As per ESET, the new data wiper malware has targeted hundreds of computer systems in Ukraine, while in one case the malware infiltrated the victim’s Microsoft Active Directory server.
Ukraine is on the hit list of cybercriminals: two cybersecurity firms with a widespread presence in Ukraine, ESET and Symantec Threat Intelligence, have reported that the country’s computer networks are being targeted with destructive data-wiper malware.
Ukraine’s Systems Under Attack
As per a report from ESET researchers, the new data wiper malware has targeted hundreds of computer systems in Ukraine. In one case, it infiltrated the victim’s Microsoft Active Directory server.
The attack was first detected around 16:52, Ukraine time. The malware seems to have been compiled five hours before being deployed in the wild, which indicates that its code and operational infrastructure were probably already set up and ready to be launched.
NetBlocks, a watchdog organization that monitors cybersecurity and cyberattack-related events globally, also confirmed the attack in a tweet.
ESET’s analysis suggests that the malware used in the attack is HermeticWiper, which is generally deployed through Windows group policies. This means that attackers might have obtained complete control of the internal networks of their target.
The company tweeted that the malware abuses legitimate drivers from a disk management tool, EaseUS Partition Master software, to corrupt data.
Moreover, the Wiper binary is signed “using a code signing certificate issued to Hermetica Digital Ltd,” ESET researchers explained. After its deployment, the wiper runs the EaseUS disk partition utility, and when the data is corrupted, it reboots the computer.
However, Stairwell’s security researcher Silas Cutler stated that HermeticWiper can corrupt both local data and the master boot record section of the hard drive, preventing the computer from booting into the OS after the device’s forced reboot. This behavior is similar to WhisperGate malware.
This attack could very well have been in the works for two months, given the time-stamp data of one of the samples. The wiper was followed by a distributed denial-of-service (DDoS) attack on numerous Ukrainian websites, as reported by Symantec Threat Intelligence.
It is worth noting that on February 16th, 2022, Ukrainian banking and government websites also suffered a series of DDoS attacks. The governments of the United Kingdom and the United States blamed Russia for the cyberattacks.
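The timing claims above (one sample compiled about five hours before deployment, another carrying a time stamp about two months old) rest on the TimeDateStamp field of the PE/COFF header. The following is an added example, not code from ESET or any vendor named here, showing how a responder can read that field and compare it with a first-seen time; the function names, the sample header bytes and the 2030 date are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def staging_gap(data: bytes, first_seen: datetime) -> timedelta:
    """Time between the linker time stamp and the first sighting of the sample.

    The field is written by the build toolchain and can be forged or replaced
    by a reproducible-build hash, so treat the result as a lead to corroborate,
    not as proof. A stamp later than the first sighting is rejected outright.
    """
    gap = first_seen - pe_compile_time(data)
    if gap < timedelta(0):
        raise ValueError("compile time is after first sighting; stamp not trustworthy")
    return gap

def build_sample(compiled: datetime) -> bytes:
    """Constructed minimal DOS + COFF header carrying a chosen time stamp."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, int(compiled.timestamp()), 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff

# Constructed first-seen time: 16:52 local (UTC+2) on a placeholder date.
FIRST_SEEN = datetime(2030, 1, 15, 16, 52, tzinfo=timezone(timedelta(hours=2)))

if __name__ == "__main__":
    for label, age in (("sample A", timedelta(hours=5)), ("sample B", timedelta(days=60))):
        blob = build_sample(FIRST_SEEN - age)
        print(label, "compiled", pe_compile_time(blob).isoformat(),
              "gap", staging_gap(blob, FIRST_SEEN))
```

On a real case, the same comparison is worth repeating against the signing time of the code-signing certificate and the earliest file-system or EDR sighting, since any single time stamp can be manipulated.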
Symantec Threat Intelligence’s Analysis
Symantec Threat Intelligence also noted an increase in malware attacks against Ukrainian computers. The company revealed that the second attack occurred after Russian troops crossed the border and invaded Ukrainian territory.
Russia’s president Vladimir Putin referred to this activity as a peacekeeping mission. Crucial details of the attack, including its scale and number of compromised systems, are as yet unknown, but Threat Intelligence claims that the attack is currently active.
However, researchers claim this incident marks the second attack against Ukrainian computer systems involving a data wiper. The first such attack occurred in January, when WhisperGate malware was distributed masquerading as a rogue ransomware outbreak, and several Ukrainian government websites were defaced simultaneously.
The second wave of data wiper attacks is followed by an array of DDoS attacks targeting government websites to gain public attention and divert the focus of government IT workers. This time, the targets are mostly government contractors or financial websites, and infections were identified in Ukraine, Lithuania, and Latvia.