Secureworks® and Sababa Security partner to provide advanced XDR services in Italy, Spain, and Portugal
March 2, 2022
Cyber-attack strikes German oil storage firm
March 22, 2022
Findings from recent cyber-attacks targeting Ukrainian organizations, that shortly preceded Russian military operations in the country, suggest that such attacks have been performed using a destructive disk-wiping malware (Trojan.Killdisk), deployed after attackers gained access to targets’ infrastructure.
The malware has been popularly dubbed as Hermetic Wiper, from its digital signature issued to Hermetica Digital Ltd valid from April 2021 to April 2022.
Hermetic Wiper has so far hit specific targets, such as financial organizations and government contractors in Ukraine, like another famous predecessor NotPetya. In 2017, NotPetya badly hit global transport and logistic giant Maersk, destroying all end-user devices, including 49.000 laptops, 1.000 out of 1.200 applications, 3.500 out of 6.200 servers for an estimated damage between 250 and 300 million dollars.
Although these attacks have not been publicly claimed yet, it is likely that they might be connected with the current political and military situation in Ukraine. This suggests caution for all organizations in Europe as well – from private companies to government agencies –, as they might become a target of wiping attacks.
How HermeticWiper works
The malware itself is a small executable file consisting of four embedded resources that appeared to be copies of drivers, associated with the legitimate program EaseUS Partition Master, and leveraged to interact with storage devices connected to the infected host. The usage of a driver as a disguise provided deeper direct access to the operating system, potentially evading detection and prevention of the destructive actions.
Once executed, the malware identifies all the physical driver connected and partitions (both FAT and NTFS), destroying them, and then reboots the machine to make it unusable. Some copies of the malware have been compiled as early as December 2021, suggesting that its development was ongoing for some months.
Attack preparation stage
Planning is another common phase of the attacks. Findings suggest that threat actors gained access to their victims network long before the actual deployment of the wiper, with activities dating back as early as November 2021 and December 2021. In at least one case, access has been gained through a malicious activity against a Microsoft Exchange Server followed by credential theft, or exploiting a known vulnerability of Microsoft SQL Server (CVE-2021-1636) to escalate privileges in the network.
All exploits were finalized to the execution of PowerShell commands and scripts in the early stage of the intrusion and in preparation of the wiper final deployment. The wiper was deployed as a scheduled task, minutes after the planned script started.
In some attacks, alongside the wiper, a ransomware was deployed as a decoy or distraction from the wiper attack, similarly to earlier WhisperGate attacks against Ukrainian agencies in January 2022. During such attacks, another disk-wiper malware (slightly different from Hermetic Wiper) was associated with a typical ransomware message, without any actual data recovery mechanism in place, to disguise the real purpose of the attack.
How to stay protected
Though HermeticWiper is showing no sign of autonomous replication to hit other target stakeholders (“wormable” capability), it does not mean it or its later variations cannot target other organizations. The attack findings suggest that proper and recurrent Audit Services as well as Detection and Response activities, such as SOC and other Managed Security Services, are vital to properly detect and manage any malicious, deviant or undesired activity within the company network, protecting data and assets, and ensuring business continuity. Given the ongoing international and cyber scenario, also a Disaster Recovery Policy would be more than just a best practice, granting real resilience to any organization.
