Second IsaacWiper wiping attack detected against Ukrainian government network that began shortly after Russian military invasion
ESET, a global leader in the cybersecurity market, is reconstructing the offensive campaigns mounted against Ukrainian organizations in recent weeks. As the Russian invasion got underway, ESET researchers discovered two new families of wiper malware targeting Ukrainian organizations. The first cyberattack began a few hours before the Russian military invasion, as ESET Research reported on its Twitter account, and followed DDoS (distributed denial-of-service) attacks against major Ukrainian websites earlier in the day on February 23.
These destructive attacks involved at least three components: HermeticWiper for data deletion, HermeticWizard for spreading over the local network, and HermeticRansom acting as a ransomware decoy. Malware artifacts suggest the attacks had been planned for several months.
A second destructive attack against a Ukrainian government network began on February 24, via a wiper that ESET Research called IsaacWiper.
"Regarding IsaacWiper, we are evaluating its links, if any, to HermeticWiper. It is important to note that it was identified in a Ukrainian government organization that was not affected by HermeticWiper," explains Jean-Ian Boutin, ESET Head of Threat Research.
ESET researchers believe it is highly likely that the affected organizations were compromised well before the wiper was deployed. “This belief is based on several elements: the earliest build timestamps of HermeticWiper PE date back to December 28, 2021; the issue date of the code signing certificate is April 13, 2021; and the deployment of HermeticWiper through the default domain policy, in at least one case, suggests that the attackers had access to one of the victim's Active Directory servers,” continues Boutin.
IsaacWiper first appeared in ESET telemetry on February 24. Its oldest PE compilation timestamp is October 19, 2021, so unless that timestamp was tampered with, IsaacWiper may have been used in earlier operations months before it was seen in Ukraine.
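The dating argument in the two paragraphs above rests on a single 32-bit field, the COFF header's TimeDateStamp, read against other evidence (certificate issue date, first sighting). The following is an added example, not ESET's tooling or code from the page, that parses that field from a PE header and applies the sanity checks a responder would run before trusting it. The PE bytes are constructed in the block (a bare MZ stub plus COFF header, not a real or loadable executable); the dates plugged into the check are the ones the text reports for HermeticWiper, and the forged sample with a 2030 timestamp is an assumption added to exercise the tamper branch.

```python
import struct
from datetime import datetime, timezone

UTC = timezone.utc


def build_min_pe(timestamp: datetime) -> bytes:
    """Constructed stand-in for a PE file: an MZ stub whose e_lfanew points at
    a 'PE\\0\\0' signature followed by a COFF header carrying the given
    TimeDateStamp. Not loadable; just enough header for the parser below."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew = 0x40
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,                                     # Machine: x64
        1,                                          # NumberOfSections
        int(timestamp.timestamp()),                 # TimeDateStamp (seconds since epoch)
        0, 0,                                       # PointerToSymbolTable, NumberOfSymbols
        0, 0x22,                                    # SizeOfOptionalHeader, Characteristics
    )
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, UTC)


def assess_timestamp(build: datetime, cert_issued: datetime, first_seen: datetime) -> list[str]:
    """Cross-check a build timestamp against other dated evidence."""
    notes = []
    if build.timestamp() == 0:
        notes.append("zeroed timestamp: build time stripped, no dating possible")
    elif build > first_seen:
        # A build date after the sample was first observed is impossible: either the
        # field was edited, or the linker wrote a reproducible-build hash (MSVC /Brepro)
        # into it, which decodes as a nonsense date.
        notes.append("timestamp later than first sighting: tampered, or a hash rather than a date")
    else:
        lead = (first_seen - build).days
        notes.append(f"earliest possible build: {build:%Y-%m-%d} ({lead} days before first sighting)")
        if build < cert_issued:
            notes.append("compiled before the signing certificate was issued; signing came later")
    return notes


# Dates reported in the text for HermeticWiper.
CERT_ISSUED = datetime(2021, 4, 13, tzinfo=UTC)
FIRST_SEEN = datetime(2022, 2, 23, tzinfo=UTC)
SAMPLE_PE = build_min_pe(datetime(2021, 12, 28, tzinfo=UTC))
# Assumed forged sample: timestamp deliberately set in the future.
FORGED_PE = build_min_pe(datetime(2030, 1, 1, tzinfo=UTC))


def demo() -> tuple[list[str], list[str]]:
    """Run both samples through the check; returns (plausible_notes, forged_notes)."""
    plausible = assess_timestamp(pe_timestamp(SAMPLE_PE), CERT_ISSUED, FIRST_SEEN)
    forged = assess_timestamp(pe_timestamp(FORGED_PE), CERT_ISSUED, FIRST_SEEN)
    return plausible, forged


if __name__ == "__main__":
    for label, notes in zip(("plausible", "forged"), demo()):
        print(label, "->", "; ".join(notes))
```

On a real sample the same field is available as `pe.FILE_HEADER.TimeDateStamp` in the `pefile` library; the point of the manual parse is to show that the value is a plain, unauthenticated header field, which is why the text hedges with "if its PE compilation timestamp was not tampered with". The Authenticode signature timestamp, when present, is the only signed date and should be compared against this field rather than trusting either alone.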
In the case of HermeticWiper, ESET observed lateral movement artifacts within the affected organizations and believes the attackers had taken control of an Active Directory server. A custom worm that ESET researchers named HermeticWizard was used to spread the wiper across compromised networks. For the second wiper, IsaacWiper, the attackers used RemCom, an open-source remote shell tool, and perhaps Impacket to move around the network.
Additionally, HermeticWiper erases itself from disk by overwriting its own file with random bytes. This anti-forensics measure is likely intended to prevent post-incident analysis of the wiper. The HermeticRansom decoy ransomware was distributed at the same time as HermeticWiper, likely in order to hide the wiper's actions.
Just a day after IsaacWiper was first deployed, the attackers pushed a new version with debug logs. This could indicate that the attackers were unable to wipe some of the target machines and added log messages to understand why.
ESET Research has not yet been able to attribute these attacks to a threat actor due to the code's lack of any meaningful similarity to other samples in ESET's malware database.
The term "Hermetic" comes from Hermetica Digital Ltd, the Cypriot company to which the code-signing certificate was issued. According to a Reuters report, the certificate does not appear to have been stolen from Hermetica Digital; rather, the attackers likely impersonated the Cypriot company to obtain it from DigiCert. ESET Research has asked the issuing company, DigiCert, to revoke the certificate immediately.