Skip links

‘Hundreds of computers’ in Ukraine hit with wiper malware

Hundreds of computers in Ukraine have been infected with data-wiping Windows malware, say researchers at ESET.

In a series of tweets on Wednesday, the infosec biz said it picked up its first sample of the software nasty at about 1500 UTC, and believes the code has been in the works for the past two months.

“ESET telemetry shows that it was installed on hundreds of machines in the country,” the biz stated.

We’re told the data wiper is cryptographically signed with a legit, and presumably stolen, developer certificate to persuade antivirus tools and users to trust it. The malware uses drivers from a partitioning program to corrupt storage devices and destroy files on infected systems, according to ESET.

It’s not entirely clear right now how the malware is dropped onto victims’ machines and run, though in one case, said ESET, an organization’s Active Directory server was probably compromised to distribute the wiper through the network via a group policy object.

Symantec’s threat intelligence wing also said it had spotted data-trashing malware in Ukraine; the Broadcom-owned biz added it had seen infections in Latvia and Lithuania also.

ESET dubbed the nasty Win32/KillDisk.NCV. It’s understood the code not only wipes files from the drive, it also nukes the MBR, making booting and recovery difficult or impossible thereafter.

This comes as various Ukrainian websites were disrupted to varying degrees by denial-of-service attacks, and Britain’s National Cyber Security Centre warned of a new Kremlin-linked strain of malware that appears to be separate to the wiper ESET and Symantec uncovered.

And the wider context of this is Russia this week invading an area of eastern Ukraine, ostensibly on a peacekeeping mission to protect two separatist regions of Ukraine. That move triggered fresh US sanctions against Moscow.

Uncle Sam has warned American businesses and organizations to prepare for cyber-attacks from Russia in retaliation for these sanctions and the White House’s opposition to Russian President Vladimir Putin’s intrusion into Ukraine.

It is feared a full invasion will now follow, as Russia has been amassing troops near Ukraine’s border. Ukraine’s websites and systems have been targeted and disrupted by miscreants for the past few weeks amid a build up in tensions and breakdown in diplomacy.

A spokesperson for the Consulate General of Ukraine in San Francisco was not available for immediate comment. The entire web presence of the nation’s Ministry of Foreign Affairs is offline from a cyber-attack, it appears, we note. ®