Starting on the day of Russia’s invasion of Ukraine and continuing through Saturday, a series of data-wiping cyberattacks struck a Ukrainian governmental organization using a different type of malware from the earlier wiper attacks in the country, researchers at cybersecurity firm ESET disclosed.
This second wave of destructive cyberattacks began on Thursday, February 24, and continued through Saturday, February 26, ESET researchers said in a blog post today.
This three-day series of attacks followed the previously reported “HermeticWiper” attacks that took place on Wednesday, February 23. Those wiper attacks had occurred “a few hours” prior to Russia’s invasion of Ukraine, and impacted at least five organizations in the country, the researchers said.
For the second wave of attacks, a newly discovered type of wiper malware — dubbed “IsaacWiper” by ESET — was deployed. And as another difference, just a single Ukrainian governmental organization was targeted in these attacks.
The affected government agency was not identified. “To protect the victims and not to give advantage to the attackers, we cannot disclose more specifics,” said Jean-Ian Boutin, head of threat research at ESET, in an email statement to VentureBeat.
ESET did specify that the Ukrainian organization affected by IsaacWiper had not been targeted in the first wave of attacks using HermeticWiper, which would appear to rule out Ukraine’s defense ministry.
The disclosure of an additional wave of wiper attacks in Ukraine suggests that the level of cyberwarfare occurring in the country may be higher than previously realized, said John Bambenek, principal threat hunter at IT and security operations firm Netenrich.
The revelation makes it clearer that right now, “inside Ukraine is essentially a ‘free-fire zone’ when it comes to cyberattacks,” Bambenek said in an email — referring to the military term for a war zone where firing weapons can be done essentially at will.
The disclosure also suggests that looking ahead, “we will see more sabotage, which is essentially what wipers are,” Bambenek told VentureBeat. “Some of this could be military and intelligence, some could be independent non-state actors.”
It’s not clear if there’s a direct connection between the earlier wiper malware and IsaacWiper. “With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper,” Boutin said in a news release.
IsaacWiper “has no code similarity with HermeticWiper and is way less sophisticated,” ESET researchers said.
ESET also did not attribute either HermeticWiper or IsaacWiper. “At this point, we have not found any tangible connection with a known threat actor,” the researchers said.
Few cyberattacks that have occurred in recent weeks amid Russia’s aggressions against Ukraine have been attributed. In January, after more than 70 Ukrainian government websites were targeted with the new “WhisperGate” family of malware, Ukraine blamed Russia for the attacks.
And with the massive distributed denial-of-service (DDoS) attacks on February 15 that struck Ukrainian military websites and banking web services, the U.S. and U.K. have attributed the attacks to Russia.
No code similarity
HermeticWiper — as well as a worm used for spreading the wiper (HermeticWizard) and decoy ransomware (HermeticRansom) — “do not share any significant code similarity with other samples in the ESET malware collection,” the ESET researchers said. “IsaacWiper is still unattributed as well.”
IsaacWiper, which is found in “either a Windows DLL or EXE with no Authenticode signature,” showed up in ESET telemetry on Thursday, February 24, according to the researchers. The initial access point for IsaacWiper is unknown, they said.
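The lack of an Authenticode signature is the one concrete, checkable trait the researchers give for the IsaacWiper binaries. The following PowerShell script is an added example for defenders, not code from ESET or from this article: it inventories the .exe and .dll files under a directory and lists those whose signature does not verify, together with a SHA-256 hash that can be compared against published indicators. The scan path is a placeholder assumption; the cmdlets used (Get-ChildItem, Get-AuthenticodeSignature, Get-FileHash) are standard Windows PowerShell.

```powershell
# Added example (not from ESET or the article): list PE files under a directory
# that lack a valid Authenticode signature, the trait ESET noted for IsaacWiper.
# $ScanRoot is a placeholder; point it at a folder you are responsible for.
param(
    [string]$ScanRoot = 'C:\Temp\review'   # placeholder path, not from the article
)

function Get-UnsignedPeFiles {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Status is 'Valid' only for a correctly signed file; 'NotSigned',
            # 'HashMismatch', 'UnknownError' and the rest all merit a closer look.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Path      = $_.FullName
                Status    = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Size      = $_.Length
                LastWrite = $_.LastWriteTimeUtc
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Unsigned is a triage signal, not a verdict: plenty of legitimate tooling ships
# unsigned, so the hash column is what you compare against vendor-published indicators.
Get-UnsignedPeFiles -Path $ScanRoot | Sort-Object Status, Path | Format-Table -AutoSize
```

Run it from an elevated prompt if the directory contains files the current user cannot read; `-ErrorAction SilentlyContinue` keeps a single access-denied file from aborting the whole inventory.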
Then on February 25, the threat actor behind IsaacWiper dropped a new version of the malware containing debug logs, possibly indicating that the attackers were “unable to wipe some of the targeted machines and added log messages to understand what was happening,” the company said in its news release.
Notably, IsaacWiper recursively wipes files “in a single thread, meaning that it would take a long time to wipe a large disk,” the researchers said.
While only appearing in ESET telemetry on February 24, there are signs that IsaacWiper may have been utilized as early as October 19, 2021, they said.
ESET, along with Symantec, disclosed details on the wiper malware that came to be known as HermeticWiper on Wednesday, February 23. ESET posted details on Twitter, which it has followed up with its more in-depth blog post today.
The destructive malware affected Ukraine’s defense ministry as well as financial, aviation and IT services companies in the country, according to reports. HermeticWiper was spotted on “hundreds of systems” across at least five different organizations in Ukraine, according to ESET researchers.
HermeticWiper notably attempts to cover its tracks once its work is done, wiping itself from the affected disk by “overwriting its own file with random bytes,” the researchers said.
Currently, ESET, which is based in Bratislava, Slovakia, has no evidence that countries outside of Ukraine have been targeted with either wiper.
“However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities,” the researchers said in the blog post.
Citing a well-known security expert, The Washington Post and VentureBeat reported on Sunday that data-wiping malware had struck a Ukraine border control station in prior days — forcing border agents to process refugees fleeing the country with pencil and paper and contributing to long waits for crossing into Romania.
The security expert, HypaSec CEO Chris Kubecka, who was in Ukraine to assist in the event of a cyberattack against a nuclear power facility, learned the details of the wiper attack by speaking with Ukrainian agents at the affected border crossing at Siret, Romania. Kubecka told VentureBeat and Cybercrime Magazine that she has been attempting to obtain a sample of the data-wiping malware for researchers to examine.
Kubecka told VentureBeat on Tuesday that she and other collaborators have had “no success so far” in acquiring a sample of the malware. The cyberattack on the Ukraine border control station was first reported by The Washington Post. The State Border Guard Service of Ukraine and the Security Service of Ukraine have not responded to email messages inquiring about the attack.
Overall, “recent and ongoing cyberattacks [in Ukraine] have been precisely targeted,” Microsoft president Brad Smith said in a blog post on Monday. Smith noted that the use of “indiscriminate malware technology,” such as in the NotPetya attacks of 2017, has not been observed so far.
However, “we remain especially concerned about recent cyberattacks on Ukrainian civilian digital targets, including the financial sector, agriculture sector, emergency response services, humanitarian aid efforts, and energy sector organizations and enterprises,” Smith wrote. “These attacks on civilian targets raise serious concerns under the Geneva Convention, and we have shared information with the Ukrainian government about each of them.”
The fourth Geneva Convention is focused on treatment of civilians in war situations. Smith did not specify which incidents he was referring to in the blog when he mentioned cyberattacks that have raised “serious concerns under the Geneva Convention.”
For HermeticWiper and IsaacWiper, Boutin told VentureBeat that “primarily, the targets have been in governmental sector.”
“These were targeted attacks,” he said.