UPDATE: April 29, 2022: The Cybersecurity and Infrastructure Security Agency on Thursday updated an advisory on destructive malware deployed earlier this year in connection with the Ukraine invasion. CISA released additional indicators of compromise on WhisperGate and technical details on HermeticWiper, HermeticWizard, IsaacWiper and CaddyWiper.
Dive Brief:
- The release of new malware strains in Ukraine last week coincided with the start of Russian military attacks, security researchers at ESET and Microsoft found.
- Following the launch of HermeticWiper on Feb. 23, a second attack was launched against Ukrainian government systems on Feb. 24 with a wiper called IsaacWiper, ESET researchers said. A new version of IsaacWiper, containing debug logs, was dropped on Feb. 25, a move that could signal the original wiper failed to erase the data on the targeted systems, ESET researchers said.
- Microsoft researchers on Feb. 24 detected a round of cyberattacks targeting Ukraine’s digital infrastructure hours before the launch of missile attacks against the country, according to a blog post from Brad Smith, vice chair and president of Microsoft.
Dive Insight:
Smith said the attacks included a package of malware that Microsoft calls FoxBlade. Microsoft has provided threat intelligence and defensive advice to officials about the attacks, which targeted the Ukrainian military, local manufacturers and several government agencies, he said.
Anne Neuberger, White House deputy national security advisor for cyber- and emerging technologies, asked Microsoft to share details of the code with the Baltics, Poland and other European nations, and made introductions, according to the New York Times.
It is not immediately known whether FoxBlade is part of the same malware detected by ESET or a separate strain.
Smith said the new malware found in Ukraine has been precisely targeted. Researchers have not found the malware spreading across the nation’s economy or to targets outside its borders, as happened during the 2017 NotPetya attacks.
Microsoft remains concerned about cyberattacks against civilian targets in Ukraine, including finance, agriculture, emergency response, humanitarian aid and energy. The attacks raise concerns under the Geneva Convention and Microsoft has shared information about each of the attacks with the Ukrainian government, according to Smith.
The company also told Ukraine about recent attempts to steal personally identifiable information related to healthcare, insurance and transportation.
Wiper details
ESET researchers have identified three components of the HermeticWiper attacks:
- HermeticWiper was used to wipe the data
- HermeticWizard was used to spread the attack on local networks
- HermeticRansom acted as a decoy ransomware
Researchers said HermeticWizard contained a worm component that was used to spread the wiper into a separate compromised network.
Researchers have not been able to directly attribute IsaacWiper to any particular threat actor.
“Although the end result is the same, HermeticWiper and IsaacWiper do not share code similarity,” Jean-Ian Boutin, ESET head of threat research, said via email. “In fact, HermeticWiper is more sophisticated than IsaacWiper. We are treating them as independent campaigns that could have been perpetrated by two different threat actors.”