systems were upgraded in the next three hours to stop the FoxBlade, which erases or “wipes” data on machines on a network. On March 2, Microsoft announced that the group behind the wiper cyberattacks (now dubbed as HermeticWiper), still pose threat to cybersecurity systems worldwide. The name “Hermetic” is most likely taken from Hermetica Digital Ltd, the firm whose false code signing certificate was used by the malware. Software developers use code-signing certificates to digitally sign apps, drivers, executables, and software programs to ensure that the code they receive has not been tampered with or corrupted by a third party.
Furthermore, the Microsoft Threat Intelligence Center is tracking the threat actors behind this attack as DEV-0665, although it hasn’t linked them to a previous set of attackers.
According to ESET, a Slovakian cybersecurity firm, on February 23 it discovered the data-wiper malware HermeticWiper on hundreds of PCs in Ukraine. ESET also detected a massive attack by another wiper called IsaacWiper (also called Lasainraw) on February 24, and a new version of malware with debug logs on February 25. Legal institutions such as the FBI and the Federal Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to neighboring nations due to the rise of wiper cyberattacks such as HermeticWiper. As the political hostility continues, it is thought that the wiper malware that struck Ukraine has the ability to harm government agencies in other European nations.
As per ESET, the wiper’s timestamp shows that it was compiled on December 28, 2021, implying it was being planned for some time. HermeticWiper exploited genuine disk management software drivers like the EaseUS Partition Master software. The virus includes 32-bit and 64-bit driver files compressed using the Lempel-Ziv algorithm, which is a standard data compression method. When executed, the wiper corrupts the infected computer’s Master Boot Record (MBR), leaving it useless. It can also attack a system’s data recovery tools and a hard drive’s rebooting system, making it impossible for the device to boot into its operating system, therefore rendering it useless. This malware could potentially get complete control of its target’s internal networks, exposing a variety of applications. According to ESET, the wiper was deployed into one of the targeted organizations’ systems via the default Group Policy Object (GPO), allowing it to access the primary server and disseminate the malware to other devices and programs.
A modified worm known as HermeticWizard distributes the virus inside infiltrated local networks. ESET has also discovered HermeticRansom, which is operating as decoy ransomware to divert attention away from the disk-wiper HermeticWiper.
However, aside from its damaging traits, the wiper does not appear to have any other functions. Experts are already drawing parallels of Hermetic Wiper with the WhisperGate malware that Microsoft discovered in numerous Ukrainian PCs in mid-January this year.
Meanwhile, according to Israeli cybersecurity firm Check Point Software, cyberattacks against Ukrainian government sites and the military sector climbed by 196% in the first three days of Russia’s invasion on the 44 million-strong population country, while attacks on Russian companies grew by only 4%.
Kyiv has called on worldwide hacktivists and cyber professionals to join its international “IT army” to repel any Russian cyberattacks. Mykhailo Fedorov, Ukraine’s Minister of Digital Transformation and Vice Prime Minister, set up a Telegram room and posted the URL to the forum, inviting “digital talents” to participate. He claimed that those who join up will be assigned “operational tasks,” that will be revealed on Telegram..
As of Monday evening, this IT army Telegram channel had over 240,000 subscribers. The channel has published a list of Russian targets that members are encouraged to try to infiltrate via cyber vectors (attacks such as malware or ransomware) or denial-of-service assaults. The target includes Russian government websites, APIs, bank websites, and important government corporations. Even before the Russian invasion, the European Union began deploying a cyber rapid-response team (CRRT) throughout Europe on February 22 in response to a plea for assistance from Ukraine, comprising of cyber professionals from six countries: Lithuania, Croatia, Poland, Estonia, Romania, and the Netherlands.