The Russian military invasion of Ukraine is, unsurprisingly, accompanied by cyber attacks. Hours before the all-out assault tonight, ESET security researchers detected destructive malware that had infected “hundreds of machines” in the country. It was dubbed “HermeticWiper” (detected as “Win32/KillDisk.NCV”) because it is signed with a perfectly legitimate, and probably stolen, code-signing certificate issued to an obscure Cypriot company called Hermetica Digital Ltd.
Thanks to this certificate, the software is not immediately flagged by anti-virus products. It also embeds drivers from legitimate disk-partitioning software, which it uses to corrupt the machine's disk data before rebooting it.
Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n
— ESET research (@ESETresearch) February 23, 2022
According to The Register, the malware not only erases files but also the Master Boot Record, rendering computers completely inoperable. Researchers do not yet know how this “wiper” initially infects computers. In the case of one company, they could see that it was deployed through the organisation's administration system, which implies that the attackers had previously succeeded in taking control of its Active Directory. Analysis of the binary reveals build dates from late December 2021.
For their part, Symantec researchers have also detected a “wiper” type malware that is reportedly spreading in Ukraine, Latvia and Lithuania. Of course, the attribution of this malware is unclear, but given the geopolitical context, it is very likely the work of Russian hackers. These sabotage actions follow intense distributed denial of service attacks that yesterday targeted government and banking websites in Ukraine.
A new highly sophisticated Russian Trojan
Finally, it should be noted that the American and British cybersecurity agencies have just detected a new, very sophisticated Trojan horse from the Russian hacker group Sandworm. Named “Cyclops Blink”, it primarily infects WatchGuard firewall appliances to build a botnet whose command-and-control servers are reachable through the Tor network. From an operational point of view, Cyclops Blink replaces VPNFilter, which had infected more than 500,000 routers worldwide in 2018 and which was notably capable of manipulating SCADA traffic from industrial sites.
It is unclear whether its successor is somehow involved in the current cyberattacks in Ukraine. The Sandworm group is famous for causing power outages in that country in 2015 and 2016. It is also believed to be behind NotPetya, a worm that caused computer damage around the world.