Ukraine organizations hit by new wiper malware

Ukrainians demonstrate outside the Russian Embassy against the recent invasion of Ukraine on Feb. 23, 2022, in London. (Photo by Jeff J Mitchell/Getty Images)

After Russia announced it would send troops into Ukraine under the guise of a peacekeeping mission, new wiper malware began targeting Ukrainian enterprises on Wednesday. The wiper malware follows DDoS and SMS spam attacks on Ukraine earlier in the day. Samples have also been seen in Lithuania and Latvia.

"These were large organizations that have been affected," said Jean-Ian Boutin, head of ESET Threat Research, via email. "We cannot give attribution based on information that is available to us, but the attack appears to be related to the ongoing crisis in Ukraine."

ESET first noted the attack on Twitter Wednesday, with Broadcom Software's Symantec division confirming on the platform soon after.

"We know of at least two organizations who have been targeted," Vikram Thakur, technical director of Symantec Threat Intelligence, told reporters in a statement.

Symantec has seen the wiper in Ukraine, Lithuania and Latvia, with financial institutions and government contractors among the targets.

According to ESET's telemetry, the victim pool in Ukraine numbers at least in the hundreds.

Earlier this year, other wiper malware known as WhisperGate also targeted Ukraine, which the Ukrainian government attributed to Russia.

The new wiper was first seen by ESET at roughly 5 p.m. local time. ESET believes it was first deployed today.

"The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data," tweeted ESET.

Other findings from ESET include that the binaries were compiled during the last days of last year, meaning the mechanism of attack was assembled at least six weeks ago, well before this week's announcement of peacekeeping forces. Attackers appear to have taken control of Active Directory to drop the wiper. ESET is calling the malware "HermeticWiper," which appears to be a reference to the certificate used to sign the wiper, issued to "Hermetica Digital Ltd."

If the attack is indeed Russian, an attribution neither vendor has made, the malware being seen in nations outside of Ukraine could raise concerns of spillover. In 2017, a Russian wiper attack on Ukraine known as NotPetya caused billions of dollars in global damage when it spread beyond its initial targets.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor's short-lived Passcode website.
