What is HermeticWiper – An Analysis of the Malware and Larger Threat Landscape in the Russian Ukrainian War
On February 24, the Russian-Ukrainian conflict escalated into an invasion of Ukraine by Russian armed forces. However, these hostilities were not limited to the physical domain. Cyber warfare is happening in parallel to the armed conflict, becoming an inseperable part of the hostile exchanges between these nations.
Our Threat Research team noted various cyberattacks deployed by Russia in the weeks preceding the invasion aimed at sowing chaos and disrupting communications within Ukraine’s government and military institutions. While the most publicized of these cyberattacks were the DDoS attacks, official government website take-downs, and website defacements, the most disruptive attack was a disk-wiping malware called WhisperGate which we covered in a previous post.
On February 23, one day before the larger Russian land invasion began, Ukrainian organizations were targeted by another destructive disk-wiping malware dubbed HermeticWiper designed to wipe a computer’s hard disk data and destroy the Master Boot Record and partitions, making any impacted machines inoperable.
What is HermeticWiper
HermeticWiper makes use of a driver belonging to an outdated version of EaseUS Partition Master application, developed by CHENGDU YIWO Tech Development. The attackers used a benign, digitally signed kernel driver to evade detection while utilizing the driver's ability to interact with storage devices and acquire low-level disk access for retrieving partition information, corrupting the device’s disks.
While the driver is digitally signed by ‘Hermetica Digital Ltd’ (hence the wiper name), the certificate is now revoked.
The malware stores 32-bit and 64-bit versions of the driver in MS-compressed copies within its resource section, deploying it according to the operating system version. Forensic analysis reveals that the malware has several variants, one with a timestamp dating to December 2021, indicating the attack has been 'in progress’ for quite some time.
We've observed several attacks which precede the execution of the wiper. In one case, the attackers exploited a known vulnerability in Microsoft SQL Server (CVE-2021-1636) to gain a foothold in one of the Ukrainian organizations. In a separate case, the attackers gained access to the network via malicious SMB activity against a Microsoft Exchange Server, which led to credential theft, and later to the deployment of the wiper. Several other methods were also employed, including the Apache Tomcat vulnerability, which allowed the attackers to run PowerShell commands, dump credentials, and execute the malware.
When executed, HermeticWiper will first gain higher privileges by utilizing Access Token Manipulation [T1134] and then obtain "SeBackupPrivilege" (which allows it to retrieve any file content) and "SeLoadDriverPrivilege" (which allows it to load/unload any driver). As we previously mentioned, HermeticWiper uses EaseUS signed driver in order to manipulate the disk.
Next, HermeticWiper will disable Volume Shadow Service (vss) and disable crash dumps by modifying specific registry keys, ensuring that no backups will be available and covering its tracks.
It will then enumerate the system’s physical drives. For each, it will then corrupt the first 512 bytes and destroy the Master Boot Record (MBR).
While this should be enough to make any computer inoperable, HermeticWiper doesn't stop there. It next checks for NTFS or FAT file systems and corrupts them, ensuring that systems with both MBR and GPT drives are compromised. The Wiper will then force system shutdown to complete the wiping operation.
Similar to the previous WhisperGate attack, where the wiper was disguised as ransomware, the attackers appear to be using PartyTicket ransomware as a decoy in addition to the HermeticWiper malware to distract from the wiper attacks.
Russia-Ukraine Cyber Warfare
As we mention above, Russia started its cyberattack campaign long before the armed forces invasion. However, after the HermeticWiper attack began on February 23 we’ve seen a surge in cyber warfare between the two countries.
Here is the timeline of the major events:
- Feb 23
- Ukraine’s ministry of foreign affairs and the Security Service of Ukraine (SBU) websites were taken down while Ukrainian troops received threatening SMS messages with the aim of demoralizing them by urging them to flee or be killed.
- Sandworm/VoodooBear group, both of which have previously been attributed to the Russian military intelligence service (GRU), use Cyclops Blink, a Linux malware which can extract device information and download additional payload.
- Feb 24
- The portal of the “Ministry of Agrarian Policy and Food” of Ukraine is defaced by a group named Free Civilian. The group offers databases containing sensitive government and citizens information for sale.
- The Anonymous hacking collective announced their support for Ukraine with the following message:
- Feb 25
- A massive phishing email campaign targets Ukrainian troops’ private “i.ua” and “meta.ua” accounts, delivered by UNC1151 (aka GhostWriter) which relates to officers of the “Ministry of Defence of the Republic of Belarus.”
- The infamous Conti group announces their full support the Russian government in the following blog post:
- Feb 26 - The Vice Prime Minister of Ukraine Mykhailo Fedorov announces the creation of the “IT Army,” crowdsourced offensive operations against Russian infrastructure, aimed at recruiting cyber specialists willing to help.
- Feb 27 - The LockBit ransomware group declares they will leak all victims’ data.
- Feb 28 – One of Conti group members begins leaking data from the group’s chat after their previous announcement supporting the Russian government.
Predictions and guidance
The ongoing Russian-Ukrainian conflict is already causing a significant escalation in the quantity and scope of attacks from many, disparate parties. Elevated activity is being seen from state-sponsored groups, non-state-sponsored actors, and by independent hacktivists like the Anonymous group.
The unprecedented raft of sanctions enacted against Russia may invoke further retaliation and response in the form of cyberattacks by Russian-based organized cybercrime groups and state-sponsored or contracted actors. We have already seen several cyber gangs supporting Russia threaten to use their resources to strike back against nations and organizations that may coordinate cyberattacks against Russia.
We estimate the ongoing physical conflict escalation combined with the new sanctions will lead to a higher risk profile; this will be heightened for sectors associated with sanctions and have high economic or national security value. These may include financial services, aviation and aerospace, energy, and critical infrastructure.
Following are some key points to consider or act upon given the changes in the risk profile:
- Threat actors are targeting organizations with phishing attempts related to the conflict. Security staff should remind or re-educate employees to minimize successful social engineering attempts.
- Every application in the organization can be a potential backdoor to the organization. These applications need to be updated frequently with the latest security patches. Organizations should apply a strict application control policy while limiting applications which are not critical to their business.
- Scripts are a powerful execution mechanism. There are entire industries (healthcare, for example) where most users in the organization have no need to execute scripts. Security staff should restrict scripts execution based on a user’s roles and devices.
- To ensure increased visibility, it is recommended to configure or enable additional layers of logging when and where available.
- Incident response requires considerable time and resources. The initial response of the security staff to a possible threat can make a huge difference in the overall impact of the attack impact. Trained security staff with a dedicated playbook for incident response scenarios should prevent additional infection and lateral movement inside the organization.
- In order to be as evasive as possible threat actors have learned to live-off-the-land. With the use of PowerShell and other libraries in the operating system, bad actors can stay under the radar. SOC operators should be extremely attentive to potential LOLbins attacks.
Protection from HermeticWiper with Deep Instinct
Deep Instinct prevents HermeticWiper and PartyTicket statically prior to execution, stopping it before it can deploy.
If you’d like to learn more, please request a demo.