"Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper With Ransomware Smokescreen"

Researchers at the anti-malware company ESET found signs of new malware with worm-spreading capabilities being distributed in cyberattacks in Ukraine. According to the researchers, the cyberattacks began hours before Russia invaded Ukraine, with Distributed Denial-of-Service (DDoS) attacks targeting Ukrainian government websites. The cyberattacks then turned into wiper attacks, destroying data on computer networks. The initial attacks were found to leverage HermeticWiper, HermeticWizard, and HermeticRansom. HermeticWiper corrupts a system's data to make it inoperable, while HermeticWizard spreads the data wiper like a worm across a local network through Windows Management Instrumentation (WMI) and the Server Message Block (SMB) protocol. HermeticRansom adds a data-extortion ransomware component written in the Go programming language. A day later, ESET's technology thwarted another new wiper in a Ukrainian governmental network. The wiper, dubbed IsaacWiper, is being assessed to determine whether it is linked to HermeticWiper. Although the company has not found any tangible connection with a known threat actor, the wiper and worm-spreading components were found to be signed with a code-signing certificate assigned to Hermetic Digital. The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has released indicators of compromise (IOCs) to help threat hunters look for signs of the data-wiping threats in computer networks. This article continues to discuss findings surrounding the destructive data-wiping malware attacks in Ukraine.

Security Week reports "Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper With Ransomware Smokescreen"

 
