“Meant to be devastating.” Wiper malware rattles Ukraine as Russia presses invasion

HermeticWiper, much like the WhisperGate malware discovered in Ukrainian networks last month, deletes the Master Boot Record that allows the Windows operating system to load.

Russia’s escalating invasion of Ukraine has come amid a string of cyberattacks, including a new variant of destructive malware that renders infected systems inoperable.

The HermeticWiper attack tool exploits known vulnerabilities and shares much in common with earlier variants of wiper malware, Cornell University computer science professor Nate Foster told README. But the timing of its deployment in Ukrainian networks sets it apart.

“What is interesting is, how does the new cyber war aspect to war play out in this conflict?” Foster said. “It’s the first land war in Europe in decades, and although there have been many skirmishes involving [cyber], this is an overt conflict between coalitions and countries, and I think the defensive and offensive capabilities of these regimes are not widely known.”

Foster said he’d be watching to see whether malware like HermeticWiper continues to be used as the deadly conflict drags on — and how effective cyberattacks will prove to be in the context of a physical war that has already claimed hundreds of lives.

U.S. agencies and private organizations are wary of destructive malware spreading beyond Ukraine’s borders much like the NotPetya cyberattack in 2017, which started in Ukraine but went on to cause billions of dollars in damages worldwide.

“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data,” the Cybersecurity and Infrastructure Security Agency and the FBI said in a joint advisory yesterday related to HermeticWiper. “Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.”

HermeticWiper’s history

Cybersecurity companies Symantec and ESET independently reported that HermeticWiper was deployed on Feb. 23. But the earliest known sample of the malware was compiled on Dec. 28, 2021, nearly two months before Russian troops were ordered to attack Ukraine.

Hackers reportedly had access to some of the affected organizations, including one in Lithuania and one in Ukraine, for even longer. “Initial indications suggest that the attacks may have been in preparation for some time,” Symantec said in a blog post last week. “Temporal evidence points to potentially related malicious activity beginning as early as November 2021.”

But the technical groundwork for HermeticWiper may date back earlier still. The malware features a legitimate code-signing certificate issued in April 2021 to Hermetica Digital Ltd. (Hence the HermeticWiper name coined by SentinelOne principal threat researcher Juan Andrés Guerrero-Saade.) Cybersecurity journalist Kim Zetter reported that Hermetica was founded in March 2021. The company lacks even a website, however, so it’s possible it was founded just to get that one certificate, which grants the malware access to parts of Windows that are out of reach for unsigned software.

Work on HermeticWiper appears to be ongoing: Cisco Talos cybersecurity researchers reported that “one of the wiper executables was compiled on Feb. 23, 2022 and saw deployment the very same day.”

What it does

HermeticWiper’s functionality is straightforward: Once it’s deployed to a target system, ESET researchers said, it “abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data,” with particular emphasis on the Master Boot Record. Recovering from that kind of attack typically requires installing a new operating system.

It’s important to note that HermeticWiper doesn’t only target the Master Boot Record, however. Guerrero-Saade said in a SentinelOne analysis that the malware checks for all physical drives connected to a system, corrupts the Master Boot Record, “proceeds to enumerate the partitions for all possible drives,” and then corrupts those partitions using a “bit fiddler” function.
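From an incident-response angle, the damage described above is visible in the first sector of an affected disk: the 0x55AA boot signature and the four partition-table entries are gone. The following Python example is added here for illustration and is not code from the article, SentinelOne or ESET. It parses a 512-byte Master Boot Record read-only, lists the partitions it declares, and flags a sector whose signature or partition table has been destroyed. The two sample sectors are constructed for the example, not captured from a real system.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16
PARTITION_ENTRY_COUNT = 4


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition-table entry (little-endian layout)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": status == 0x80,
        "type": ptype,            # 0x07 = NTFS/exFAT, 0x00 = unused slot
        "lba_start": lba_start,
        "sectors": sectors,
    }


def inspect_mbr(sector: bytes) -> dict:
    """Classify an MBR sector as intact, wiped, or signed-but-empty.

    The check is purely read-only: it never modifies the sector it is given.
    """
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")

    signature_ok = sector[MBR_SIZE - 2:] == BOOT_SIGNATURE
    boot_code_present = any(sector[:PARTITION_TABLE_OFFSET])

    table = sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET
                   + PARTITION_ENTRY_SIZE * PARTITION_ENTRY_COUNT]
    entries = [
        parse_partition_entry(table[i * PARTITION_ENTRY_SIZE:(i + 1) * PARTITION_ENTRY_SIZE])
        for i in range(PARTITION_ENTRY_COUNT)
    ]
    partitions = [e for e in entries if e["type"] != 0 and e["sectors"] > 0]

    if not signature_ok:
        verdict = "wiped"          # signature overwritten: disk will not boot
    elif not partitions:
        verdict = "empty_table"    # signature survived but no partitions declared
    else:
        verdict = "intact"

    return {
        "signature_ok": signature_ok,
        "boot_code_present": boot_code_present,
        "partitions": partitions,
        "verdict": verdict,
    }


def inspect_image(path: str) -> dict:
    """Read the first sector of a raw disk image and inspect it."""
    with open(path, "rb") as f:
        return inspect_mbr(f.read(MBR_SIZE))


# --- constructed sample sectors (not real disk captures) -------------------

def _build_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are filled with conventional placeholder values.
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00\x02\x00",
                       ptype, b"\xFE\xFF\xFF", lba_start, sectors)

# Intact: dummy boot code, one bootable NTFS partition at LBA 2048, valid signature.
SAMPLE_INTACT = (
    b"\x33\xC0\x8E\xD0" + b"\x90" * (PARTITION_TABLE_OFFSET - 4)
    + _build_entry(True, 0x07, 2048, 1_000_000)
    + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    + BOOT_SIGNATURE
)

# Wiped: the whole sector overwritten with zeros, as a wiper would leave it.
SAMPLE_WIPED = b"\x00" * MBR_SIZE


if __name__ == "__main__":
    for name, sector in (("intact", SAMPLE_INTACT), ("wiped", SAMPLE_WIPED)):
        result = inspect_mbr(sector)
        print(f"{name}: verdict={result['verdict']} partitions={len(result['partitions'])}")
```

Running `inspect_image("/path/to/disk.img")` against a forensic image taken after an incident gives a quick first answer to whether the boot sector survived; a `wiped` verdict on a drive that previously booted is the signal to pull the partition boot records and the EaseUS driver artifacts the researchers mention into the timeline.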

Symantec reported that “ransomware was also deployed against affected organizations at the same time as the wiper” in several attacks, and that it “appears likely that the ransomware was used as a decoy or distraction from the wiper attacks.” The wiper itself may have been meant to destroy evidence of still other attacks — like a Russian nesting doll of malware-based misdirection.

If that sounds familiar, it’s because the WhisperGate malware that Microsoft discovered in January operated similarly. IANS Research faculty member Jake Williams said during a SANS Institute webcast that Russia has a history of deploying wiper malware that uses seemingly legitimate certificates. “We’ve seen this now on multiple occasions,” he said, including with the debut of KillDisk in Ukrainian power networks in late 2015.

Wiper malware may have been deployed in Ukraine before. But it hasn’t been accompanied by Russia invading Ukraine and threatening nuclear war if anyone tries to intervene — until now.