The disk-wiping malware that tore through at least hundreds of Ukrainian Windows systems at the start of Russia’s occupation wasn’t alone. Slovakian infosec firm ESET has found a second similar strain in Ukraine.
“Malware artefacts suggest that the attacks had been planned for several months,” said the biz. Last week, as the Russian armed forces invaded Ukraine, ESET published details of one wiper – malware that destroys data on whatever computer or device it has infected.
Threat research chief Jean-Ian Boutin added in a statement today that ESET had uncovered a similar Windows software nasty which it nicknamed IsaacWiper, which was first observed the day of the Russian invasion on February 24.
The initial strain, code-named HermeticWiper by ESET, has a Portable Executable (PE) compilation date of December 28, 2021 – which aligns with Russia preparing the cyber part of its attack on Ukraine months in advance. This also gels with military mobilizations from late last year, including the transit of Russian amphibious assault ships from northern Russia into the Black Sea via north-west Europe.
“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper,” continued ESET. “It is important to note that it was seen in a Ukrainian governmental organization that was not affected by HermeticWiper.”
The firm added that IsaacWiper’s PE compilation timestamp of October 19, 2021 suggested it might have been used in other attacks before Russia’s Ukraine invasion. While IsaacWiper is not code-signed, HermeticWiper was signed with a certificate in the name of a Cypriot company, Hermetica Digital, apparently fraudulently obtained from DigiCert.
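Both of the clues ESET cites here, the PE compilation timestamp and whether the binary carries an Authenticode signature, sit in the PE header and are cheap to pull out during triage. The following is an added example (not ESET's tooling or code from this article) that reads them straight from the COFF and optional headers without third-party libraries. The sample PE bytes it builds are constructed in place with an invented section count, size and certificate-table offset, purely so the parser can be exercised offline; the only value taken from the article is the October 19, 2021 date. Note the two caveats the parser's comments spell out: a compile timestamp is attacker-controlled and can be back-dated, and a non-empty certificate table only tells you a signature is attached, not that the signer is trustworthy, which is exactly the gap a fraudulently obtained certificate exploits.

```python
import struct
from datetime import datetime, timezone

# Index of the certificate (Authenticode) table in the data directory array.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def pe_triage(data: bytes) -> dict:
    """Return the COFF compile timestamp and whether an Authenticode
    signature is attached. Pure header parsing: no signature validation."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)

    # The optional header magic decides where the data directories start.
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32
        dd_off = 96
    elif magic == 0x20B:    # PE32+
        dd_off = 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")

    # NumberOfRvaAndSizes sits immediately before the directory array.
    num_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    signed = False
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        entry = opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        cert_off, cert_size = struct.unpack_from("<II", data, entry)
        # A non-zero entry means a certificate blob is attached. It says nothing
        # about whether the chain is valid or the signer is who they claim to be.
        signed = cert_off != 0 and cert_size != 0

    return {
        "machine": machine,
        "sections": nsections,
        # The timestamp is written by the linker and is trivially forgeable;
        # treat it as a hint to be corroborated, not as evidence on its own.
        "timestamp": timestamp,
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "has_authenticode_signature": signed,
    }


def build_sample_pe(timestamp: int, signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (no real sections or code) for testing."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)

    opt_size = 240 if pe32plus else 224  # standard sizes with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, timestamp, 0, 0, opt_size, 0x22)

    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dd_off = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_off - 4, 16)  # NumberOfRvaAndSizes
    if signed:
        # Invented file offset and size of a certificate table, constructed for the test.
        struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x4000, 0x1800)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 2021-10-19 00:00:00 UTC, the IsaacWiper compile date reported by ESET (time of day constructed).
    ts = int(datetime(2021, 10, 19, tzinfo=timezone.utc).timestamp())
    for label, blob in (("unsigned", build_sample_pe(ts, signed=False)),
                        ("signed", build_sample_pe(ts, signed=True))):
        print(label, pe_triage(blob))
```

On a real sample, feed `pe_triage(open(path, "rb").read())` the file and compare the compile time against the first time the file was seen in your telemetry; a compile date months before the first sighting is what ESET is pointing at with its "planned for several months" remark, and a `has_authenticode_signature` of `True` is the cue to go and inspect the signer chain rather than to trust the file.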
A different breed
Once deployed, HermeticWiper allows its operators to move laterally through a target’s network before overwriting the whole of a host disk. ESET said they had seen a Windows Active Directory server compromised and a custom worm used to spread the wiper from there.
IsaacWiper, in contrast, appears to use the "remote shell/telnet replacement" utility RemCom (whose use in a malware context is explained here) and SecureAuth's Impacket Python tools, as published on GitHub.
“ESET Research has not yet attributed these attacks to a known threat actor due to the lack of any significant code similarity with other samples in the ESET malware collection,” concluded the security shop.
Reports are reaching channels in the West about Russian and Belarusian cyber attacks on Ukraine, but they are of a much lower volume than many had expected. Some have speculated that this may change as Russia’s war continues to go badly.
Rumors in the media hint that significant numbers of Russian soldiers are deserting and abandoning their vehicles, and that the Ukrainian Air Force – contrary to all expectations – is still able to fly and fight. The resistance from the Ukrainian population also appears to be proving surprisingly effective in the face of a nominal superpower.
However, if President Putin changes his mind from waging a war of occupation against Ukraine to a war of destruction, we may no longer be reading about wiper malware samples. Instead we may see widespread blackouts, outages, or the complete devastation of Ukrainian cities. ®
Speaking of the invasion… Amid fresh sanctions against Russia, Apple has stopped all sales of its products in the nation. The iGiant added in a statement: “Apple Pay and other services have been limited. RT News and Sputnik News are no longer available for download from the App Store outside Russia. And we have disabled both traffic and live incidents in Apple Maps in Ukraine as a safety and precautionary measure for Ukrainian citizens.”
Meanwhile, Visa and Mastercard, which handle the vast majority of debit and credit card payments outside of China, have blocked various Russian banks from using their networks, as a result of US sanctions.