Isaac Wiper is the name of the new malware identified by Eset. It hit government networks in Kiev. All the details
The cyber front continues to expand in the war in Ukraine. Isaac Wiper is the name of the new malware detected in attacks on government organizations in Ukraine. It comes after Hermetic Wiper, the malware used in recent days in actions against Ukrainian government agencies and banks. This type of malware can destroy the data on a device and also undermine the correct functioning of the running operating system.

"The discovery was made by researchers from the security company Eset; for the moment there is no evidence of similar incidents beyond the borders of that country," Ansa reports today.

And just yesterday Microsoft announced that it had traced another virus, called FoxBlade, which appeared on the cyber scene in the hours just before Russia invaded Ukraine.

The initial HermeticWiper / FoxBlade attacks targeted organizations "predominantly located in or connected to Ukraine" on February 23, Microsoft said on its blog. Other researchers noted that HermeticWiper struck Ukrainian organizations several hours before the Russian invasion of Ukraine.

In the wake of wiper attacks such as HermeticWiper, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) in the US have issued a warning that wiper malware observed in Ukraine may also impact organizations outside the country.

But the alert for cyber attacks is also at its highest in Italy. In relation to the evolution of the conflict in Ukraine and the resulting geopolitical situation, today the National Cybersecurity Agency again recommends that all national digital infrastructure operators "raise the level of attention".

All the details.

HOW ISAAC WIPER MALWARE WORKS IN UKRAINE

According to Eset experts, Isaac Wiper is composed of a phase that infects local networks, followed by ransomware that takes devices hostage but also acts as a diversion.

"As for IsaacWiper, we are currently evaluating its possible links to HermeticWiper. It is important to note that we have found IsaacWiper in a Ukrainian government organization not influenced by the former HermeticWiper," said Jean-Ian Boutin, Head of Threat Research at Eset.

In a new blog post, the company said the IsaacWiper attack probably "began shortly after the Russian military invasion and hit a Ukrainian government network."

AT THE MOMENT THE ATTRIBUTION IS NOT KNOWN

There is, at the moment, no evidence attributing these cyber-attacks to Russia. "The tools suggest that the attacks have been planned for many months," Eset experts say. For now, the attacks have not been attributed to a specific hacker group.

THE ALARM FROM THE ITALIAN NATIONAL CYBER AGENCY

Close to the conflict, two other wiper-type viruses, which delete data and render infrastructure unusable, were identified, and the Italian Cybersecurity Agency has also sounded the alarm about them.

On the very day of the Russian attack on Ukraine, the National Cybersecurity Agency invited Italian companies and administrations to "urgently implement the available compromise indicators" on the website of the CSIRT (the incident response team that operates within the Agency). It also called for "raising the level of attention by adopting as a priority the mitigation actions" reported.

THE NEW CSIRT ALERT

And today the CSIRT has issued a new alert. "Security researchers have detected the spread of new malware against Ukrainian organizations," the site reads.

In detail, these are: IsaacWiper, "wiper" type malware; HermeticWizard, malware whose task is to distribute "wipers" on a local network via WMI and SMB; and HermeticRansom, ransomware (written in the Go language).

SUGGESTED MITIGATION ACTIONS

Finally, the CSIRT concludes with the suggested mitigation actions.

"Where not already done and in addition to the adoption of best practices in the field of cybersecurity, it is recommended to implement the compromise indicators available in the annex", the website reads. "And to raise the level of attention by adopting as a priority the mitigation actions listed in the previous publications of this CSIRT".