A new piece of malware called HermeticWiper (also detected as KillDisk.NCV) is being actively used, in the context of the escalating military conflict in Ukraine, for cyberattacks targeting government and private organizations, affecting decision-makers, technical personnel, and ordinary users.
Symantec and ESET research first tweeted about the new strain, dubbed HermeticWiper, on February 23. The malware has since been observed in the neighboring countries of Latvia and Lithuania. This follows a string of distributed denial-of-service (DDoS) cyber-attacks and other recent threats in the region.
HermeticWiper is a small executable, approximately 115KB, digitally signed with a certificate issued to “Hermetica Digital Ltd” and valid from April 2021 to April 2022.
The malware uses a legitimate, signed driver (associated with the EaseUS Partition Master software) to corrupt data on hard disks, including the Master Boot Record (MBR) area. The final step of a HermeticWiper attack is to restart the victim's computer, which then fails to boot because its boot records have been destroyed.
Based on the initial analysis, the team has identified some specific characteristics of the malware:
- Attacks are highly targeted: So far, the HermeticWiper attacks have been highly targeted. Specifically, the distribution of the wiper does not seem to be leveraging supply chain vulnerabilities or other “super-spreader” techniques to scale the attacks. This means that infection will not quickly spill to different geographies. However, initial analysis of the wiper does not reveal scoping parameters such as keyboard language settings, clock time zone, external IPs, etc., meaning the malware — or variants of the malware — may eventually spread to other targets in other countries.
- Deployment requires privileged admin rights: The wiper leverages high privileges on the compromised host to make the host "unbootable" by overwriting the boot records and boot configuration, erasing device configurations, and deleting shadow copies (the local backups Windows keeps). Similar tactics were observed in the 2017 NotPetya ransomware attacks, which initially targeted Ukrainian infrastructure.
- Active Directory can be used as a launchpad: In one reported case, the wiper was deployed via Active Directory group policy, which means the threat actors already had privileged access to Active Directory. This pattern is typical of targeted, human-operated incidents, such as the 2021 Kaseya ransomware supply chain attack.
- Identity compromise is critical: It appears that the wiper is configured NOT to encrypt domain controllers. This keeps the domain running, so the wiper can use valid credentials to authenticate to other servers and encrypt those. This highlights the central role of identity in these attacks: by stealing or abusing the identities and credentials of employees or authorized third parties, threat actors gain access to the target network and move laterally within it.
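The four behaviours listed above (a binary signed in the name of "Hermetica Digital Ltd", a partitioning driver loaded from an unusual location, shadow-copy deletion, and raw writes to the physical disk where the MBR lives) are each individually observable in endpoint telemetry. The following is an added example, not code from the original article or from any vendor product, of how a defender might score those signals together on one host. The event shapes are loosely modelled on Sysmon-style process-creation, driver-load and raw-access records; the file names, paths and the "expected driver directory" heuristic are constructed assumptions, not indicators taken from the page.

```python
"""Heuristic triage of endpoint events for wiper-style behaviour (added example)."""
import re
from dataclasses import dataclass

# Assumption: legitimate kernel drivers are expected only under this directory.
DRIVER_DIR = r"c:\windows\system32\drivers"

# Shadow-copy deletion via the built-in administration tools.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)


@dataclass
class Finding:
    rule: str
    severity: int
    event: dict


def rule_hermetica_signer(ev):
    """Any file whose Authenticode signer matches the subject named in the advisory."""
    if "hermetica digital" in ev.get("signer", "").lower():
        return Finding("signed-by-hermetica-digital", 90, ev)
    return None


def rule_partition_driver_unusual_path(ev):
    """Driver load (event 6) of a partition-tool vendor's driver from outside DRIVER_DIR."""
    if ev.get("id") != 6:
        return None
    path = ev.get("image", "").lower()
    if "easeus" in ev.get("signer", "").lower() and not path.startswith(DRIVER_DIR):
        return Finding("partition-driver-unusual-path", 70, ev)
    return None


def rule_shadow_copy_deletion(ev):
    """Process creation (event 1) whose command line deletes Volume Shadow Copies."""
    if ev.get("id") == 1 and SHADOW_DELETE.search(ev.get("cmdline", "")):
        return Finding("shadow-copy-deletion", 60, ev)
    return None


def rule_raw_disk_write(ev):
    """Raw-access handle (event 9) opened for writing on a physical drive (MBR lives at sector 0)."""
    if ev.get("id") != 9:
        return None
    if ev.get("device", "").lower().startswith(r"\\.\physicaldrive") and ev.get("access") == "write":
        return Finding("raw-physical-disk-write", 80, ev)
    return None


RULES = [rule_hermetica_signer, rule_partition_driver_unusual_path,
         rule_shadow_copy_deletion, rule_raw_disk_write]


def triage(events):
    """Run every rule over every event; return all findings."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


def host_score(findings):
    """Distinct rules firing on one host add up (capped at 100); repeats of one rule do not."""
    distinct = {f.rule: f.severity for f in findings}
    return {"score": min(100, sum(distinct.values())), "rules": sorted(distinct)}


# Constructed sample events (not real telemetry); file names are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "signer": "Microsoft Windows"},
    {"id": 1, "image": r"C:\Users\Public\sample_placeholder.exe",
     "cmdline": "sample_placeholder.exe", "signer": "Hermetica Digital Ltd"},
    {"id": 6, "image": r"C:\Windows\Temp\partdrv_placeholder.sys", "signer": "EaseUS"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all", "signer": "Microsoft Windows"},
    {"id": 9, "image": r"C:\Users\Public\sample_placeholder.exe",
     "device": r"\\.\PhysicalDrive0", "access": "write"},
    {"id": 9, "image": r"C:\Windows\System32\defrag.exe",
     "device": r"\\.\PhysicalDrive0", "access": "read"},   # benign read: no finding
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity:3d}] {f.rule}: {f.event.get('image')}")
    print(host_score(found))
```

Each rule is weak on its own (partition tools do load drivers, administrators do delete shadow copies), which is why the host score rewards several distinct behaviours on the same machine rather than repeats of one. The signer rule is the most specific, since it is tied to the certificate subject the advisory names, but a certificate can be revoked or replaced, so the behavioural rules are what survive a variant.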
Because HermeticWiper requires the compromise of identities and the abuse of privileged credentials, risk mitigation efforts should focus on endpoint privileged access controls, such as removing local admin rights and protecting against credential theft. Highly privileged credentials, such as those for Active Directory and other Tier 0 assets, should be protected to help prevent lateral movement and network-wide infection.