Ukraine Hit By Data Wiping Malware, Amid Russian Invasion

Russian President Vladimir Putin overnight demanded the Ukraine military lay down its arms, as a widespread invasion of the country began in the early hours of Thursday morning.

Russian military vehicles have breached the Ukraine border in a number of places, in the north, south and east, including from Belarus, an long-time Russian ally. Explosions have been heard in major Ukraine cities and military targets have been attacked, with multiple casualties reported.

And Ukraine has again suffered a cyberattack, with ESET researchers discovering new data wiper malware used in Ukraine yesterday on hundreds of computers, which they have named HermeticWiper.

Wiper malware

“Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today,” the ESET researchers tweeted. “ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today.”

Last week Ukrainian government institutions including its Ministry of Defence suffered a DDoS attack.

Bellingcat investigators said the attack on the Ukrainian government websites was linked to Russian GRU hackers.

Now this week ESET telemetry shows that wiper malware was installed on hundreds of machines in the country.

ESET said that it observed the first sample of the malware at around 14h52 UTC / 16h52 local time on 23 February, but the PE compilation timestamp of one of the samples is 2021-12-28, suggesting that the attack might have been in preparation for almost two months.

According to EST, the Wiper binary, which is signed using a code signing certificate issued to Hermetica Digital Ltd, abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data. As a final step, the wiper reboots the computer, said ESET.

The researchers said that in one of the targeted organisations, the wiper was dropped via the default (domain policy) GPO meaning that attackers had likely taken control of the Active Directory server.

Ongoing attacks

Ukraine has already been repeatedly hit by hackers in the past few weeks as Russia has massed troops around its borders.

Last month the country suffered a massive cyberattack that impacted at least 70 government websites, as well as the US, UK and Swedish embassies.

That Ukraine cyberattack warned the local public to “be afraid and expect the worst”, which Ukraine at the time publicly stated was orchestrated by Russia.

Russia of course has invaded Ukraine previously, when it illegally seized and annexed Crimea from Ukraine in 2014.

Prior to that attack Russia engaged in its usual practice of hybrid or asymmetric warfare, and was accused of launching an assortment of cyberattacks to destabilise communications and spread confusion whilst its troops overran the region.

Russia then continued to launch cyberattacks against Ukraine even after that invasion, including attacks on the power grid and government sites.

In the first nine months of 2021, Ukraine’s SBU security service said it had “neutralised” 1,200 cyberattacks or incidents.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Apple Security Flaw Being Actively Exploited

Update now. Vulnerability impacts a number of Apple iPhone, iPad and Mac models, and the…

2 hours ago

Yale University Names Firms Still Operating In Russia

Data from Yale University shows a number of big name tech companies continue to trade…

3 hours ago

Police Arrest Four Over BT Cable Theft In North Yorkshire

Police make arrests after Openreach confirms to Silicon UK that a cable theft left 200…

22 hours ago

UK Staff Resisting ‘Big Return’ To The Office, Says infinitSpace

Remote working to stay? Majority of business leaders are struggling to get staff to return…

22 hours ago

Apple Axes 100 Recruiters, Amid Hiring Slowdown – Report

Hiring slowdown at Apple? Tech giant reportedly lets go 100 contract-based recruiters in the past…

23 hours ago