Second Wiper Attack Strikes Systems in Ukraine and Two Neighboring Countries
The wiper, dubbed HermeticWiper, struck a bank in Ukraine as well as machines in Latvia and Lithuania belonging to two contractors that work with the Ukrainian government.
For the second time in two months, a destructive wiper attack struck computer systems in Ukraine as well as in two neighboring countries, according to researchers at two security companies who discovered the wiper Wednesday afternoon as it infected the machines.
ESET, a security firm based in Slovakia that was the first to report the malware, indicated that it found the wiper on “hundreds of machines” in Ukraine, but didn’t identify the victims or specify how many companies or organizations this involved.
Symantec, a division of U.S.-based Broadcom Software, reported that it had found the wiper malware on about 50 systems belonging to a bank in Ukraine as well as on systems belonging to two different contractors that do work for the Ukrainian government, according to Vikram Thakur, technical director of Symantec's threat intelligence team. Symantec later published a blog post about the attack and revealed it had found additional victims in the defense, aviation, and IT services sectors.
One contractor has offices in Ukraine and Latvia, the other has offices in Ukraine and Lithuania, according to Thakur, who added that they found infections only on the contractors’ machines in Latvia and Lithuania and didn’t find any infections on the companies’ machines in Ukraine.
“This looks extremely targeted,” Thakur told Zero Day. “This is not going after all Ukrainian organizations, but ones that do specific roles that support the Ukrainian government. So the actors don’t care where the organizations physically are located.”
He declined to identify what kind of work the contractors do and says it’s too early to say whether the attackers siphoned data from the systems before wiping them.
The wiper, dubbed HermeticWiper, appears to have been in the works for months but was only released on computers today. It follows on a previous wiper attack that struck Ukrainian systems in January called WhisperGate. Like that previous infection, HermeticWiper is designed to overwrite files on systems to render them inoperable.
But Juan Andrés Guerrero-Saade, principal threat researcher at SentinelOne, whose team also examined the malware, said HermeticWiper is a much better and more efficient wiper than WhisperGate was and appears to have been more carefully crafted, suggesting that two different teams may have developed the wiper programs.
“I was kind of surprised WhisperGate worked,” he told Zero Day, based on how it was written. “In comparison [HermeticWiper] is reminiscent of Destover and Shamoon.” Destover is a wiper that was launched by North Korea against Sony Pictures in 2014, wiping systems across the company simultaneously while Shamoon is a wiper attributed to Iran that struck Saudi Aramco in 2012, wiping data from more than 30,000 machines.
How HermeticWiper Works
According to analysis conducted by ESET and Symantec, the attackers may have pushed the wiper to systems from inside victim networks. The malware appears to have been loaded onto systems in some cases through what’s known as a Windows Group Policy — a feature that lets network administrators perform actions simultaneously across multiple systems inside a network, such as configure machines or install software.
This means the attackers already had a foothold inside the target networks and may have used stolen administrator credentials to use the Group Policy feature to push the HermeticWiper to systems.
The wiper files were signed with a legitimate digital certificate belonging to a company named Hermetica Digital LTD, based in Cyprus.
Digital certificates are used to sign software to authenticate them to computers as legitimate code from the company that signs them. But hackers can steal digital certificates from legitimate companies to sign their malicious code or create fake shell companies in order to get certificate authorities to issue them a legitimate certificate under false pretenses. They sign their malicious code with these certificates to bypass antivirus software by making their rogue code look like code from a legitimate company.
Hermetica Digital appears to have been set up only last March and doesn’t have a web site, which raises the possibility that the company was created for the purpose of obtaining a certificate, says Guerrero-Saade.
“We don’t see any other software signed with that digital certificate,” he says. “If the only thing that’s signed is that wiper, then I’m suspicious whether that company is real.”
Zero Day was unable to reach anyone at the company for comment.
Once the HermeticWiper lands on systems, it immediately begins the work of wiping files and destroying the Master Boot Record, the part of the computer responsible for launching the operating system when a machine is booted. According to Silas Cutler, a security researcher with Stairwell, the wiper begins its dirty work within 15 seconds.
This is different than the WhisperGate wiper from January. That malware masqueraded as a fake ransomware attack and worked in three stages. Once the hackers loaded WhisperGate onto a system, it would overwrite the Master Boot Record with a fake ransomware note demanding Bitcoin worth $10,000.
“Your hard drive has been corrupted,” the note read. “In case you want to recover all hard drives of your organization, You should pay us $10k via bitcoin wallet. We will contact you to give further instructions."
At the same time, the malware reached out to a Discord channel and pulled down another malicious component. The attackers would then force the computer to power down, which caused that second malicious component to wipe important system files on the machine. When the machine booted back up, the user would see the ransomware message displayed on their screen, making them think they could get access to their files restored if they paid the ransom, when in fact their system had already been rendered inoperable and unrecoverable by the wiper. [Update: Symantec in its new report indicates that HermeticWiper also used a fake ransom note.]
Guerrero-Saade says the HermeticWiper is better than WhisperGate in that it’s very thorough and systematic in the way it operates. Hackers generally want to overwrite the Master Boot Record in the quickest and easiest way to bring a system down. If they overwrite additional files, their malware will generally overwrite just enough data in each file to wipe it so it can move on quickly to the next file and do the same.
But HermeticWiper he says uses “multiple redundant ways of trashing the file system” and makes sure to wipe each drive on a system.
“That is way more thorough than anything we saw with WhisperGate,” he says. “Somebody took their time preparing this thing before they fired it off.”
He also says the code’s thoroughness makes him speculate that it may have served a different purpose than just rendering systems inoperable — it may have been designed in part to erase evidence of the hackers’ activity on the systems before they wiped them. As noted before, the use of Windows Global Policy to distribute their wiper indicates they had a foothold inside the networks for a while before wiping the systems. This potentially bolsters the idea that the wiper was intended to erase what they did inside infected systems before wiping them. [Update: Symantec revealed in its new blog post that one of the victim’s networks had been compromised on December 23rd and another on November 12th, giving them several months of access to systems before they wiped them.]
Although ESET and Symantec detected the malware landing on systems at around the same time on Wednesday afternoon, suggesting a coordinated operation — ESET says it detected the malware at around 4:52 pm local time; Thakur says Symantec detected it around 4:48 pm local time — the wiper had already been prepared months earlier.
A version of the wiper ESET examined had been compiled December 28 last year. But researchers with MalwareHunterTeam said another version appeared to have been compiled on Wednesday, just five hours before it infected machines. A file is compiled when the source code written in a programming language that humans can read is turned into binary code that machines read.
The new cyberattack came hours before Russian President Vladimir Putin declared war on Ukraine.
The same day the wiper was deployed, a DDoS campaign was launched against web sites belonging to several government agencies and banks in Ukraine.
Ukraine as well as the U.S. and allies have been warning for months about a potential escalation in cyberattacks from Russia to accompany hostilities on the ground. Ukraine did not attribute Wednesday’s wiper infections to Russia, though it attributed the wiper attack in January, as well as DDoS campaigns and website defacements, to its eastern adversary.
Updated 7:45pm PST: To indicate that Russia had declared war on Ukraine.
Updated 2.24.22: To add new information from Symantec’s analysis of the attack.
If you like this story, feel free to share with others.
If you’d like to receive future articles directly to your email in-box, you can also subscribe: