Should we prepare for an escalation of the Ukrainian conflict?

Asymmetric warfare and its consequences 

Since geopolitical tensions will probably remain high for some time, it is likely that countries whose governments actively support either Ukraine or Russia will be the target of cyberattacks. As the list of sanctions grows, so does the spectre of retaliation. But beyond retaliation, cyberattacks can go beyond their original scope. Like NotPetya, which had a colossal global impact but for which we do not know whether it got out of hand or whether its global spread—when it did cross the boundaries of its initial geographic territory—was orchestrated. This spread was made possible by the joint use of a vulnerability and a supply chain attack. Indeed, sophisticated attacker groups often use third parties to reach prime targets. Recent compromises of administration tools such as SolarWinds, Orion, Kaseya Virtual System Administrator, or Centreon are well known.

Several national cyber security teams, such as the French ANSSI or the British National Cyber Security Centre, have issued warnings and advice to deal with a possible resurgence of cyber threats. This advice should go beyond the borders of their issuing countries and be seen as essential to protect and mitigate both risks and impacts. The aim is to increase the level of protection for all companies, especially those with low cyber maturity and those that consider themselves to be remote from the geopolitical game and thus become easy targets.

APT actors active since the beginning of the conflict

Since at least 2014, critical infrastructure, the public sector, and businesses have been regular targets of advanced attacks in Ukraine. Both for the symbolic value they represent and for the destabilising effects achieved. The objectives of theses attacks range from information gathering to espionage and outright sabotage. The methods are consistent with those of APT groups and the targets are diverse, with both state and private organisations. One of them, Industroyer, remains a case study. This attack combines the following characteristics: APT attack; complete arsenal; prepared, silent, and persistent operation; and mastery of the language of driving industrial equipment such as circuit breakers.

Sabotage by data erasure: the more radical recent attacks

Four attacks share the same objective: the logical destruction of the targeted machines. Following the WhisperGate malware that appeared in January 2022, let us analyse in detail three campaigns that were launched from 23 February 2022.

The first one—called HermeticWiper—comes in 3 components: the wiper (deletes data from machines), the deployment tool (HermeticWizard), and a ransomware decoy (HermeticRansom). At this stage, we have not found any tangible link to a known modus operandi. HermeticWiper, HermeticWizard, and HermeticRansom show no significant code similarities to other malware in our collection (of over 3 petabytes). HermeticWiper and HermeticWizard are signed by a certificate attributed to Hermetica Digital Ltd and issued on 13 April 2021. According to a Reuters report, it appears that this certificate was not stolen from Hermetica Digital. We can assume that the attackers posed as a Cypriot company to obtain this certificate legitimately. Thus, we believe—with a high degree of certainty—that the affected organisations were compromised long before the wiper was deployed. This is based on several facts:

• The HermeticWiper PE compilation timestamps, the oldest being 28 December 2021;
• The code-signing certificate issue date of 13 April 2021; and
• The deployment of HermeticWiper through GPOs (manual operation) in at least one instance, which suggests that the attackers had prior access to one of that victim’s Active Directory servers.

The second campaign is based on IsaacWiper, which appeared in our telemetry on 24 February 2022. The oldest compilation timestamp we found was 19 October 2021. If it has not been tampered with, IsaacWiper could have been used in previous operations several months earlier. It has no code similarity with HermeticWiper and is way less sophisticated. Given the timeline, it is possible that both are related but we have not found any strong connection yet.

The third campaign is called CaddyWiper. This malware was first detected at 11:38 local time on Monday 14 March 2022. The wiper has been detected on several dozen systems in a limited number of organisations. Its analysis is still ongoing.

Launched in close proximity to each other, these data erasure sabotage campaigns have—to date—no proven code similarities, nor are they attributable to one single modus operandi. They add to the long list of attacks on Ukrainian territory since at least 2014, with the particularity of seeking to destroy and disable their targets, leaving aside the financial motivations of the ransomware of recent years.

Preparing for cyberattacks, again; raising awareness, again and again

Being subjected to a cyberattack is very stressful and confusing, both for the company and its staff. The road to protect oneself is long and bumpy; it requires to take along all actors with access to digital tools. On this road, we encounter individuals who have already upgraded: the cyber crooks. You will no longer see messages trying to get past spam filters by surfing on the theme of COVID or the sale of masks. As one crisis leads to another, sites supporting the victims of the conflict are flourishing and looking for generous donors. The number of domain name registrations containing “Ukraine” is rising sharply, with their sites displaying images that play on our emotions to convince us to help the victims. On social media, other schemes seek to extract cryptocurrencies from us. As long as the crisis is in the headlines around the world, scammers will continue to look for ways to exploit the misery of war-affected people for their own gain. The worst part is that falling for a charity scam affects not only you, but also the recipients of the aid, which makes this type of fraud all the more deplorable.

However, mutual aid exists and is a reality. Many companies are providing support to the population, and companies in the world of cybersecurity and IT are mobilising. We have decided to publish as much of our research as possible in open sources, so that it can benefit as many people as possible. The markers are available in our white papers and on our GitHub https://github.com/eset/malware-ioc/search?q=ukraine. These elements are immediately actionable—in the form of indicators or YARA rules—to protect ourselves or to search for traces of threats within information systems.