
Russia-Ukraine war: After HermeticWiper, a second malware called IsaacWiper observed

After the HermeticWiper attack, cybersecurity firm ESET has spotted a second wiping attack called IsaacWiper, which started on February 24.

IsaacWiper is the second malware attack observed in Ukraine after HermeticWiper. Representational image via Pixabay.

While Russia continues its on-ground invasion of Ukraine, cyberattacks have also been reported against Ukraine. After the HermeticWiper attack, cybersecurity firm ESET has spotted a second wiping attack called IsaacWiper, which started on February 24. The company has revealed the details of the second attack in a new blog dated March 1. It added that based on the observations it looks like the attacks were planned for months, though it has stopped short of blaming any particular entity for these.

“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in a Ukrainian governmental organisation that was not affected by HermeticWiper,” Jean-Ian Boutin, ESET Head of Threat Research, said. In a new blog post, the company stated that the IsaacWiper attack likely “started shortly after the Russian military invasion and hit a Ukrainian governmental network.”

ESET has also laid out a timeline of all cyberattacks it has observed against Ukraine so far.

February 23: HermeticWiper and co

HermeticWiper, together with HermeticWizard and HermeticRansom, targeted multiple Ukrainian organisations on February 23; this attack preceded the start of the Russian invasion of Ukraine by a few hours.

HermeticWiper, as the name suggests, is malware that wipes all data from the disks of an infected device. It also “wipes itself from the disk by overwriting its own file with random bytes.” According to ESET, “the measure is likely intended to prevent the analysis of the wiper in a post-incident analysis.” The malware spreads inside compromised local networks by means of a custom worm that ESET has named HermeticWizard.
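The two behaviours described in the paragraph above, raw access to the disk and a binary overwriting its own file, are both things an endpoint sensor can record. The following is an added example, not code from the article or from ESET, that runs a small triage rule over constructed, simplified Sysmon-style event lines: it flags raw access to a disk device (Sysmon Event ID 9, RawAccessRead, with its Device field) and a process whose FileCreate event (Sysmon Event ID 11) has a TargetFilename equal to its own Image. The key=value line format, the sample paths and the treatment of such an Event ID 11 as a self-overwrite are all assumptions made for the example.

```python
"""
Added example (not from the article or from ESET): triage constructed,
simplified Sysmon-style event lines for two wiper-like behaviours.
The key=value line format is an assumed export, not Sysmon's real XML.
"""
from collections import defaultdict
import re

# Constructed sample lines. One process both reads a raw volume and then
# overwrites its own image; the other lines are ordinary activity.
SAMPLE_LOG = """\
EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\a\\Desktop\\notes.txt
EventID=9 Image=C:\\Windows\\Temp\\cdrv.exe Device=\\Device\\HarddiskVolume2
EventID=11 Image=C:\\Windows\\Temp\\cdrv.exe TargetFilename=C:\\Windows\\Temp\\cdrv.exe
EventID=9 Image=C:\\Windows\\System32\\svchost.exe Device=\\Device\\HarddiskVolume2
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value line into a dict (sample paths contain no spaces)."""
    return dict(FIELD_RE.findall(line))


def norm(path):
    """Case-fold a Windows path so the same file compares equal."""
    return path.strip().lower()


def is_raw_disk_access(ev):
    """Event ID 9 whose Device is a \\Device\\Harddisk... object."""
    return (ev.get("EventID") == "9"
            and norm(ev.get("Device", "")).startswith("\\device\\harddisk"))


def is_self_overwrite(ev):
    """Event ID 11 whose target file is the process's own image (assumption:
    an in-place overwrite of the running binary surfaces as FileCreate)."""
    image = norm(ev.get("Image", ""))
    return (ev.get("EventID") == "11"
            and image != ""
            and image == norm(ev.get("TargetFilename", "")))


def triage(log_text):
    """Return {image_path: sorted behaviour tags} for every image with a hit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        image = norm(ev.get("Image", "<unknown>"))
        if is_raw_disk_access(ev):
            hits[image].add("raw_disk_access")
        if is_self_overwrite(ev):
            hits[image].add("self_overwrite")
    return {img: sorted(tags) for img, tags in hits.items()}


def high_confidence(findings):
    """Images showing both behaviours. Raw disk access alone is routine for
    backup, imaging and defragmentation tools, so only the combination is
    worth escalating on its own."""
    wanted = {"raw_disk_access", "self_overwrite"}
    return sorted(img for img, tags in findings.items() if wanted <= set(tags))


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for img, tags in sorted(findings.items()):
        print(img, tags)
    print("escalate:", high_confidence(findings))
```

On the constructed sample, only the process that both touched the raw volume and rewrote its own file is escalated; the system process that merely read a volume is recorded but not escalated, which is the caveat a practitioner would want: raw disk reads by legitimate tools are common, and the rule gains its value from the combination.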

ESET has also observed HermeticRansom, which they say is acting as “decoy ransomware” to take attention away from the disk-wiping malware.

The term “Hermetic” is derived from Hermetica Digital Ltd, the Cyprus-based company to which the code-signing certificate was issued, though, as reports indicate, the attackers likely impersonated the company to obtain the certificate. ESET Research has asked DigiCert, the certificate authority that issued it, to revoke the certificate immediately.


February 24: IsaacWiper gets deployed

On February 24, a second wiping attack called IsaacWiper started, according to ESET. Then on February 25, ESET says the “attackers dropped a new version of IsaacWiper with debug logs, which may indicate they were unable to wipe some of the targeted machines.”

Attacks planned for months

According to ESET, the affected organisations were compromised well in advance of the wiper’s deployment. Timestamps going back to December 28, 2021, have been observed along with a “code-signing certificate issue date of April 13, 2021,” Boutin said.

“The deployment of HermeticWiper through the default domain policy in at least one instance, suggesting the attackers had prior access to one of that victim’s Active Directory servers,” Boutin added. For IsaacWiper the oldest compilation timestamp found was October 19, 2021.

First published on: 02-03-2022 at 12:41:54 pm