Findings from recent cyber-attacks targeting Ukrainian organizations, that shortly preceded Russian military operations in the country, suggest that such attacks have been performed using a destructive disk-wiping malware (Trojan.Killdisk), deployed after attackers gained access to targets’ infrastructure.
The malware has been popularly dubbed as Hermetic Wiper, from its digital signature issued to Hermetica Digital Ltd valid from April 2021 to April 2022.
Hermetic Wiper has so far hit specific targets, such as financial organizations and government contractors in Ukraine, like another famous predecessor NotPetya. In 2017, NotPetya badly hit global transport and logistic giant Maersk, destroying all end-user devices, including 49.000 laptops, 1.000 out of 1.200 applications, 3.500 out of 6.200 servers for an estimated damage between 250 and 300 million dollars.
Although these attacks have not been publicly claimed yet, it is likely that they might be connected with the current political and military situation in Ukraine. This suggests caution for all organizations in Europe as well – from private companies to government agencies –, as they might become a target of wiping attacks.
The malware itself is a small executable file consisting of four embedded resources that appeared to be copies of drivers, associated with the legitimate program EaseUS Partition Master, and leveraged to interact with storage devices connected to the infected host. The usage of a driver as a disguise provided deeper direct access to the operating system, potentially evading detection and prevention of the destructive actions.
Once executed, the malware identifies all the physical driver connected and partitions (both FAT and NTFS), destroying them, and then reboots the machine to make it unusable. Some copies of the malware have been compiled as early as December 2021, suggesting that its development was ongoing for some months.
Planning is another common phase of the attacks. Findings suggest that threat actors gained access to their victims network long before the actual deployment of the wiper, with activities dating back as early as November 2021 and December 2021. In at least one case, access has been gained through a malicious activity against a Microsoft Exchange Server followed by credential theft, or exploiting a known vulnerability of Microsoft SQL Server (CVE-2021-1636) to escalate privileges in the network.
All exploits were finalized to the execution of PowerShell commands and scripts in the early stage of the intrusion and in preparation of the wiper final deployment. The wiper was deployed as a scheduled task, minutes after the planned script started.
In some attacks, alongside the wiper, a ransomware was deployed as a decoy or distraction from the wiper attack, similarly to earlier WhisperGate attacks against Ukrainian agencies in January 2022. During such attacks, another disk-wiper malware (slightly different from Hermetic Wiper) was associated with a typical ransomware message, without any actual data recovery mechanism in place, to disguise the real purpose of the attack.
Though HermeticWiper is showing no sign of autonomous replication to hit other target stakeholders (“wormable” capability), it does not mean it or its later variations cannot target other organizations. The attack findings suggest that proper and recurrent Audit Services as well as Detection and Response activities, such as SOC and other Managed Security Services, are vital to properly detect and manage any malicious, deviant or undesired activity within the company network, protecting data and assets, and ensuring business continuity. Given the ongoing international and cyber scenario, also a Disaster Recovery Policy would be more than just a best practice, granting real resilience to any organization.
|_ga||2 years||The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.|
|_gat_gtag_UA_150416163_1||1 minute||Set by Google to distinguish users.|
|_gid||1 day||Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.|
|pardot||past||The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.|
|visitor_id909942-hash||10 years||No description|
|lpv909942||30 minutes||No description|
|visitor_id909942||10 years||No description|