New data wiper malware hits Ukraine targets

A new data-wiping malware known as HermeticWiper has compromised hundreds of computers in Ukraine via a series of cyber attacks, according to research released Wednesday by antimalware vendor ESET.

The malware was first seen at approximately 5 p.m. Eastern European Time (10 a.m. EST) Wednesday, hours after a wave of distributed denial-of-service (DDoS) attacks were launched against a number of Ukrainian websites primarily connected to the government.

ESET said the malware abuses legitimate EaseUS Partition Master software drivers in order to corrupt and destroy data. The malware's name, HermeticWiper, references the code-signing certificate the attackers used, issued to Hermetica Digital Ltd. The apparent shell company is based in Cyprus and was registered last year.

HermeticWiper marks the second major disk-wiping malware used against Ukraine this year. In January, Microsoft reported a series of attacks caused by WhisperGate malware, which appears as ransomware before destroying user data regardless of whether the victim attempts to pay or not.

In a blog post published Thursday, Broadcom-owned Symantec mentioned that a similar tactic is being used with HermeticWiper, which Symantec refers to as Trojan.Killdisk.

"In several attacks Symantec has investigated to date, ransomware was also deployed against affected organizations at the same time as the wiper," the post said. "It appears likely that the ransomware was used as a decoy or distraction from the wiper attacks."

Symantec said activity related to the wiper can potentially be traced back to last fall. One Ukrainian organization appeared to have been compromised as of late December before the attackers installed a web shell in January and deployed the malware on Feb. 23. In another case, a Lithuanian organization was compromised from "at least" Nov. 12 onward.

SearchSecurity asked both vendors for more details about the threat actor behind the attacks. Symantec declined to comment, and ESET did not respond.

Neither Symantec's nor ESET's research attributed the attacks to a specific threat actor. However, the wiper malware's deployment occurred as Russia began its invasion against Ukraine.

In the weeks prior to the escalation, public and private sector organizations, including the Cybersecurity and Infrastructure Security Agency, have raised awareness campaigns to help organizations and individuals prepare for possible cyber attacks from Russia.

Alexander Culafi is a writer, journalist and podcaster based in Boston.