While Russia continues its ground invasion of Ukraine, cyberattacks against Ukraine have also been reported. After the HermeticWiper attack, cybersecurity firm ESET has spotted a second wiping attack, called IsaacWiper, which started on February 24. The company revealed the details of the second attack in a new blog post dated March 1. It added that its observations suggest the attacks had been planned for months, though it has stopped short of attributing them to any particular entity.
“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in a Ukrainian governmental organisation that was not affected by HermeticWiper,” Jean-Ian Boutin, ESET Head of Threat Research, said. In a new blog post, the company stated that the IsaacWiper attack likely “started shortly after the Russian military invasion and hit a Ukrainian governmental network.”
ESET has also laid out a timeline of all cyberattacks it has observed against Ukraine so far.
HermeticWiper, together with HermeticWizard and HermeticRansom, targeted multiple Ukrainian organisations on February 23, a few hours before the Russian invasion of Ukraine began.
HermeticWiper, as the name suggests, is malware that wipes all data from the disks of an infected device. It also “wipes itself from the disk by overwriting its own file with random bytes.” According to ESET, “the measure is likely intended to prevent the analysis of the wiper in a post-incident analysis.” Inside a compromised local network the wiper is spread by a custom worm that ESET has named HermeticWizard.
ESET has also observed HermeticRansom, which it says acts as “decoy ransomware” to draw attention away from the disk-wiping malware.
The name “Hermetic” is derived from Hermetica Digital Ltd, the Cyprus-based company to which the code-signing certificate used on the malware was issued; as reports indicate, the attackers likely impersonated the company to obtain the certificate. ESET Research has asked the issuing certificate authority, DigiCert, to revoke the certificate immediately.
On February 24, the second wiping attack, IsaacWiper, started, according to ESET. Then, on February 25, ESET says the “attackers dropped a new version of IsaacWiper with debug logs, which may indicate they were unable to wipe some of the targeted machines.”
According to ESET, the affected organisations were compromised well in advance of the wipers’ deployment. Compilation timestamps going back to December 28, 2021, have been observed, along with a “code-signing certificate issue date of April 13, 2021,” Boutin said.
“The deployment of HermeticWiper through the default domain policy in at least one instance, suggesting the attackers had prior access to one of that victim’s Active Directory servers,” Boutin added. For IsaacWiper, the oldest compilation timestamp found was October 19, 2021.
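Two of the artefacts in ESET's timeline, the Hermetica Digital code-signing certificate and the deployment of the wiper through the Default Domain Policy, are things a defender can check for directly. The PowerShell below is an added example written for this page, not code from ESET or from the article. It assumes a domain-joined Windows host with read access to SYSVOL, relies on the Default Domain Policy's well-known GUID, and matches the signer by substring because the article gives the company name rather than the certificate's exact subject string. Any other path or threshold is a configurable assumption, not something the report states.

```powershell
# Added hunting script for this page (not ESET's code). Assumptions are labelled.
param(
    # Domain whose SYSVOL is inspected (assumption: current user's DNS domain).
    [string]$Domain = $env:USERDNSDOMAIN,
    # Local directories to scan for signed PE files (assumption: adjust to your estate).
    [string[]]$ScanRoots = @("$env:SystemRoot\Temp", "$env:SystemRoot\System32"),
    # How far back a write to the Default Domain Policy counts as "recent" (assumption).
    [int]$RecentDays = 7
)

# Substring match on the certificate subject; the exact CN is not given in the article.
$SignerPattern = 'Hermetica Digital'
# Well-known GUID of the Default Domain Policy GPO in every AD domain.
$DefaultDomainPolicyGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'

# 1. Find PE files whose Authenticode signer subject mentions Hermetica Digital.
#    Status alone is not a verdict: the binaries were validly signed when deployed,
#    so a 'Valid' status before revocation propagates is expected, not reassuring.
function Find-HermeticaSignedFiles {
    param([string[]]$Roots, [string]$Pattern)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -like "*$Pattern*") {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Subject    = $sig.SignerCertificate.Subject
                    Thumbprint = $sig.SignerCertificate.Thumbprint
                    Status     = $sig.Status
                }
            }
        }
    }
}

# 2. Look for recent writes inside the Default Domain Policy folder in SYSVOL.
#    Scheduled-task preferences and startup scripts live under Machine\Preferences
#    and Machine\Scripts; any PE dropped into the policy folder is also signature-checked.
function Get-RecentDefaultDomainPolicyChanges {
    param([string]$DomainName, [int]$Days, [string]$Pattern)
    $policyPath = "\\$DomainName\SYSVOL\$DomainName\Policies\$DefaultDomainPolicyGuid"
    $cutoff = (Get-Date).AddDays(-$Days)
    $hotFiles = @(
        'Machine\Preferences\ScheduledTasks\ScheduledTasks.xml',
        'Machine\Scripts\scripts.ini',
        'Machine\Scripts\psscripts.ini'
    )
    Get-ChildItem -Path $policyPath -Recurse -File -ErrorAction Stop |
    ForEach-Object {
        $relative = $_.FullName.Substring($policyPath.Length).TrimStart('\')
        $isPe     = $_.Extension -in '.exe', '.dll', '.sys'
        $signer   = if ($isPe) { (Get-AuthenticodeSignature -FilePath $_.FullName).SignerCertificate.Subject } else { $null }
        [pscustomobject]@{
            RelativePath  = $relative
            LastWriteTime = $_.LastWriteTime
            Recent        = $_.LastWriteTime -gt $cutoff
            Sensitive     = $hotFiles -contains $relative
            Signer        = $signer
            SignerMatch   = ($signer -and $signer -like "*$Pattern*")
        }
    } | Where-Object { $_.Recent -or $_.Sensitive -or $_.SignerMatch }
}

Write-Host "== Files under scan roots signed by '$SignerPattern' =="
Find-HermeticaSignedFiles -Roots $ScanRoots -Pattern $SignerPattern | Format-Table -AutoSize

Write-Host "== Default Domain Policy: recent, sensitive, or Hermetica-signed files (last $RecentDays days) =="
Get-RecentDefaultDomainPolicyChanges -DomainName $Domain -Days $RecentDays -Pattern $SignerPattern |
    Format-Table -AutoSize
```

Run it on a domain controller or any domain-joined host that can read SYSVOL. A hit in the first table is a file carrying the impersonated certificate; a line in the second table that is both recent and sensitive (for example a freshly written ScheduledTasks.xml in the Default Domain Policy) is the kind of change that only an operator with write access to the domain's policy objects can make, which is the point ESET draws from the Active Directory evidence.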