
Hermetic Wiper and other cyber attacks: A look at the silent battle between Russia and Ukraine in the digital sphere

While the heavy military fighting in Ukraine stands out, multiple cyber attacks initiated by both sides have been less conspicuous.

The ongoing Russia-Ukraine war may primarily be taking place over land and air with massive deployment of tanks and ballistic missiles striking key military installations and civilian establishments, but a significant amount of war activity has been taking place silently — targeting the key tech infrastructure of both countries. Cyber attacks, perpetrated by actors affiliated with either of the two countries, have been taking place ever since Russian President Vladimir Putin announced a “special military operation” in eastern Ukraine last week.

The most significant of these cyber attacks may be the one that was recently disclosed by cybersecurity and antivirus companies Symantec and ESET. The two firms announced that on February 24, one day before the Russian invasion, a new form of disk-wiping malware called Hermetic Wiper was used to attack organisations in Ukraine. As a result, several websites of Ukrainian banks and government departments became inaccessible.

“HermeticWiper misused legitimate drivers of popular disk management software. The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data.” — ESET

This shows how wars and conflicts have become four-dimensional, with a major part of the activity taking place in the digital sphere. Since the implications are also massive, with cyber attacks crippling key infrastructure, nation-states need to step up their cybersecurity defences.

Hermetic Wiper came hours after a series of DDoS attacks on Ukraine

Here’s what you need to know about the Hermetic Wiper malware:

  • When was it detected? Detected by ESET as Win32/KillDisk.NCV, the data wiper was first spotted just before 8:30 pm IST on Wednesday. The wiper’s timestamp, meanwhile, shows that it was compiled on December 28, 2021, suggesting that the attack may have been in the works for some time, said ESET.
  • How did Hermetic Wiper gain access? Apart from misusing legitimate drivers of popular disk management software such as EaseUS Partition Master, the hackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd. According to Digicert, code-signing certificates are used by software developers to digitally sign applications, drivers, executables, and software programs as a way for end-users to verify that the code they receive has not been altered or compromised by a third party.
  • What does the malware contain? According to Symantec, the malware contains 32-bit and 64-bit driver files which are compressed by the Lempel-Ziv algorithm – a common data compression technique.
  • How does it work? “The malware will drop the corresponding file according to the operating system (OS) version of the infected system,” Symantec said.
  • What happens after Hermetic Wiper infects the system? Once run, Symantec said that the wiper damages the Master Boot Record (MBR) of the infected computer, rendering it inoperable. “The wiper does not appear to have any additional functionality beyond its destructive capabilities,” it added. According to Kaspersky, the MBR is the first sector on a hard disk that contains the partition table which holds information on the number of partitions, their size, and the operating system used to boot the machine.
  • Did the malware exploit any known vulnerability in Microsoft software? “The attackers appear to have used an exploit of a known vulnerability in Microsoft SQL Server (CVE-2021-1636) in order to compromise at least one of the targeted organisations,” Symantec said. In January 2021, Microsoft released a patch for this vulnerability.
  • What happened earlier? According to NetBlocks, the websites of Ukraine’s Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, the Security Service of Ukraine, and Cabinet of Ministers were impacted by network disruptions that were consistent with DDoS attacks. A DDoS or distributed denial-of-service attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic, as per Cloudflare.
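To make the description of the MBR above concrete, here is an added example (not from the article or from the vendors it quotes) that reads a 512-byte MBR sector, checks the 0x55AA boot signature and decodes the partition table, which is the kind of quick triage a responder runs on a disk image to see whether the boot sector is still intact. The sector layout is the standard MBR layout, assumed here, and both sample sectors are constructed.

```python
import struct

# Classic MBR layout (assumed standard, not taken from the article): 446 bytes of
# boot code, four 16-byte partition entries at offset 446, and the 0x55AA boot
# signature in the final two bytes of the 512-byte sector.
SECTOR_SIZE = 512
PT_OFFSET = 446
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIG = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Check the boot signature and decode the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        offset = PT_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, offset)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue  # unused slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIG, "partitions": partitions}


def mbr_looks_intact(sector: bytes) -> bool:
    """Quick triage check for a disk image: valid signature and at least one partition."""
    info = parse_mbr(sector)
    return info["signature_ok"] and len(info["partitions"]) > 0


def build_sample_mbr() -> bytes:
    """Constructed sample sector: a bootable NTFS (0x07) partition at LBA 2048 of
    1,048,576 sectors, then a Linux (0x83) partition, with a valid signature."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FMT, sector, PT_OFFSET, 0x80, 0x07, 2048, 1048576)
    struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16, 0x00, 0x83, 1050624, 4194304)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def build_damaged_sample() -> bytes:
    """Constructed 'after' state for comparison: the sector overwritten with zeros,
    so neither the signature nor the partition table survives."""
    return bytes(SECTOR_SIZE)


if __name__ == "__main__":
    for name, sec in (("healthy", build_sample_mbr()), ("damaged", build_damaged_sample())):
        print(name, parse_mbr(sec), "intact:", mbr_looks_intact(sec))
```

On a real image, read the first 512 bytes of the device file and pass them to `mbr_looks_intact`; a GPT disk still carries a protective MBR with a single type 0xEE entry, so the check applies there too.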

Global hacking group leads anti-Russian cyber attacks

On the day Russia commenced its military operation, an account linked to the hacker collective Anonymous said that it has started a ‘cyber war against the Russian government’.

Since then, several instances of cyber attacks on Russia’s State-owned digital establishments have been reported, with Anonymous claiming responsibility for several of them. Here are a few targets:

Sberbank: Anonymous claimed that hacking group GNG, affiliated with them, had hacked Russia’s Sberbank. Earlier, Ukraine’s IT Army, announced by deputy prime minister Fedorov, also attempted to organise an attack on the website of Russia’s largest lender, Sberbank, according to Forbes.


Putin’s yacht: Anonymous hackers compromised maritime traffic data to make it look like a yacht claimed to be owned by Putin had crashed into an island. They reportedly hacked into the maritime automatic identification system which is used to track ship locations, according to Bloomberg journalist Ryan Gallagher.

Gas supply: Anonymous claimed that it had shut down “a gas supply” by Tvingo Telecom. “The company offers networking, Internet, wireless telephony, and installation of drivers and satellite services,” it tweeted. Tvingo Telecom serves clients in Russia and it is owned by Rostelecom which is a State-owned Russian telecom outfit, it added.

Chechen Republic website: The government website of the Chechen Republic was taken down because their leader Ramzan Kadyrov is friendly with Putin, The Sun reported.

Key Russian government websites: According to NetBlocks, Russian government websites of the Kremlin, State Duma (lower house of Federal Assembly of Russia), and Ministry of Defense were unavailable on February 26. Real-time network data shows the impact to networks consistent with previous cyberattacks, it added. Anonymous claimed that it was their doing.

Russia’s State-owned news site: Russian State-owned news agency Tass was hacked. People accessing their websites were greeted with this message, “Dear citizens. We urge you to stop this madness, do not send your sons and husbands to certain death. Putin makes us lie and puts us in danger,” The Daily Beast reported.

Belarusian rail network: Hackers allegedly breached computers in Belarus that control the country’s trains and brought some to a halt, according to Bloomberg. The report indicated that this may be an effort to disrupt Russian soldiers moving into Ukraine. The group known as Cyber Partisans said that some trains had stopped in Minsk, Orsha, and Osipovichi after hackers compromised the railway’s routing and switching system, the report said, adding that several websites connected to the railway network displayed error messages.


Ukraine minister forms Cyber Army on Telegram, Signal creator criticises platform

Mykhailo Fedorov, the Ukrainian Deputy Prime Minister, announced on February 27 that he was creating a cyber army of sorts and that he was in need of ‘talent’. He announced this in a tweet and included a link to a Telegram account. The Telegram account currently has 2.38 lakh subscribers, with the IT Army of Ukraine providing updates on key activities that they are taking up.

However, a few days prior, the creator of the end-to-end encrypted messaging platform Signal, Moxie Marlinspike, said that misleading marketing by Telegram had led people to believe that it was an encrypted app.

“Telegram is the most popular messenger in urban Ukraine. After a decade of misleading marketing and press, most ppl there believe it’s an “encrypted app”,” he tweeted.

“Every msg, photo, video, doc sent/received for the past 10 yrs; all contacts, group memberships, etc are all available to anyone w/ access to that DB. Many TG employees have family in Russia. If Russia doesn’t want to bother w/ hacking, they can leverage family safety for access.” — Moxie Marlinspike

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.


Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ