Friday, Feb 03, 2023

Russia-Ukraine cyber war: A look at DDoS attacks, HermeticWiper malware

While Russia's on ground invasion of Ukraine continues, cyberattacks against Ukrainian websites and networks have also been taking place. A look at the cyberattacks reported so far, including the HermeticWiper malware.

SentinelOne’s Principal Threat Researcher Juan Andrés termed the new malware as an “expected and regrettable” escalation from attackers. Picture for illustrative purposes. (Image credit: Negative Space on Pexels)

The war between Russia and Ukraine is not only being fought on the ground, but also in cyberspace. Cyberattacks on state-owned digital assets, including websites and banking services, have gradually increased in both frequency and sophistication, beginning with distributed denial-of-service (DDoS) attacks before escalating to complex wiper malware and ransomware.

Here’s a look at the cyberattacks reported so far, including the HermeticWiper malware that has drawn particular attention.

Early January: ShuckWorm Group

Cybersecurity firm Symantec reported that the Russia-linked ShuckWorm group (also known as Gamaredon or Armageddon) was “continuing to conduct cyber-espionage attacks against targets in Ukraine.” In a blog post dated January 31, the firm noted that it had “found evidence of attempted attacks against a number of organisations in the country.” The group primarily relies on “phishing emails” to distribute malware, including tools capable of remotely controlling infected devices. The attacks were reportedly ongoing since July 2021.

Cyberattacks against Ukrainian websites

On February 16, a series of cyberattacks knocked the websites of several ministries, major banks and the Ukrainian army offline. At least 10 Ukrainian websites were unreachable because they were the victims of a DDoS attack, in which attackers use a network of computers to send a massive flood of requests to a server or web resource, leaving it unable to serve legitimate user requests.

HermeticWiper malware

On February 23, the Threat Hunter team at Symantec and researchers at cybersecurity company ESET announced the discovery of a new malware called “HermeticWiper”. The name comes from the false digital certificate used to sign the file, which was issued in the name of a company called Hermetica Digital Ltd. It is wiper malware, meaning it is designed to destroy the hard drives or system storage of the systems it infects.

According to ESET researchers, the malware used against Ukrainian targets abused legitimate drivers from popular disk management software to corrupt data on the infected machine. The wiper was used to target Ukrainian organisations and, according to ESET, in at least one case the threat actors had access to a victim’s network before unleashing the malware.

HermeticWiper works by first corrupting the Master Boot Record (MBR) of every physical drive. The MBR is the boot sector at the very beginning of a partitioned hard drive; it holds the information describing how the partitions and file systems on that drive are organised. While that alone is enough to make the drive unbootable, the malware goes on to make the data unrecoverable by using bit manipulation to corrupt all the data on the drive. Finally, it initiates a system shutdown, finalising its effects on the system.
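For a defender, the MBR structure described above is small enough to verify directly as part of boot-sector integrity monitoring. The following Python is an added example, not code from the article or from the researchers it cites: it parses a 512-byte MBR (bootstrap code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510) and compares it against a known-good hash so that a wiped or tampered boot sector is reported. The sample sector and the baseline hash are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"  # little-endian 0xAA55 at offset 510


def mbr_hash(sector: bytes) -> str:
    """SHA-256 of the whole sector; record this as the known-good baseline."""
    return hashlib.sha256(sector).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Parse an MBR into its partition entries; raise ValueError if it is malformed."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: MBR is corrupt or overwritten")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # unused slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"bootstrap_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a captured boot sector; an empty list means it matches."""
    try:
        info = parse_mbr(sector)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if mbr_hash(sector) != baseline_sha256:
        findings.append("MBR hash differs from baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition flagged")
    return findings


def make_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS (type 0x07) partition starting at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return b"\xeb\xfe" + b"\x00" * 444 + entry + b"\x00" * 48 + BOOT_SIGNATURE
```

On a live system the sector would be read from the raw device (for example the first 512 bytes of `\\.\PhysicalDrive0` on Windows) and the baseline hash stored off-host, since the wiper described above destroys the local copy.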


Due to this attack, customers of Privatbank, Ukraine’s largest state-owned bank, and Sberbank, another state-owned bank, reported problems with online payments and the banks’ applications. The hosting provider for Privatbank and the Ukrainian army were among the attackers’ targets.

Anonymous declares war against Russia

On February 25, hacker group Anonymous declared a cyberwar against the Russian government. Since then, the group has claimed credit for a series of DDoS attacks that rendered many Russian sites, including various government websites and the website of Russia Today, a state-controlled international television network funded by the tax budget of the Russian government, unserviceable.

According to an AFP report, Anonymous also left messages on the Russian websites asking Russian users to put an end to the war. Anonymous’s Twitter handle has also referred to these operations against Russia and posted several tweets about alleged attacks.

Meanwhile, a video claiming to be from Anonymous, which threatened to withdraw money from Russian bank accounts if they don’t protest, has been called out as fake. The Twitter handle also posted that the group does not steal from people and that such claims were fake.

First published on: 01-03-2022 at 14:46 IST