Second Wiper Attack Strikes Systems in Ukraine and Two Neighboring Countries

KYIV, UKRAINE - People hold signs and chant slogans during a protest outside the Russian Embassy on February 22, 2022 in Kyiv in anticipation of an invasion from Russia. (Photo by Chris McGrath/Getty Images)

Second Wiper Attack Strikes Systems in Ukraine and Two Neighboring Countries
Zero Day, February 23, 2022
By Kim Zetter

“The wiper, dubbed HermeticWiper, struck a bank in Ukraine as well as machines in Latvia and Lithuania belonging to two contractors that work with the Ukrainian government.”


For the second time in two months, a destructive wiper attack struck computer systems in Ukraine as well as in two neighboring countries, according to researchers at two security companies who discovered the wiper Wednesday afternoon as it infected the machines.


ESET, a security firm based in Slovakia that was the first to report the malware, indicated that it found the wiper on “hundreds of machines” in Ukraine, but didn’t identify the victims or specify how many companies or organizations this involved.


Symantec, a division of U.S.-based Broadcom Software, reported that it had found the wiper malware on about 50 systems belonging to a bank in Ukraine as well as on systems belonging to two different contractors that do work for the Ukrainian government, according to Vikram Thakur, technical director of Symantec’s threat intelligence team. Symantec later published a blog post about the attack and revealed it had found additional victims in the defense, aviation, and IT services sectors.


One contractor has offices in Ukraine and Latvia, the other has offices in Ukraine and Lithuania, according to Thakur, who added that they found infections only on the contractors’ machines in Latvia and Lithuania and didn’t find any infections on the companies’ machines in Ukraine.


“This looks extremely targeted,” Thakur told Zero Day. “This is not going after all Ukrainian organizations, but ones that do specific roles that support the Ukrainian government. So the actors don’t care where the organizations physically are located.”


He declined to identify what kind of work the contractors do and says it’s too early to say whether the attackers siphoned data from the systems before wiping them.


The wiper, dubbed HermeticWiper, appears to have been in the works for months but was only released on computers today. It follows on a previous wiper attack that struck Ukrainian systems in January called WhisperGate. Like that previous infection, HermeticWiper is designed to overwrite files on systems to render them inoperable.


But Juan Andrés Guerrero-Saade, principal threat researcher at SentinelOne, whose team also examined the malware, said HermeticWiper is a much better and more efficient wiper than WhisperGate was and appears to have been more carefully crafted, suggesting that two different teams may have developed the wiper programs.


“I was kind of surprised WhisperGate worked,” he told Zero Day, based on how it was written. “In comparison [HermeticWiper] is reminiscent of Destover and Shamoon.” Destover is a wiper that was launched by North Korea against Sony Pictures in 2014, wiping systems across the company simultaneously while Shamoon is a wiper attributed to Iran that struck Saudi Aramco in 2012, wiping data from more than 30,000 machines.

Read the Full Article »

About the Author:

Kim Zetter is a journalist covering cybersecurity and national security. Author of Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon