ESET researchers have discovered several new threats to the Ukrainian government, including a wormable component to HermeticWiper.
Last week, the antimalware vendor published a blog detailing the new data-wiping malware it dubbed HermeticWiper that affected hundreds of machines in Ukraine. At least five organizations in the country suffered cyber attacks as a result, and ESET noted the timing as it "preceded the Russian military invasion by a few hours."
In a new blog Tuesday, ESET said not only did it uncover a wormable component to HermeticWiper dubbed HermeticWizard, but it also detected another wiper in a Ukrainian government network it is tracking as IsaacWiper.
The most recent malware was discovered Feb. 24, one day after HermeticWiper was used in the "destructive campaign" that targeted multiple Ukrainian organizations. The second attack, involving IsaacWiper, affected the Ukrainian organization from Feb. 24 through Feb. 26, according to the blog.
Researchers are currently assessing whether there is a link between the two wipers.
"It is important to note that it [IsaacWiper] was seen in an organization that was not affected by HermeticWiper," the blog said.
To date, no attributions have been made, and ESET has "no indication that other countries were targeted."
"However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities," the blog said.
Part of that risk stems from the wormable HermeticWizard component, which raises the potential for spillover attacks like those seen in 2017 with NotPetya and WannaCry.
During a Recorded Future webinar Monday on the Russian invasion of Ukraine, Insikt Group threat analyst Craig Terron said the use of false flags -- specifically the use of pseudo ransomware in the HermeticWiper attack -- was reminiscent of WhisperGate in January, and NotPetya and Bad Rabbit in 2017.
In addition to the new malware, ESET also observed ransomware it dubbed HermeticRansom "being used in Ukraine at the same time as the HermeticWiper campaign." One possible explanation researchers offered for the timing was that the ransomware was meant to "hide the wiper's actions."
In a tweet Tuesday, ESET said HermeticWizard was "signed using the same code-signing certificate as HermeticWiper, issued to Hermetica Digital Ltd." ESET said it assessed "with high confidence that the affected organizations were compromised well in advance of the wiper's deployment," in part because the code-signing certificate's issue date was April 2021, while the wiper was not deployed on a system in Ukraine until Feb. 23.
Though the initial access vector is currently unknown, according to the blog, there are indications that the attackers may have taken control of the Active Directory.
The initial access vector remains unknown for IsaacWiper as well, but ESET observed the use of a remote access tool, RemCom, on a few machines. The HermeticWizard worm was then used to spread the wiper in local networks.
"It has no code similarity with HermeticWiper and is way less sophisticated," the blog said.
Still, ESET said it is closely monitoring the situation and will update the blog as more information becomes available.