Russia’s invasion of Ukraine has not been confined to military operations. Several reports have described malware deployed against government organisations in Ukraine to seize control of their systems, destroy them and render them inoperable. It cannot be confirmed that these attacks originated in Russia, but several research reports assess them to be state-backed cyber attacks. The latest is CaddyWiper. We take a look at how malware has been used in this conflict.
January 15, 2022: Microsoft Threat Intelligence Center (MSTIC) first revealed that a malware known as WhisperGate was being used to target organisations in Ukraine.
February 23, 2022: Cybersecurity researchers from SentinelLabs disclosed that another piece of malware, known as HermeticWiper, was being used against organisations in Ukraine. The malware targets Windows devices and leaves them unable to boot (more on it below).
February 24, 2022: IsaacWiper was deployed in Ukraine, according to a timeline shared by ESET researchers. The timeline also suggested that the attacks could have been strategically planned, as the malware had reportedly been in development for months before its release.
March 7, 2022: Ukraine’s Computer Emergency Response Team (CERT-UA) confirmed a cyber-attack campaign targeting Ukrainian government agencies with the MicroBackdoor malware. In a statement, CERT-UA said that government organisations had been the target of several malicious attacks.
March 14, 2022: A new destructive malware, CaddyWiper, was discovered in Ukraine by security researchers from ESET, a Slovakia-based cybersecurity firm.
WhisperGate: It is a boot-record wiper that destroys the victim’s Master Boot Record (MBR). The MBR is the first sector of a disk: it holds a small piece of boot code and the partition table that tells the computer where the operating system (OS) lives, so that when you switch the device on, the firmware can find the OS and start it.
The malware overwrites the MBR so that, on the next start, the system finds no valid boot code or partition table and fails to boot. The boot record itself can be rewritten, but the files the malware also corrupts on the disk cannot be recovered, so the victim is effectively locked out of their data. It should be noted that WhisperGate is a new malware family.
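The following is an added example, not code from the original article or from Microsoft: a small script that parses a 512-byte Master Boot Record and flags the traces a boot-record wiper like WhisperGate leaves behind (partition table gone, boot code replaced by a text note). The two sample sectors are constructed for illustration and are not real WhisperGate samples; the only assumption is the standard MBR layout of 446 bytes of boot code, four 16-byte partition entries at offset 446 and the 0x55AA signature at offset 510.

```python
"""
Added example (not from the original article): parse a 512-byte MBR and flag
the signs of a boot-record wiper. The sample sectors below are constructed
test data, not real malware samples.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries (a type byte of 0 means unused)."""
    entries = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, offset)
        if ptype != 0:
            entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries


def assess_mbr(mbr: bytes) -> list:
    """Return a list of findings; an empty list means the sector looks intact."""
    if len(mbr) != MBR_SIZE:
        return [f"sector is {len(mbr)} bytes, expected {MBR_SIZE}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partition_table(mbr)
    if not parts:
        findings.append("partition table empty")
    elif not any(p.bootable for p in parts):
        findings.append("no partition flagged bootable")
    boot_code = mbr[:PART_TABLE_OFFSET]
    if boot_code.count(0) > 0.9 * len(boot_code):
        findings.append("boot code region is almost all zeros")
    printable = sum(32 <= b < 127 for b in boot_code)
    if printable > 0.5 * len(boot_code):
        # a ransom note written where code belongs is mostly ASCII text
        findings.append("boot code region is mostly printable text")
    return findings


def mbr_matches_baseline(mbr: bytes, baseline_sha256: str) -> bool:
    """Cheapest check of all: compare against a hash recorded while the machine was healthy."""
    return hashlib.sha256(mbr).hexdigest() == baseline_sha256


def build_healthy_mbr() -> bytes:
    """Constructed sector: x86-looking boot code, one bootable NTFS partition, valid signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) * 60
    boot_code = boot_code.ljust(PART_TABLE_OFFSET, b"\x90")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed sector in the style of a boot-record wiper: a text note where
    code should be, partition table zeroed, signature kept so the firmware still
    jumps into the stub."""
    note = b"Your hard drive has been corrupted. Contact the address below.\n" * 5
    return note.ljust(PART_TABLE_OFFSET, b"\x00") + b"\x00" * 64 + BOOT_SIGNATURE


if __name__ == "__main__":
    for label, sector in (("healthy", build_healthy_mbr()), ("wiped", build_wiped_mbr())):
        print(label, assess_mbr(sector) or "no findings")
```

On a live system the sector would come from the raw disk device (for example the first 512 bytes of \\.\PhysicalDrive0 on Windows, read with administrator rights) rather than from the constructed builders above; the heuristics are deliberately loose, so a baseline hash taken from a known-good image is the check to trust first.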
According to Microsoft’s Threat Intelligence report, it is being used in an ongoing operation targeting multiple industries in Ukraine, including government, non-profit and information technology organisations. The malware wipes and corrupts a Windows system to the point where files and drives are no longer recoverable or usable. Details of the motive for WhisperGate and the threat actor behind the attacks are still emerging.
HermeticWiper: Researchers at ESET, who also reported the data wiper, said it had been detected on hundreds of computers in Ukraine. Once it runs on a victim’s machine, HermeticWiper does what its name suggests: it wipes the data on the disk in a way that makes it practically impossible to retrieve any information from the computer. It is regarded as a particularly capable wiper because it also disables the Windows Volume Shadow Copy Service, removing the snapshots that data recovery tools rely on.
What makes HermeticWiper more dangerous is that it was spread to many computers on the same network at once: ESET observed it being pushed out through a Windows domain’s group policy, and a worm component that carries it across the local network. ESET also explains that a ransomware program was deployed alongside the wiper, apparently as a decoy: it demands a ‘ransom’ for the data, but paying would not recover anything the wiper has destroyed.
The name ‘Hermetic’ comes from Hermetica Digital Ltd, the Cyprus-based company to which the code-signing certificate used to sign the malware was issued; reports indicate the attackers most likely impersonated the company to obtain it. ESET Research asked the issuing certificate authority, DigiCert, to revoke the certificate immediately.
IsaacWiper: After the HermeticWiper attack, cybersecurity firm ESET spotted a second wiping attack, IsaacWiper, and revealed its details in a blog post dated March 1. Based on its observations, ESET said the attacks appeared to have been planned for months, though it stopped short of blaming any particular entity. IsaacWiper was used against a network that had not been affected by HermeticWiper.
Notably, IsaacWiper shares no code with HermeticWiper and is considerably less sophisticated, but it serves the same purpose. ESET researchers found a compilation timestamp in IsaacWiper’s code dating it to October 2021, which suggests it could have been engineered months before the attacks against Ukraine and could also have been used in earlier campaigns, though such timestamps can be forged and are not proof on their own.
MicroBackdoor malware: According to CERT-UA, the Ukrainian government’s incident response team, MicroBackdoor gives its operators remote access to the victim’s system, letting them run commands on it without the victim’s knowledge. The phishing emails sent to victims carry an archive named ‘dovidka.zip’ containing a Compiled HTML Help file; opening it displays a decoy image, ‘image.jpg’, while a script embedded in the file runs in the background and installs the backdoor.
CaddyWiper: This malware also targets user data. According to the researchers, it erases not just user data but also the partition information of any drive that happens to be connected to an affected machine. It works by overwriting the contents of files on the victim’s machine with null bytes, destroying the data for good. ESET also noted that CaddyWiper checks whether the machine is a domain controller and spares it, most likely so the attackers can keep using the domain to push the wiper out. Unlike ransomware, which holds data hostage, a wiper is used only to permanently destroy data on an affected PC.
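The following is an added example, not code from the original article or from ESET: a small forensic triage scan for the trace a CaddyWiper-style wiper leaves behind, namely files whose contents have been overwritten with null bytes while keeping their size. The sample directory, its file names and contents are constructed here for illustration, and the 4096-byte inspection window is an assumed budget, not a constant taken from the malware.

```python
"""
Added example (not from the original article): find files whose leading bytes
are all 0x00, the footprint of a null-byte overwrite. Sample files are
constructed in a temporary directory; nothing here comes from a real incident.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

HEAD_BYTES = 4096  # bytes inspected per file (assumed budget, not a wiper constant)


@dataclass
class WipedFile:
    path: Path
    size: int
    zero_prefix: int  # bytes from offset 0 that were all zero


def zeroed_prefix_length(path: Path, limit: int = HEAD_BYTES) -> int:
    """Number of leading 0x00 bytes, scanning at most `limit` bytes of the file."""
    with open(path, "rb") as f:
        head = f.read(limit)
    return len(head) - len(head.lstrip(b"\x00"))


def scan_for_zero_filled(root: Path, min_size: int = 1) -> list:
    """Walk `root` and return files whose inspected prefix is entirely null bytes.
    Empty files are skipped: an empty file is not evidence of overwriting."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            size = p.stat().st_size
            if size < min_size:
                continue
            zeros = zeroed_prefix_length(p)
            if zeros == min(size, HEAD_BYTES):
                hits.append(WipedFile(p, size, zeros))
    return sorted(hits, key=lambda h: str(h.path))


def make_sample_dir() -> Path:
    """Constructed sample: an intact text file, a zero-filled 'wiped' document,
    an empty log and a PDF whose header is intact but whose tail is zero padded."""
    root = Path(tempfile.mkdtemp(prefix="wiper_triage_"))
    (root / "notes.txt").write_bytes(b"Quarterly budget draft\n" * 50)
    (root / "report.docx").write_bytes(b"\x00" * 8192)  # same size as before, contents gone
    (root / "empty.log").write_bytes(b"")
    archive = root / "archive"
    archive.mkdir()
    (archive / "old.pdf").write_bytes(b"%PDF-1.4\n" + b"\x00" * 4000)  # not a wipe: header intact
    return root


if __name__ == "__main__":
    for hit in scan_for_zero_filled(make_sample_dir()):
        print(f"{hit.path} size={hit.size} zero_prefix={hit.zero_prefix}")
```

Legitimately zero-filled files (pre-allocated virtual disks, swap or sparse files) will also match, so a hit is a lead to corroborate with file-system timestamps and the master file table, not a verdict on its own; pointing the scan at a live disk while the wiper is still running would only add to the damage, so run it against an image or a mounted read-only copy.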
Caution and users’ vigilance are key to cyber safety. Prasad T, Senior Security Architect at Verse Innovation, told indianexpress.com that awareness of the security threats involved in opening the attachments and links in suspicious emails and messages should seep into the user community. “Legitimate antivirus should be installed on the system which will monitor and prevent download and execution of malware files and other insecure procedures.”
“Ukraine does not have time in hand. As there is no time to strengthen the security posture, the best way is to reduce the exposure to the internet and increase the security awareness among the users. They should also do a detailed vulnerability analysis and fix the important security vulnerabilities on priority,” he said.
Another cyber security expert, Ashutosh Verma, founder of Exalta India, cautioned that these viruses are hidden inside malicious links. He believes that internal or anti-social agents can use such malware programs to create disturbance even in India. “Cybersecurity branches of the country should be cautious that the anti-social elements do not cause any issue in the future,” he added.