A new data-wiper malware has been discovered on an undisclosed Ukrainian government network, a day after several institutions in the country were hit by destructive cyberattacks ahead of Russia's military incursion. It has been dubbed "IsaacWiper" by ESET, a Slovakian cybersecurity firm. The malware was found on February 24 in an organization that had not been affected by HermeticWiper (aka FoxBlade), a data-wiping malware that struck multiple entities on February 23 as part of a sabotage operation aimed at rendering machines unusable.
Further investigation into the HermeticWiper attacks, which infected at least five Ukrainian organizations, has revealed a worm component that spreads the malware across the compromised network and a ransomware module that serves as a “distraction from the wiper attacks,” confirming a previous Symantec report. “These destructive attacks leveraged at least three components: HermeticWiper for wiping the data, HermeticWizard for spreading on the local network, and HermeticRansom acting as a decoy ransomware,” the company said.
According to a different investigation of the new Golang-based ransomware, nicknamed “Elections GoRansom” by Russian antivirus firm Kaspersky, it was “likely used as a smokescreen for the HermeticWiper attack due to its non-sophisticated style and poor implementation.” HermeticWiper is also meant to obstruct analysis by erasing itself from the disk by overwriting its file with random bytes as an anti-forensic tactic.
The malware artifacts show that the intrusions had been planned for several months, and the targeted organizations were compromised well before the wiper was deployed, according to ESET, which has not found "any tangible connection" that would attribute these attacks to a known threat actor.
The initial access vectors used to deploy both wipers also remain unknown. However, the attackers are thought to have used lateral-movement and malware-distribution tools such as Impacket and RemCom, a remote shell program. IsaacWiper shares no code-level similarities with HermeticWiper and is far less complex, although it likewise attempts to enumerate all physical and logical drives before carrying out its file-wiping operations.