New Russia-Linked Malware HermeticWiper Targets Ukraine
A new cyber threat, HermeticWiper, emerged in February 2022, coinciding with the start of the Russia-Ukraine conflict. This malware targets Ukrainian systems, destroying data and rendering computers unusable. Security researchers and Western authorities have attributed the attack to Russia with high confidence.
The HermeticWiper attack began on February 23, 2022, just before Russia invaded Ukraine. It targeted Ukrainian government bodies, businesses, and critical infrastructure. HermeticWiper is a type of malware known as a 'wiper', designed to destroy data on infected computers. The malware spreads through a software distribution network used in Ukraine, indicating a deep understanding of the country's IT ecosystem. HermeticWiper is signed with a code-signing certificate issued to a small videogame design business in Cyprus that has no known links to Russia. The malware's primary goal is to destroy the master boot record (MBR) of a system, making it unbootable. It also disables memory dumps by setting the CrashDumpEnabled registry value to 0, which deprives responders of crash dumps to analyse. HermeticWiper attacks are often preceded by exploits or distributed denial-of-service attacks that aid the malware's deployment. The malware itself is small, just 115 KB, and comes packed with drivers that are extracted depending on the operating system. During execution it acquires sensitive privileges such as SeBackupPrivilege, SeDebugPrivilege, and SeLoadDriverPrivilege.
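Two of the behaviours described above leave traces a defender can check for: the CrashDumpEnabled value being set to 0, and the MBR being overwritten. The Python below is an added example written for this article, not code from the article or from any analysis of the malware. It flags Sysmon "RegistryEvent (Value Set)" records (Event ID 13, whose field names are Sysmon's own) that set CrashDumpEnabled to 0, and checks whether a 512-byte first sector still carries the 0x55AA boot signature. The full registry path is the standard Windows CrashControl key (the article names only the value), and the event records and sector contents are constructed sample data.

```python
"""Defender-side checks for two HermeticWiper behaviours described in the article:
crash dumps disabled via CrashDumpEnabled, and the MBR destroyed."""
import re
from typing import Iterable, List, Optional

# Standard Windows location of the CrashDumpEnabled value (Windows fact; the article names only the value).
CRASH_CONTROL_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl"
CRASHDUMP_VALUE = CRASH_CONTROL_KEY + r"\CrashDumpEnabled"

# Sysmon renders DWORD data in the Details field as "DWORD (0x00000000)".
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def parse_dword(details: str) -> Optional[int]:
    """Return the integer value of a Sysmon DWORD Details string, or None if it is not a DWORD."""
    m = _DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def find_crashdump_disabled(events: Iterable[dict]) -> List[str]:
    """Return the image paths of processes that set CrashDumpEnabled to 0 (Sysmon Event ID 13)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue                      # only registry value-set events matter here
        if ev.get("TargetObject", "").lower() != CRASHDUMP_VALUE.lower():
            continue                      # some other registry value
        if parse_dword(ev.get("Details", "")) == 0:
            hits.append(ev.get("Image", "<unknown>"))
    return hits


MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"             # bytes 510-511 of a valid MBR


def mbr_signature_intact(sector: bytes) -> bool:
    """True if a disk's first 512 bytes still end with the 0x55AA boot signature.
    A wiper that zeroes or overwrites sector 0 removes it; sector data is read elsewhere
    (for example from a forensic image), so this function takes the raw bytes only."""
    return len(sector) >= MBR_SIZE and sector[510:512] == BOOT_SIGNATURE


# Constructed sample data (invented for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": CRASHDUMP_VALUE, "Details": "DWORD (0x00000007)"},   # non-zero: dumps stay enabled
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\EXAMPLE_dropper.exe",
     "TargetObject": CRASHDUMP_VALUE, "Details": "DWORD (0x00000000)"},   # dumps disabled: flag it
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Example\Setting", "Details": "DWORD (0x00000000)"},  # unrelated value
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\EXAMPLE_dropper.exe",
     "CommandLine": "EXAMPLE_dropper.exe"},                                # process-create event, ignored
]

HEALTHY_MBR = b"\xEB\x3C\x90" + b"\x00" * 507 + BOOT_SIGNATURE   # 3 + 507 + 2 = 512 bytes
WIPED_MBR = b"\x00" * MBR_SIZE                                     # sector 0 after a wipe

if __name__ == "__main__":
    print("CrashDumpEnabled=0 set by:", find_crashdump_disabled(SAMPLE_EVENTS))
    print("healthy MBR intact:", mbr_signature_intact(HEALTHY_MBR))
    print("wiped MBR intact:", mbr_signature_intact(WIPED_MBR))
```

In practice the registry check runs over the Sysmon or EDR event stream, and the image path of the process that made the change is what distinguishes an administrator tuning crash-dump settings from an unknown binary in a temp directory; the MBR check is for forensic images of affected disks, since the live machine is already unbootable once the sector is gone.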
Hundreds of Ukrainian websites related to local government have been attacked by HermeticWiper, and the Ukrainian government has been a specific target. Although HermeticWiper carries a code-signing certificate from a Cypriot company, security experts and Western authorities believe Russia is behind the attack: the malware's destructive nature, its focus on Ukrainian systems, and the timing of the attack all point to Russian involvement. However, direct, publicly available evidence is often scarce in cyber attacks, and attribution remains complex.