A second wiping attack via IsaacWiper started shortly after the Russian military invasion and hit a Ukrainian governmental network
- On February 23, a destructive campaign using HermeticWiper (along with HermeticWizard and HermeticRansom) targeted multiple Ukrainian organizations. This cyberattack preceded the start of the Russian invasion of Ukraine by a few hours.
- HermeticWiper wipes itself from disk by overwriting its own file with random bytes. This anti-forensic measure is likely intended to prevent the analysis of the wiper in a post-incident analysis.
- HermeticWiper is propagated inside compromised local networks by a custom worm we named HermeticWizard.
- On February 24, a second destructive attack against a Ukrainian governmental network started, using a wiper ESET has named IsaacWiper.
- On February 25, attackers dropped a new version of IsaacWiper with debug logs, which may indicate they were unable to wipe some of the targeted machines.
- Malware artifacts suggest that the attacks had been planned for several months.
- ESET Research has not yet been able to attribute these attacks to a known threat actor.
BRATISLAVA — March 1, 2022 — As the Russian invasion was starting in Ukraine, ESET researchers discovered two new wiper malware families targeting Ukrainian organizations. The first cyberattack started a few hours prior to the Russian military invasion as ESET Research reported on its Twitter account, and after the distributed denial-of-service (DDoS) attacks against major Ukrainian websites earlier that day. These destructive attacks leveraged at least three components: HermeticWiper for wiping the data, HermeticWizard for spreading on the local network, and HermeticRansom acting as a decoy ransomware. Malware artifacts suggest that the attacks had been planned for several months. As the Russian invasion started, a second destructive attack against a Ukrainian governmental network started, using a wiper that ESET Research has named IsaacWiper.
“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in a Ukrainian governmental organization that was not affected by HermeticWiper,” says ESET Head of Threat Research Jean-Ian Boutin.
ESET researchers assess with high confidence that the affected organizations were compromised well in advance of the wiper’s deployment. “This is based on several facts: the HermeticWiper PE compilation timestamps, the oldest being December 28, 2021; the code-signing certificate issue date of April 13, 2021; and the deployment of HermeticWiper through the default domain policy in at least one instance, suggesting the attackers had prior access to one of that victim’s Active Directory servers,” says Boutin.
IsaacWiper appeared in ESET telemetry on February 24. The oldest PE compilation timestamp found was October 19, 2021, meaning that if its PE compilation timestamp was not tampered with, IsaacWiper might have been used in previous operations months earlier.
In the case of HermeticWiper, ESET has observed artifacts of lateral movement inside the targeted organizations and that the attackers likely took control of an Active Directory server. A custom worm that ESET researchers named HermeticWizard was used to spread the wiper across the compromised networks. For the second wiper – IsaacWiper – the attackers used RemCom, a remote access tool, and possibly Impacket for movement inside the network.
Furthermore, HermeticWiper wipes itself from disk by overwriting its own file with random bytes. This anti-forensic measure is likely intended to prevent the analysis of the wiper in a post-incident analysis. The decoy ransomware HermeticRansom was deployed at the same time as HermeticWiper, potentially in order to hide the wiper’s actions.
Just a day after the deployment of IsaacWiper, attackers dropped a new version with debug logs. This may indicate that the attackers were unable to wipe some of the targeted machines and added log messages to understand what was happening.
ESET Research has not yet been able to attribute these attacks to a known threat actor due to the lack of any significant code similarity with other samples in the ESET malware collection.
The term “Hermetic” is derived from Hermetica Digital Ltd, a Cypriot company to which the code-signing certificate was issued. According to a report by Reuters, it seems that this certificate was not stolen from Hermetica Digital. Instead, it is likely that the attackers impersonated the Cypriot company in order to get this certificate from DigiCert. ESET Research requested the issuing company DigiCert to revoke the certificate immediately.
Timeline of important events
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.