Ukraine Hit By Data Wiping Malware, Amid Russian Invasion

Ukraine - Shutterstock - © Mykhaylo Palinchak

As Russian forces launch a military assault and bomb key targets in Ukraine, data wiper malware hits the beleaguered country

Russian President Vladimir Putin overnight demanded the Ukraine military lay down its arms, as a widespread invasion of the country began in the early hours of Thursday morning.

Russian military vehicles have breached the Ukraine border in a number of places, in the north, south and east, including from Belarus, an long-time Russian ally. Explosions have been heard in major Ukraine cities and military targets have been attacked, with multiple casualties reported.

And Ukraine has again suffered a cyberattack, with ESET researchers discovering new data wiper malware used in Ukraine yesterday on hundreds of computers, which they have named HermeticWiper.


Wiper malware

“Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today,” the ESET researchers tweeted. “ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today.”

Last week Ukrainian government institutions including its Ministry of Defence suffered a DDoS attack.

Bellingcat investigators said the attack on the Ukrainian government websites was linked to Russian GRU hackers.

Now this week ESET telemetry shows that wiper malware was installed on hundreds of machines in the country.

ESET said that it observed the first sample of the malware at around 14h52 UTC / 16h52 local time on 23 February, but the PE compilation timestamp of one of the samples is 2021-12-28, suggesting that the attack might have been in preparation for almost two months.

According to EST, the Wiper binary, which is signed using a code signing certificate issued to Hermetica Digital Ltd, abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data. As a final step, the wiper reboots the computer, said ESET.

The researchers said that in one of the targeted organisations, the wiper was dropped via the default (domain policy) GPO meaning that attackers had likely taken control of the Active Directory server.

Ongoing attacks

Ukraine has already been repeatedly hit by hackers in the past few weeks as Russia has massed troops around its borders.

Last month the country suffered a massive cyberattack that impacted at least 70 government websites, as well as the US, UK and Swedish embassies.

That Ukraine cyberattack warned the local public to “be afraid and expect the worst”, which Ukraine at the time publicly stated was orchestrated by Russia.

Russia of course has invaded Ukraine previously, when it illegally seized and annexed Crimea from Ukraine in 2014.

Prior to that attack Russia engaged in its usual practice of hybrid or asymmetric warfare, and was accused of launching an assortment of cyberattacks to destabilise communications and spread confusion whilst its troops overran the region.

Russia then continued to launch cyberattacks against Ukraine even after that invasion, including attacks on the power grid and government sites.

In the first nine months of 2021, Ukraine’s SBU security service said it had “neutralised” 1,200 cyberattacks or incidents.