Hermetic Wiper and other cyber attacks: A look at the silent battle between Russia and Ukraine in the digital sphere

The ongoing Russia-Ukraine war may primarily be taking place over land and air with massive deployment of tanks and ballistic missiles striking key military installations and civilian establishments, but a significant amount of war activity has been taking place silently — targeting the key tech infrastructure of both countries. Cyber attacks, perpetrated by actors affiliated with either of the two countries, have been taking place ever since Russian President Vladimir Putin announced a “special military operation” in eastern Ukraine last week.

The most significant of these cyber attacks may be the one that was recently disclosed by cybersecurity and antivirus companies Symantec and ESET. The two firms announced that on February 24, one day before the Russian invasion, a new form of disk-wiping malware called Hermetic Wiper was used to attack organisations in Ukraine. As a result, several websites of Ukranian banks and government departments became inaccessible.

“HermeticWiper misused legitimate drivers of popular disk management software. The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data.” — ESET

This shows how wars and conflicts have become four-dimensional with a major part of activities taking place in the digital sphere. Since its implication is also massive, in terms of cyber attacks crippling key infrastructure, it is necessary that nation-states amp up their cybersecurity defences.

Hermetic Wiper came hours after a series of DDoS attacks on Ukraine

Here’s what you need to know about the Hermetic Wiper malware:

• When was it detected? Detected by ESET as Win32/KillDisk.NCV, the data wiper was first spotted just before 8:30 pm IST on Wednesday. The wiper’s timestamp, meanwhile, shows that it was compiled on December 28, 2021, suggesting that the attack may have been in the works for some time, said ESET.
• How did Hermetic Wiper gain access? Apart from misusing legitimate drivers of popular disk management software such as EaseUS Partition Master, the hackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd. According to Digicert, code-signing certificates are used by software developers to digitally sign applications, drivers, executables, and software programs as a way for end-users to verify that the code they receive has not been altered or compromised by a third party.
• What does the malware contain? According to Symantec, the malware contains 32-bit and 64-bit driver files which are compressed by the Lempel-Ziv algorithm – a common data compression technique.
• How does it work? “The malware will drop the corresponding file according to the operating system (OS) version of the infected system,” Symantec said.
• What happens after Hermetic Wiper infects the system? Once run, Symantec said that the wiper damages the Master Boot Record (MBR) of the infected computer, rendering it inoperable. “The wiper does not appear to have any additional functionality beyond its destructive capabilities,” it added. According to Kaspersky, the MBR is the first sector on a hard disk that contains the partition table which holds information on the number of partitions, their size, and the operating system used to boot the machine.
• Did the malware exploit any known vulnerability in Microsoft? “The attackers appear to have used an exploit of a known vulnerability in Microsoft SQL Server (CVE-2021-1636) in order to compromise at least one of the targeted organisations,” it said. In January 2021, Microsoft released a patch for this vulnerability.
• What happened earlier? According to NetBlocks, the websites of Ukraine’s Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, the Security Service of Ukraine, and Cabinet of Ministers were impacted by network disruptions that were consistent with DDoS attacks. A DD0S or distributed denial-of-service attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic, as per Cloudflare.

⚠️ Confirmed: #Ukraine's Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, the Security Service of Ukraine and Cabinet of Ministers websites have just been impacted by network disruptions; the incident appears consistent with recent DDOS attacks ? pic.twitter.com/EVyy7mzZRr

— NetBlocks (@netblocks) February 23, 2022

Global hacking group leads anti-Russian cyber attacks

On the day Russia commenced its military operation, an account linked to the hacker collective Anonymous said that it has started a ‘cyber war against the Russian government’.

The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine

— Anonymous (@YourAnonOne) February 24, 2022

Since then, several instances of cyber attacks on Russia’s State-owned digital establishments have been reported with Anonymous claiming responsibility for several of them. Here are a few targets—

SberBank: Anonymous claimed that hacking group GNG, affiliated with them, had hacked Russia’s SberBank. Earlier, Ukraine’s IT Army, announced by deputy prime minister Fedorov, also attempted to organise an attack on the website of Russia’s largest lender, Sberbank, according to Forbes.

Putin’s yacht: Anonymous hackers compromised maritime traffic data to make it look like a yacht claimed to be owned by Putin had crashed into an island. They reportedly hacked into the maritime automatic identification system which is used to track ship locations, according to Bloomberg journalist Ryan Gallagher.

Putin reportedly has a $97 million luxury yacht called "Graceful". A group of Anonymous hackers on Saturday figured out a way to mess with maritime traffic data & made it look like the yacht had crashed into Ukraine's Snake Island, then changed its destination to "hell": pic.twitter.com/Ch53lcG7D6

— Ryan Gallagher (@rj_gallagher) February 27, 2022

Gas supply: Anonymous claimed that it had shut down “a gas supply” by  Tvingo Telecom. “The company offers networking, Internet, wireless telephony, and installation of drivers and satellite services,” it tweeted. Tvingo Telecom serves clients in Russia and it is owned by Rostelecom which is a State-owned Russian telecom outfit, it added.

Chechen Republic website: The government website of the Chechen Republic was taken down because their leader Ramzan Kadyrov is friendly with Putin, The Sun reported. 

BREAKING: #Anonymous has taken down the website of the Chechen Republic.https://t.co/1muioOS5ao > OFF#OpRussia #StandWithUkraine #Ukraina #UkraineWar

— Anonymous (@AnonymousHelpTW) February 27, 2022

Key Russian government websites: According to NetBlocks, Russian government websites of the Kremlin, State Duma (lower house of Federal Assembly of Russia), and Ministry of Defense were unavailable on February 26. Real-time network data shows the impact to networks consistent with previous cyberattacks, it added.  Anonymous claimed that it was their doing.

Russia may be using bombs to drop on innocent people, but Anonymous uses lasers to kill Russian government websites. https://t.co/Vzhkmxbuhu

— Anonymous (@YourAnonNews) February 26, 2022

Russia’s State-owned news site: Russian State-owned news agency Tass was hacked. People accessing their websites were greeted with this message, “Dear citizens. We urge you to stop this madness, do not send your sons and husbands to certain death. Putin makes us lie and puts us in danger,” The Daily Beast reported.

Belarusian rail network: Hackers allegedly breached computers in Belarus that control the country’s trains and brought some to a halt, according to Bloomberg. The report indicated that this may be an effort to disrupt Russian soldiers moving into Ukraine. The group known as Cyber Partisans said that some trains had stopped in Minsk, Orsha, and Osipovichi after hackers compromised the railway’s routing and switching system, the report said, adding that several websites connected to the railway network displayed error messages.

• NSA claims Russia used ‘brute force’ hacking methods to target govt organisations; Russia denies allegations
• The SolarWinds hacker is back and has the global IT supply chain in a crosshair

Have something to add? Subscribe to MediaNama here and post your comment.