War in Ukraine: Russia uses never-before-seen malware


Alongside its physical attacks on the country, Russia is engaged in a veritable cyber war against Ukraine. The country seems to have prepared its hybrid war well in advance, as evidenced by the use of a brand new wiper-type malware. It was reported by cybersecurity researchers from Symantec and ESET, who named it HermeticWiper or Trojan.Killdisk.

The intention this time is not to temporarily interrupt certain services, nor to spread disinformation, but the outright destruction of data. A wiper is a particular type of malware whose only function is to erase the contents of the hard drive, deleting data and damaging the operating system; the device can then no longer start without a complete reinstallation. The malware notably targets financial institutions as well as companies working for the government. Its victims, however, are not only in Ukraine: organizations in Latvia and Lithuania were also hit by the wiper.

An attack that targets organizations’ computer networks

HermeticWiper is so named because its executable file is signed with a certificate issued to Hermetica Digital Ltd. Specialists are still analyzing the program, but they have been able to determine that it uses a driver signed with a certificate from the EaseUS Partition Master software, installed as a Windows service. The malware then corrupts the files on the hard disk and damages the partition table and the Master Boot Record (MBR), the boot area of the hard disk. The last step is to restart the machine, which is then unable to boot.

In at least one of the attacks, the hackers did not target individual computers: they used the domain controller directly to distribute the malware. "In one of the targeted organizations, the wiper was installed through the default GPO (domain policy), meaning the attackers had likely taken control of the Active Directory server," ESET asserted in a series of tweets.
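The two behaviours described above (a signed kernel driver registered as a new Windows service, and the wiper pushed through the default domain GPO) are both visible in ordinary Windows telemetry. The following Python script is an added example written for this article, not code from ESET, Symantec or the malware itself: it runs two hunting rules over a handful of constructed event records shaped like exported Windows event log entries. The event IDs (7045 "a service was installed", 5136 "a directory service object was modified") and the Default Domain Policy GUID are real; the host names, the service name `hxdrv`, the file path and the trusted-directory allowlist are assumptions made up for the example.

```python
"""Hunt for two HermeticWiper-style behaviours in exported Windows events.

Rule 1: a kernel-mode driver registered as a service from outside the usual
        driver locations. The reports say the driver is legitimately signed,
        so an Authenticode check alone would not flag it; location and
        novelty are the useful signals.
Rule 2: a modification of the Default Domain Policy GPO object in Active
        Directory, the distribution channel ESET described.
"""
from typing import Iterable

# Well-known GUID of the Default Domain Policy GPO (real value).
DEFAULT_DOMAIN_POLICY_GUID = "31B2F340-016D-11D2-945F-00C04FB984F9"

# Directories a kernel driver is normally loaded from. This allowlist is an
# assumption for the example and must be tuned to the environment.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample events (not real telemetry). Field names mimic the data
# an event log exporter would produce; event 5136 requires DS object auditing.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws-01", "service_name": "Spooler",
     "service_type": "user mode service",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
    {"event_id": 5136, "host": "dc-01", "object_class": "groupPolicyContainer",
     "object_dn": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,"
                  "CN=System,DC=corp,DC=example",
     "attribute": "gPCMachineExtensionNames", "subject": "CORP\\svc_backup"},
    {"event_id": 7045, "host": "ws-02", "service_name": "hxdrv",  # hypothetical
     "service_type": "kernel mode driver",
     "image_path": "C:\\Windows\\Temp\\hxdrv.sys"},
    {"event_id": 4624, "host": "ws-01", "logon_type": 3},
]


def _norm(path: str) -> str:
    """Strip quotes and normalise separators and case for prefix matching."""
    return path.strip().strip('"').replace("/", "\\").lower()


def is_suspicious_driver_install(event: dict) -> bool:
    """Event 7045 that registers a kernel-mode driver outside trusted dirs."""
    if event.get("event_id") != 7045:
        return False
    if "kernel" not in event.get("service_type", "").lower():
        return False
    return not _norm(event.get("image_path", "")).startswith(TRUSTED_DRIVER_DIRS)


def is_default_gpo_change(event: dict) -> bool:
    """Event 5136 that modifies the Default Domain Policy GPO object."""
    if event.get("event_id") != 5136:
        return False
    if event.get("object_class") != "groupPolicyContainer":
        return False
    return DEFAULT_DOMAIN_POLICY_GUID.lower() in event.get("object_dn", "").lower()


RULES = (
    ("default_domain_gpo_modified", is_default_gpo_change),
    ("kernel_driver_outside_driver_store", is_suspicious_driver_install),
)


def hunt(events: Iterable[dict]) -> list:
    """Return (rule_name, host) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                findings.append((name, ev.get("host", "?")))
    return findings


if __name__ == "__main__":
    for name, host in hunt(SAMPLE_EVENTS):
        print(f"[{name}] host={host}")
```

Either rule on its own produces some noise (an administrator legitimately editing the default GPO, a vendor installer dropping a driver), so in practice the two are worth correlating in time: a default-GPO change on the domain controller followed within minutes by driver-service installs on many hosts is the pattern the ESET account describes.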

An offensive prepared in advance

The malware authors appear to have been planning their attack for months. The compilation date of one of the malware samples is December 28, 2021. Furthermore, an organization in Lithuania was targeted by HermeticWiper as early as Tuesday, February 22, and the ground seems to have been prepared well in advance: the first traces of intrusion into its network date back to November 12, 2021, but no action was taken for several months until the malware was installed.

Another peculiarity of this attack is that ransomware was deployed in parallel, presumably to create a diversion and better hide the wiper. This is the same strategy as the January attack, dubbed WhisperGate, which also attempted to hide wiper-type malware behind ransomware. This new wiper, however, was designed to be far more devastating.
