HermeticWiper malware attack (2022)

From International cyber law: interactive toolkit
Date The HermeticWiper malware was deployed and first detected by cybersecurity companies on the afternoon of 23 February 2022, when it was found on hundreds of computers belonging to Ukrainian organizations.[1] Microsoft reported further incidents involving the HermeticWiper destructive malware during the following weeks,[2] and the Washington Post reported that on 25 February 2022 a wiper attack of this kind disabled the operating systems at a Ukrainian border control station on the border with Romania.[3]

However, according to ESET Research and Broadcom's Symantec, which first discovered the malware,[4] the samples had been compiled, and the attackers appear to have gained access to at least one victim network, as early as December 2021.[5] The attack may therefore have been in preparation for nearly two months.[6] Both Symantec[7] and the US Cybersecurity and Infrastructure Security Agency (CISA) have gone further, stating that “temporal evidence points to potentially related malicious activity beginning as early as November 2021”.[8]

Suspected actor To date, no State has officially attributed the attacks. Cybersecurity researchers have likewise not linked the development of the malware to a specific threat actor,[9] and the malware does not appear to share code with known malware families.[10] Some news outlets have nonetheless argued that the circumstances,[11] the methodical use of data wipers[12] and the timing indicate a Russian-associated attack.[13] Russia has denied the allegations.[14]

The Microsoft Threat Intelligence Center (MSTIC) has stated in a recent report that it “assesses with moderate confidence that IRIDIUM, an activity group that the US Government has attributed to the GRU Main Center for Special Technologies (Unit 74455) is linked to intrusion activity leading to the deployment of FoxBlade (…) in Ukraine”,[15] FoxBlade being Microsoft's name for the HermeticWiper malware.

Victims The malicious wiper was used to attack the operating systems of Ukrainian government, financial, defense, aviation, IT, and energy service organizations.[16]

According to Broadcom's Symantec, there was also evidence of HermeticWiper activity against computers in Lithuania[17] and Latvia.[18]

Target systems Microsoft Windows-based operating systems.[19]
Method The initial access vector used to deploy the malware has not been fully determined,[20] and different vectors appear to have been used against different organizations.[21] In some attacks, the intruders appear to have gained access to the network through malicious SMB (Server Message Block) activity against a Microsoft Exchange Server, followed by credential theft.[22] In other cases, the attackers appear to have exploited a vulnerability in Microsoft SQL Server.[23] ESET Research reported that in at least one organization the wiper was pushed out through a Group Policy Object from the Windows domain controller, indicating that the attackers already controlled the Active Directory environment before the wiper was launched.[24]

A custom worm, HermeticWizard, was used to spread the wiper across the compromised networks of the targeted organizations.[25] Once deployed, HermeticWiper abused a legitimate, signed disk-partitioning driver (the EaseUS Partition Master driver) to perform raw disk writes, and it evaded Windows security features[26] because the wiper binary itself carried a valid code signature under a certificate issued to a Cypriot company, Hermetica Digital Ltd, which is alleged to have been stolen or fraudulently obtained.[27] It then used low-level disk operations to corrupt data and disabled the Volume Shadow Copy Service (VSS), the Windows service used for backup snapshots.[28] The wiper fragmented files on disk and overwrote them, so that running applications progressively failed as execution advanced.[29] It also corrupted the Master Boot Record (MBR)[30] of the hard drive,[31] which prevented the computers from booting into the operating system.[32] Further, it “wipe[d] itself from disk by overwriting its own file with random bytes” to hinder later analysis.[33] Finally, the machine was forcibly restarted, which ended in a boot failure and left the operating system almost certainly unrecoverable.[34]
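A forensic triage check for the boot-sector damage described above, as an added example that is not code from this toolkit page, from HermeticWiper, or from any of the cited reports. It reads the first 512 bytes of a disk image (the MBR), checks the 0x55AA boot signature and the four partition-table entries, and estimates byte entropy so that a sector overwritten with random data is distinguished from one that was merely zeroed. The sample sectors, the placeholder boot-code bytes, the entropy threshold and the function names are constructed assumptions for the example; the path given to check_disk_image() is whatever raw image you have.

```python
"""
MBR triage check for a disk image from a suspected wiper incident.

Added illustration for this page; not code from the toolkit, from
HermeticWiper, or from any vendor report cited here. All sample sectors
below are constructed for the example, and the 16 "boot code" bytes are a
placeholder, not a real bootloader.
"""
import hashlib
import math
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
RANDOM_ENTROPY_THRESHOLD = 7.0  # bits per byte (assumed); real MBRs sit far below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for all-zero data, about 7.6 for 512 random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (the CHS fields are skipped)."""
    status, ptype, lba_start, sector_count = struct.unpack_from("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sector_count": sector_count,
        # A sane entry has a known status byte, a non-zero type and a non-zero size.
        "valid": status in (0x00, 0x80) and ptype != 0 and sector_count > 0,
    }


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-signature check, the byte entropy and the used partition slots."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = parse_partition_entry(sector[off:off + PARTITION_ENTRY_SIZE])
        if entry["type"] != 0:  # type 0 means the slot is unused
            entries.append(entry)
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "entropy": shannon_entropy(sector),
        "partitions": entries,
    }


def triage_mbr(sector: bytes) -> str:
    """Classify a first sector as intact or as one of the common wipe patterns."""
    if len(sector) != SECTOR_SIZE:
        return "wrong-size"
    if not any(sector):
        return "zeroed"
    info = parse_mbr(sector)
    if info["entropy"] > RANDOM_ENTROPY_THRESHOLD:
        return "random-overwrite"
    if not info["signature_ok"]:
        return "no-boot-signature"
    if not any(p["valid"] for p in info["partitions"]):
        return "signature-ok-no-partitions"
    return "intact"


def check_disk_image(path: str) -> str:
    """Triage the first sector of a raw (dd-style) disk image stored at path."""
    with open(path, "rb") as fh:
        return triage_mbr(fh.read(SECTOR_SIZE))


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one NTFS partition, valid signature."""
    boot_code = bytes.fromhex("fa33c08ed0bc007c8bf45007501ffbfc") + bytes(446 - 16)
    # status 0x80 (bootable), CHS start, type 0x07 (NTFS), CHS end,
    # LBA start 2048, 204800 sectors (100 MiB).
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty = bytes(PARTITION_ENTRY_SIZE) * 3
    return boot_code + ntfs + empty + BOOT_SIGNATURE


def build_random_sector(seed: bytes = b"constructed-wiped-sector") -> bytes:
    """Constructed, deterministic stand-in for a sector overwritten with random bytes."""
    out, block = b"", seed
    while len(out) < SECTOR_SIZE:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:SECTOR_SIZE]


SAMPLE_INTACT = build_sample_mbr()
SAMPLE_ZEROED = bytes(SECTOR_SIZE)
SAMPLE_RANDOM = build_random_sector()

if __name__ == "__main__":
    for name, sector in (("intact", SAMPLE_INTACT), ("zeroed", SAMPLE_ZEROED), ("random", SAMPLE_RANDOM)):
        print(f"{name:>7}: verdict={triage_mbr(sector)} entropy={shannon_entropy(sector):.2f}")
```

Run it against the first sector of a dd image taken from an affected host (check_disk_image("host.dd")). Two caveats for practitioners: the verdict only covers the legacy MBR, so a GPT disk will show a single "protective" entry of type 0xEE and be reported as intact even if the GPT header at LBA 1 has been destroyed; and a wiper that leaves the MBR alone but corrupts NTFS metadata further into the volume will not be detected by this check at all, so treat "intact" as the start of triage, not the end.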

HermeticWiper was deployed alongside a ransomware strain named “PartyTicket”, allegedly as a decoy for the wiper attack,[35] a tactic similar to that used in the WhisperGate and NotPetya incidents.[36]

Purpose The alleged purpose of the attack was to damage, disable and render the computer systems of the targeted organizations inoperable.[37]

Several sources linked the attack to the intensification of the conflict in Ukraine,[38] and it was suggested that the attackers may have aimed “to cripple local IT systems and prevent the Ukrainian government from reacting with its full capabilities”.[39]

Result The wiper rendered the targeted computer systems inoperable, destroying their functionality.[40] Experts have argued that the impacted machines could not be recovered.[41]

According to Microsoft’s Digital Security Unit, the attacks were tailored to target certain specific environments and disabled “roughly 300 systems across more than a dozen government, IT, energy, agricultural, and financial sector organizations in Ukraine”,[42] including the Defense Ministry.[43]

The data wiper also affected a Ukrainian border control station, critically slowing the processing of refugees fleeing into Romania, because the Ukrainian authorities had to process everything manually on paper.[44]

Aftermath The Microsoft Security Response Center warned that the HermeticWiper attacks remained a “continued risk”.[45]

As of May 2022, the attacks were still being investigated by several cybersecurity companies and agencies. A joint advisory issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned that the wiper malware could affect organizations outside Ukraine, and provided indicators of compromise so that organizations could take measures to protect themselves.[46]

Analysed in Scenario 12: Cyber operations against computer data

Scenario 15: Cyber deception during armed conflict

Scenario 21: Misattribution caused by deception

Collected by: Dominique Steinbrecher

  1. Juan Andrés Guerrero-Saade, HermeticWiper. New Destructive Malware Used In Cyber Attacks on Ukraine, Sentinel One (23 February 2022, updated 28 February 2022); Microsoft Digital Security Unit, Special Report: Ukraine. An overview of Russia’s cyberattack activity in Ukraine (27 April 2022) 7; Eduard Kovacs, Destructive 'HermeticWiper' Malware Targets Computers in Ukraine, Security Week (24 February 2022).
  2. Microsoft Digital Security Unit, Special Report: Ukraine. An overview of Russia’s cyberattack activity in Ukraine (27 April 2022) 4
  3. Miriam Berger, 400,000 Ukrainians flee to European countries, including some that previously spurned refugees, The Washington Post (26 February 2022)
  4. Catalin Cimpanu, Second data wiper attack hits Ukraine computer networks, The Record (23 February 2022)
  5. Broadcom Software, Ukraine: Disk-wiping Attacks Precede Russian Invasion (24 February 2022); ESET Research, IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine (1 March 2022); Lawrence Abrams, New data-wiping malware used in destructive attacks on Ukraine, Bleeping Computer (23 February 2022)
  6. Eduard Kovacs, Destructive 'HermeticWiper' Malware Targets Computers in Ukraine, Security Week (24 February 2022)
  7. Broadcom Software, Ukraine: Disk-wiping Attacks Precede Russian Invasion (24 February 2022)
  8. US Cybersecurity and Infrastructure Security Agency (CISA), Alert (AA22-057A). Update: Destructive Malware Targeting Organizations in Ukraine (28 April 2022)
  9. Daryna Antoniuk, A deeper look at the malware being used on Ukrainian targets, The Record (21 April 2022)
  10. ESET Research, IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine (1 March 2022)
  11. Eduard Kovacs, Destructive 'HermeticWiper' Malware Targets Computers in Ukraine, Security Week (24 February 2022)
  12. Lawrence Abrams, New data-wiping malware used in destructive attacks on Ukraine, Bleeping Computer (23 February 2022)
  13. Daryna Antoniuk, A deeper look at the malware being used on Ukrainian targets, The Record (21 April 2022); Insikt Group, HermeticWiper and PartyTicket Targeting Computers in Ukraine (2 March 2022) 1; Kyle Fendorf and Jessie Miller, Tracking Cyber Operations and Actors in the Russia-Ukraine War, Council on Foreign Relations (24 March 2022)
  14. Reuters, Ukraine computers hit by data-wiping software as Russia launched invasion (24 February 2022)
  15. Microsoft Digital Security Unit, Special Report: Ukraine. An overview of Russia’s cyberattack activity in Ukraine (27 April 2022) 8.
  16. Broadcom Software, Ukraine: Disk-wiping Attacks Precede Russian Invasion (24 February 2022); Microsoft Security Response Center, Cyber threat activity in Ukraine: analysis and resources (28 February 2022, updated 2 March 2022); Microsoft Digital Security Unit, Special Report: Ukraine. An overview of Russia’s cyberattack activity in Ukraine (27 April 2022) 7; Kyle Alspach, Microsoft: Data wiper cyberattacks continuing in Ukraine, Venture Beat (2 March 2022); Michele Kambas and James Pearson, Cyprus games writer denies links to malware found before Russian invasion, Reuters (24 February 2022)
  17. Broadcom Software, Ukraine: Disk-wiping Attacks Precede Russian Invasion (24 February 2022)
  18. Mayuresh Dani, Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware, Qualys (1 March 2022)
  19. ESET Research, IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine (1 March 2022); Lawrence Abrams, New data-wiping malware used in destructive attacks on Ukraine, Bleeping Computer (23 February 2022)
  20. ESET Research, IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine (1 March 2022)
  21. ESET Research, IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine (1 March 2022); Heather Harrison Dinniss, Ukraine Symposium – Military Networks And Cyber Operations In The War In Ukraine, Articles of War (29 April 2022)
  22. Broadcom Software, Ukraine: Disk-wiping Attacks Precede Russian Invasion (24 February 2022)
  23. Broadcom Software, Ukraine: Disk-wiping Attacks Precede Russian Invasion (24 February 2022)
  24. Lawrence Abrams, New data-wiping malware used in destructive attacks on Ukraine, Bleeping Computer (23 February 2022)
  25. ESET Research, IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine (1 March 2022)
  26. Daryna Antoniuk, A deeper look at the malware being used on Ukrainian targets, The Record (21 April 2022)
  27. Mayuresh Dani, Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware, Qualys (1 March 2022)
  28. ESET Research, IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine (1 March 2022)
  29. Daryna Antoniuk, A deeper look at the malware being used on Ukrainian targets, The Record (21 April 2022)
  30. Juan Andrés Guerrero-Saade, HermeticWiper. New Destructive Malware Used In Cyber Attacks on Ukraine, Sentinel One (23 February 2022, updated 28 February 2022)
  31. Eduard Kovacs, Destructive 'HermeticWiper' Malware Targets Computers in Ukraine, Security Week (24 February 2022)
  32. Catalin Cimpanu, Second data wiper attack hits Ukraine computer networks, The Record (23 February 2022)
  33. ESET Research, IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine (1 March 2022). See also: US Cybersecurity and Infrastructure Security Agency (CISA), Malware Analysis Report (AR22-115A) MAR-10375867-1.v1 – HermeticWiper (25 April 2022, updated 28 April 2022)
  34. ESET Research, IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine (1 March 2022)
  35. Juan Andrés Guerrero-Saade, HermeticWiper. New Destructive Malware Used In Cyber Attacks on Ukraine, Sentinel One (23 February 2022, updated 28 February 2022); US Cybersecurity and Infrastructure Security Agency (CISA), Alert (AA22-057A). Update: Destructive Malware Targeting Organizations in Ukraine (28 April 2022); Broadcom Software, Ukraine: Disk-wiping Attacks Precede Russian Invasion (24 February 2022)
  36. Insikt Group, HermeticWiper and PartyTicket Targeting Computers in Ukraine (2 March 2022) 1
  37. US Cybersecurity and Infrastructure Security Agency (CISA), Alert (AA22-057A). Update: Destructive Malware Targeting Organizations in Ukraine (28 April 2022); Reuters, Ukraine computers hit by data-wiping software as Russia launched invasion (24 February 2022)
  38. Catalin Cimpanu, Second data wiper attack hits Ukraine computer networks, The Record (23 February 2022); Broadcom Software, Ukraine: Disk-wiping Attacks Precede Russian Invasion (24 February 2022); Microsoft Digital Security Unit, Special Report: Ukraine. An overview of Russia’s cyberattack activity in Ukraine (27 April 2022)
  39. Catalin Cimpanu, Second data wiper attack hits Ukraine computer networks, The Record (23 February 2022)
  40. Heather Harrison Dinniss, Ukraine Symposium – Military Networks And Cyber Operations In The War In Ukraine, Articles of War (29 April 2022)
  41. ESET Research, IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine (1 March 2022)
  42. Microsoft Digital Security Unit, Special Report: Ukraine. An overview of Russia’s cyberattack activity in Ukraine (27 April 2022) 7.
  43. Kyle Alspach, Ukraine border control hit with wiper cyberattack, slowing refugee crossing, Venture Beat (27 February 2022)
  44. Miriam Berger, 400,000 Ukrainians flee to European countries, including some that previously spurned refugees, The Washington Post (26 February 2022); Kyle Alspach, Ukraine border control hit with wiper cyberattack, slowing refugee crossing, Venture Beat (27 February 2022); Kyle Alspach, Microsoft: Data wiper cyberattacks continuing in Ukraine, Venture Beat (2 March 2022)
  45. Microsoft Security Response Center, Cyber threat activity in Ukraine: analysis and resources (28 February 2022, updated 3 March and 27 April 2022); Kyle Alspach, Microsoft: Data wiper cyberattacks continuing in Ukraine, Venture Beat (2 March 2022)
  46. Carly Page, US says destructive wiper malware targeting Ukraine could ‘spill over’ to other countries, TechCrunch (28 February 2022); US Cybersecurity and Infrastructure Security Agency (CISA), Alert (AA22-057A). Update: Destructive Malware Targeting Organizations in Ukraine (28 April 2022)