Computers and websites at several Ukrainian organizations faced cyberattacks, including a destructive data-wiper malware now known as HermeticWiper, hours before Russia began its military assault on the country.
About HermeticWiper Malware:
HermeticWiper is data-wiper malware: it erases the data on any system it infects.
What makes this malware dangerous is that once the data has been overwritten it cannot be recovered.
It is quite different from most malware in circulation in that it does not steal information, it only destroys it.
The malware also attacks the system's own recovery mechanisms (such as shadow copies), so the damage cannot be undone from the host, and it leaves little evidence behind.
Several cybersecurity experts believe the infections have spread widely within the targeted organizations, although not beyond them.
Some specific characteristics of HermeticWiper malware:
Attacks are highly targeted:
So far, the HermeticWiper attacks have been highly targeted.
Specifically, the distribution of the wiper does not seem to be leveraging supply chain vulnerabilities or other “super-spreader” techniques to scale the attacks.
This means the infection is unlikely to spill quickly to other geographies.
Deployment requires privileged admin rights:
The wiper uses its high privileges on the compromised host to make the host unbootable: it overwrites the boot records and boot configuration, erases device configurations and deletes Volume Shadow Copies (the local backups Windows keeps).
Similar tactics were observed in the 2017 NotPetya attacks, which also initially targeted Ukrainian infrastructure.
Active Directory can be used as a launchpad:
In one reported case the wiper was deployed through Active Directory Group Policy, which means the threat actors already held privileged access to Active Directory.
Pushing a payload through a trusted central management channel in this way is typical of targeted, human-operated incidents; the 2021 Kaseya ransomware supply chain attack used a compromised remote management platform in the same role.
Identity compromise is critical:
It appears that the wiper is configured NOT to wipe domain controllers. This keeps the domain running, so the attackers can keep using valid credentials to authenticate to other servers and wipe those.
This highlights the critical role of identity in these attacks.
By stealing or abusing the identities and credentials of employees or authorized third parties, threat actors can access the target network and/or move laterally.
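The characteristics above (privileged deletion of shadow copies, tampering with boot configuration, raw writes to the disk, and deployment through Group Policy) are also what a defender looks for in host telemetry. The following is an added detection example, not code from the page or from any vendor: it scores Sysmon-style process-creation (Event ID 1) and raw-disk-access (Event ID 9) events per host, so that a single destructive command, which an administrator might run legitimately, does not alert on its own, but the chain does. The sample log lines are constructed, the weights and threshold are illustrative, and treating gpscript.exe as the parent of Group-Policy-launched scripts is an assumption.

```python
"""Added example: score Sysmon-style events for the privileged destructive chain
a wiper such as HermeticWiper needs (shadow-copy deletion, boot-configuration
tampering, raw disk access), and flag when the step was pushed via Group Policy."""
import json
import re
from collections import defaultdict

# Command-line patterns for the destructive steps named in the text.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
BOOT_TAMPER = re.compile(
    r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)
# Sysmon event 9 reports the device a process opened with raw \\.\ access.
RAW_DISK = re.compile(r"\\Device\\Harddisk\d*|\\\\\.\\PhysicalDrive\d+", re.I)

# Assumption: gpscript.exe is the parent of Group Policy startup/logon scripts,
# so a destructive command spawned by it was pushed through AD Group Policy.
GPO_PARENTS = {"gpscript.exe"}

# Weights and threshold are illustrative tuning values, not from the page.
WEIGHTS = {"shadow_copy_delete": 3, "boot_config_tamper": 3,
           "raw_disk_access": 4, "gpo_launched": 2}
ALERT_THRESHOLD = 6


def classify(event):
    """Return the finding tags that apply to one event dict (possibly none)."""
    tags = []
    eid = event.get("EventID")
    if eid == 1:  # Sysmon ProcessCreate
        cmd = event.get("CommandLine", "")
        if SHADOW_DELETE.search(cmd):
            tags.append("shadow_copy_delete")
        if BOOT_TAMPER.search(cmd):
            tags.append("boot_config_tamper")
        parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if tags and parent in GPO_PARENTS:
            tags.append("gpo_launched")
    elif eid == 9:  # Sysmon RawAccessRead
        if RAW_DISK.search(event.get("Device", "")):
            tags.append("raw_disk_access")
    return tags


def score_hosts(lines):
    """Aggregate findings per host: {host: (score, sorted list of tags)}."""
    per_host = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for tag in classify(event):
            per_host[event["Computer"]].add(tag)
    return {host: (sum(WEIGHTS[t] for t in tags), sorted(tags))
            for host, tags in per_host.items()}


def alerts(lines):
    """Hosts whose combined score reaches the threshold, sorted by name."""
    return sorted(host for host, (score, _) in score_hosts(lines).items()
                  if score >= ALERT_THRESHOLD)


# Constructed sample telemetry (JSON lines, Sysmon field names); not real logs.
SAMPLE_LOG = r"""
{"EventID":1,"Computer":"WS01","Image":"C:\\Windows\\System32\\vssadmin.exe","ParentImage":"C:\\Windows\\System32\\gpscript.exe","CommandLine":"vssadmin.exe delete shadows /all /quiet"}
{"EventID":1,"Computer":"WS01","Image":"C:\\Windows\\System32\\bcdedit.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"bcdedit.exe /set {default} recoveryenabled no"}
{"EventID":9,"Computer":"WS01","Image":"C:\\Users\\Public\\cm.exe","Device":"\\Device\\HarddiskVolume3"}
{"EventID":1,"Computer":"SRV02","Image":"C:\\Windows\\System32\\vssadmin.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"vssadmin delete shadows /for=C: /oldest"}
{"EventID":1,"Computer":"DC01","Image":"C:\\Windows\\System32\\wbadmin.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"wbadmin start systemstatebackup -backupTarget:E:"}
"""

if __name__ == "__main__":
    for host, (score, tags) in sorted(score_hosts(SAMPLE_LOG.splitlines()).items()):
        print(f"{host}: score={score} findings={tags}")
    print("alerts:", alerts(SAMPLE_LOG.splitlines()))
```

In the constructed sample, WS01 shows the full chain launched from a Group Policy script and alerts; SRV02 only deletes its oldest shadow copy (a routine cleanup) and stays below the threshold; DC01 runs a system-state backup and produces no finding at all, matching the observation above that the domain controllers are left running. In production the same logic would read Sysmon events from the SIEM rather than an inline string, and the parent-process check would be extended to whatever launch path your GPO scripts and scheduled tasks actually use.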
Malware, or malicious software, is any program or file that is harmful to a computer user.
Malware includes computer viruses, worms, Trojan horses and spyware.
These malicious programs can perform a variety of functions, including stealing, encrypting or deleting sensitive data, altering or hijacking core computing functions and monitoring users' computer activity without their permission.
Other terms related to malware:
Virus: Viruses attach themselves to clean files and, when those files run, infect other clean files. They can spread uncontrollably, damaging a system's core functionality and deleting or corrupting files.
Trojans: This kind of malware disguises itself as legitimate software, or is included in legitimate software that has been tampered with. It tends to act discreetly and open backdoors that let other malware in.
Spyware: It hides in the background and takes notes on what you do online, including your passwords, credit card numbers, surfing habits and more.
Worms: Worms infect entire networks of devices, either local or across the internet, by spreading over network interfaces. Each newly infected machine is then used to infect more.
Ransomware: This kind of malware locks a computer or encrypts its files and threatens to destroy or withhold them unless a ransom is paid to its operator. It is distinct from scareware, which only frightens users with fake warnings.
Adware: Though not always malicious in nature, particularly aggressive advertising software can undermine security just to serve ads — which can give a lot of other malware a way in.
Botnets: Botnets are networks of infected computers that are made to work together under the control of an attacker.