Ukraine: new cyberattacks against companies and networks

ESET detected a cyber attack carried out with IsaacWiper against Ukrainian organizations, while Proofpoint discovered phishing attempts.

Cyberattacks against Ukrainian companies and government offices continue. ESET researchers discovered a second destructive wiper, named IsaacWiper, alongside HermeticWiper. Separately, Proofpoint identified a phishing attack against European government staff providing logistical support to refugees. Finally, attempts to scam users who donate cryptocurrencies were detected.

Wiper, phishing and scam

The first destructive attack was carried out with HermeticWiper, which rendered hundreds of computers in at least five Ukrainian organizations unusable. The HermeticWizard worm was used to spread the wiper across corporate networks (via SMB and WMI). The third component is HermeticRansom, ransomware used to encrypt files and demand a payment. A further destructive attack was carried out with IsaacWiper. ESET has not identified its authors, and there is no apparent code overlap with HermeticWiper, so the two may come from distinct groups. The purpose, however, is the same: making the files on disk inaccessible.

Separately, Proofpoint uncovered a spear-phishing campaign against European government personnel providing logistical support to refugees. The emails, which appear to come from members of the Ukrainian military, carry an attachment whose macro installs SunSeed, a downloader used to retrieve further malware from remote servers.

Finally, scammers trying to profit from the situation were bound to appear. The Ukrainian government has raised over $37 million in cryptocurrency donations. Someone is trying to fool users with emails, websites and forum posts that appear to come from the “Help Ukraine” movement; they are scams, and the donations end up in the wallets of cybercriminals.


Symantec has released an update on the wiper attack against Ukraine, highlighting the use of ransomware as a decoy or diversion. The vendor provided further details on the cyberattack that preceded Russia's invasion, finding that ransomware was deployed alongside HermeticWiper as a decoy or diversion.

Combined cyberattack against Ukraine

A first destructive attack on several Ukrainian organizations was carried out with the WhisperGate malware about a month ago. Yesterday's attack used HermeticWiper (detected by Symantec as Trojan.Killdisk) against companies in the IT, finance, aviation and defense sectors. The attackers exploited a Microsoft Exchange Server vulnerability to steal credentials, install a web shell, and then deploy the wiper. A Lithuanian organization was also hit; there the attackers exploited a Tomcat bug instead. Symantec found that ransomware was copied to the computers of Ukrainian companies at almost the same time as the wiper. The files were encrypted and the usual ransom note appeared on screen, listing the email addresses to contact for the decryptor, but no ransom amount was stated (it would presumably be communicated later). Symantec's enterprise products detect and block HermeticWiper, but further attacks could follow in the coming hours. At the moment the perpetrators are not known. The United States and the United Kingdom have attributed last week's DDoS attacks to the GRU (Russian military intelligence), which makes it likely that the same actors are behind the wiper.
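Two of the intrusion patterns described above leave a characteristic trace in endpoint telemetry: the HermeticWizard spread over SMB and WMI (a payload written to an administrative share, then a process launched on that host through WMI) from the "Wiper, phishing and scam" section, and the Exchange web-shell chain described here (the IIS worker process spawning a command shell before the wiper is deployed). The following is an added example of how a detection engineer might correlate those events; it is not code from ESET, Symantec or the original article. The event record layout, field names, hostnames, paths and timestamps are all constructed for illustration and are assumptions, not a real log format or real captures.

```python
"""Constructed detection example: correlate share writes and process
creations to flag (1) a file dropped on an admin share followed by a
WMI-launched process on the same host, and (2) an IIS worker process
spawning a shell, the classic sign of a web shell.

The simplified event schema below is an assumption for this example;
map it onto your own source (Sysmon, EDR, Windows Security log) as needed.
"""
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}          # remote-write targets worth watching
SHELLS = {"cmd.exe", "powershell.exe"}   # children that w3wp.exe should not spawn
WINDOW = timedelta(minutes=10)           # share write -> WMI exec correlation window

# Constructed sample events (not real telemetry). Sorted order is not required.
SAMPLE_EVENTS = [
    {"ts": "2022-02-23T16:48:10", "host": "ws-04", "kind": "share_write",
     "share": "ADMIN$", "src": "10.0.0.17", "path": r"\\ws-04\ADMIN$\svc.dll"},
    {"ts": "2022-02-23T16:49:02", "host": "ws-04", "kind": "proc",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # WMI-launched process with no preceding share write: ordinary admin tooling
    {"ts": "2022-02-23T17:30:00", "host": "ws-09", "kind": "proc",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # IIS worker process on an Exchange host spawning cmd.exe
    {"ts": "2022-02-23T12:01:33", "host": "exch-01", "kind": "proc",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    # Normal worker-process start: svchost.exe launching w3wp.exe is expected
    {"ts": "2022-02-23T12:05:00", "host": "exch-01", "kind": "proc",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path (last backslash component)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect(events):
    """Return a list of alert dicts, in timestamp order of the triggering event."""
    alerts = []
    recent_share_writes = {}  # host -> [(timestamp, source ip), ...]

    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        ts = parse_ts(e["ts"])

        if e["kind"] == "share_write":
            if e["share"].upper() in ADMIN_SHARES:
                recent_share_writes.setdefault(e["host"], []).append((ts, e["src"]))
            continue
        if e["kind"] != "proc":
            continue

        parent = basename(e["parent"])
        image = basename(e["image"])

        # Rule 1: WMI-spawned process shortly after an inbound admin-share write.
        # WmiPrvSE.exe parenting alone is common; pairing it with the share write
        # is what makes this look like a worm hop rather than admin activity.
        if parent == "wmiprvse.exe":
            sources = [src for (wts, src) in recent_share_writes.get(e["host"], [])
                       if ts - WINDOW <= wts <= ts]
            if sources:
                alerts.append({"rule": "smb_then_wmi_exec", "host": e["host"],
                               "ts": e["ts"], "src": sources[-1]})

        # Rule 2: IIS worker process spawning a shell (web shell behaviour).
        if parent == "w3wp.exe" and image in SHELLS:
            alerts.append({"rule": "webshell_child_process", "host": e["host"],
                           "ts": e["ts"], "src": None})

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block on the constructed events yields two alerts: the web-shell rule on exch-01 and the SMB-then-WMI rule on ws-04 (attributed to source 10.0.0.17); the WMI launch on ws-09 is left alone because no admin-share write preceded it. Both rules are behavioural rather than hash-based, which matters for a wiper campaign where the binaries change between targets and the ransomware is only a diversion.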