Since the Russian invasion of Ukraine began, cyber warfare between the two countries has escalated, with more and more campaigns, malware strains, and attacks observed against a variety of Ukrainian government organizations.
This post covers the latest developments in that cyber warfare.
Timeline of Important Cyber Events in Russian-Ukrainian Cyber Warfare
IsaacWiper, a new and so far unattributed wiper, was used in an attack against a Ukrainian government network just before Russia sent troops into Ukraine, and a new version of it was observed in attacks the very next day. (Read more here.)
Of note is that IsaacWiper was used against a network that had not been affected by HermeticWiper. Additionally, the attackers appear to be finding ways to move laterally between networks in order to spread the malware further.
It is currently unclear whether the two wipers are linked, as IsaacWiper is a far less sophisticated piece of malware (see WeLiveSecurity's article).
According to ESET, the method by which IsaacWiper is delivered to victims is currently unknown, but RemCom, a remote access tool, was deployed at the same time as the IsaacWiper attacks, and Impacket was possibly used to move within the affected networks. This suggests that the attackers behind IsaacWiper had infiltrated the target networks some time before the wiper was triggered.
Researchers spotted a new worm named HermeticWizard that is used to drop HermeticWiper, spreading across the network with WMI and SMB spreader modules. It was detected alongside a Golang ransomware named HermeticRansom (also known as Elections Go Ransom and PartyTicket). (Read more on BleepingComputer here.)
Given its unsophisticated style and poor implementation, and the fact that it was deployed against assets on the same day HermeticWiper was distributed, the ransomware was likely used as a smokescreen for the HermeticWiper attack.
Researchers note that HermeticRansom does not use any kind of obfuscation and has straightforward functionality, suggesting it was created in a short amount of time.
HermeticRansom ransom note
Given the circumstances under which it appeared, researchers are moderately confident that HermeticRansom is linked to HermeticWiper's primary objective: destroying data on Windows systems or otherwise rendering them unusable.
According to Microsoft, Ukrainian networks and infrastructure were targeted by a newly discovered malware, which Microsoft tracks as FoxBlade, mere hours before the Russian invasion began.
While several researchers have suggested that FoxBlade and HermeticWiper are one and the same, there is still debate within the cybersecurity community on this point. One difference that contributes to the confusion is that HermeticWiper has not been observed to have denial-of-service capabilities, whereas FoxBlade is reported to be able to deliver such an attack.