Even before Russian tanks began rolling across Ukraine’s borders on February 24, the cyber war on the country had begun. In the days before the kinetic war began, a string of attacks battered Ukrainian government, defense and civil society websites and networks. Among them: massive denial of service attacks and targeted malware attacks.
We’re still very much in the “fog of war,” and cyber attacks are ongoing. But it's not too early to start looking at what we’ve seen and drawing some conclusions. And what we’ve seen so far suggests both that the malware attacks against Ukraine were planned well in advance of the start of the kinetic attacks - and also that the attackers (most likely the Russian government or Russian government linked groups) worked in some haste as they readied new threats to use in the theater of battle.
Here’s what we know so far, based on reports from third parties and intelligence from our own Titanium platform.
Two wipers targeting Ukrainian entities
The threat landscape in Ukraine is fluid, but security firms have detected at least two new malware threats in widespread attacks targeting systems within the country: HermeticWiper and IsaacWiper.
HermeticWiper: Evidence of haste and planning
HermeticWiper (aka Foxblade, aka KillDisk) was first detected on February 23, just hours before the onset of Russian kinetic attacks. The malware was first identified by the anti-malware firm ESET at 14:52 UTC on the 23rd, according to a Twitter message announcing the discovery. Other security firms, including Symantec, soon confirmed the report.
HermeticWiper takes its name from a pilfered “extended validation” (EV) PKI certificate that was used to sign the malicious executable. The stolen digital certificate was fraudulently issued in the name of a legitimate firm: "Hermetica Digital LTD," a small software development firm based in Cyprus.
Using stolen or forged certificates is an increasingly common tactic that we have written about. As we’ve noted, EV certificates - which require more intensive scrutiny to obtain than regular PKI certificates - are valuable to malware authors, who are anxious to have their wares appear to come from legitimate entities.
The theft and re-use of Hermetica’s EV certificate adds to the evidence that this was a planned attack involving forethought and execution well in advance of the deployment of the malware. This is backed up by other data. ESET notes, for example, that the malware executable’s timestamp (when it was compiled) is December 28, 2021, suggesting that planning for distribution of the wiper pre-dated the kinetic attack on Ukraine by almost two months.
Other indicators associated with HermeticWiper also point to a long-term and coordinated campaign. Malwarebytes' analysis of HermeticWiper highlights sophisticated evasion- and data destruction features that required both forethought and planning to realize.
Analysis of the malware points to evidence that target organizations were carefully scoped ahead of the attack. According to ESET research, for example, HermeticWiper was probably delivered within target organizations via default domain policy, in addition to spreading laterally using a worm-like feature dubbed HermeticWizard. Staging the malware via Active Directory servers suggests the actors behind the attacks had targeted organizations well before they acted.
And CyberArk notes in its analysis of HermeticWiper that its deployment requires “privileged admin rights” on compromised hosts to “render it ‘un-bootable’ by overriding the boot records and configurations, erasing device configurations and deleting shadow copies (backups).” The company considers HermeticWiper attacks “highly targeted.”
That said, there is some evidence that the HermeticWiper malware came together under the pressure of time. ReversingLabs analysis revealed that the malware uses four versions of the "EaseUS Partition Master," a legitimate driver signed by a trusted certificate CHENGDU YIWO Tech Development Co., Ltd. It is not unusual for malware to bundle in third party components like this. But use of the Partition Master component suggests shortcuts were taken during development of the HermeticWiper - possibly under pressure of time.
The malware was also deployed alongside malware dubbed HermeticRansom (aka Elections GoRansom), a GoLang-based malware that is believed to be intended to distract victims from the work of HermeticWiper. Analysis of that malware, by Kaspersky and others, also suggest that it was a rush job - a bare bones creation with little evidence that developers took steps to disguise the malware’s function suggesting, as Kaspersky said, that “it was created in a short amount of time.”
IsaacWiper: Less sophistication, smaller distribution
Shortly after the detection of HermeticWiper, a second piece of wiper malware was discovered on systems in Ukraine by researchers at ESET. Dubbed IsaacWiper, the malware was first detected on February 24th, the date of Russia’s invasion of Ukraine.
As with HermeticWiper, the malware executable’s timestamp (October 19, 2021) suggests it was prepared and held well in advance of the onset of hostilities. In fact, IsaacWiper might have been used in previous operations, but not detected, ESET said.
Furthermore, to spread the malware within organizations, attackers used RemCom, a remote access tool, and possibly Impacket, ESET wrote. That suggests that attackers- as with HermeticWiper - first obtained a foothold in target networks and sought to avoid noisy, indiscriminate propagation.
Distribution of this second wiper appears more limited. ReversingLabs data shows that HermeticWiper and IsaacWiper appear distinct from each other and do not share code. IsaacWiper also appears to be less sophisticated in its design than HermeticWiper.For example, unlike HermeticWiper, it does not have a signed executable. Whereas Hermetic used an external driver to write to disks, IsaacWiper uses a cipher to create a random byte string to overwrite the beginning of each disk, ReversingLabs found.
Finally, as ESET noted, more recent versions of IsaacWiper contain debug strings - not suggestive of a “polished” piece of malware and an indication that, perhaps, earlier iterations of IsaacWiper weren’t successful in wiping infected machines. (Debug strings would allow IsaacWiper’s developers to understand what was happening on infected hosts.)
YARA rules help detect Ukraine wipers
While the HermeticWiper and IsaacWiper malware has been observed targeting Ukrainian organizations, organizations outside of Ukraine have reason to be concerned about them, also. As CyberArk noted: there isn’t anything in the HermeticWiper, for example, that would limit the scope of infection - guardrails like default keyboard and user interface language settings, clock time zone, and so on. That means the wipers could easily spread beyond Ukraine’s borders.
To help detect these threats, ReversingLabs has released YARA rules to help organizations monitor these threats in their environment. Use the links provided to view our YARA rules for both forms of the malware:
Questions? Talk to ReversingLabs
ReversingLabs continuously improves its detection mechanisms to keep up to date with malware trends. That includes threats related to ransomware, wipers and other threats.
ReversingLabs' Titanium platform combines Explainable Machine Learning technology with static analysis to reliably identify and extract wipers, malware and other indicators at scale. That allows our customers to detect such threats in their environment quickly and before they allow malicious actors to extend their reach within compromised networks.
Don’t hesitate to contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware or to schedule a demonstration.
- Threat Research