Digital Sleuths Track Clues in Hacks on Ukrainian Government, Banks

(Bloomberg) — As missiles landed in Ukraine on Thursday morning, the country’s cybersecurity defenders were already hard at work. Prior to the Russian military invasion, hackers had launched a series of attacks aimed at disrupting Ukrainian government websites as well as banking, defense, and aviation services.

Ukraine’s State Service of Special Communication and Information Protection said it had observed on Wednesday phishing attacks on public authorities and critical infrastructure, as well as attempts to penetrate private sector networks. It said it had “unambiguously” identified Russian special services as being behind some of the efforts. 

Specialists working for Ukraine’s government worked overnight to assist some of the affected companies and government departments, according to two people involved in the work.

Researchers at the cybersecurity firm ESET LLC said they identified more than three Ukrainian organizations that were targeted on Wednesday with destructive malware, named “HermeticWiper,” designed to corrupt computers and render them inoperable. The malware had infected a few hundred computers at those organizations, according to Jean-Ian Boutin, ESET’s head of threat research.

“This was not a widespread attack. They pinpointed specific organizations and then went in and deployed the malware,” said Boutin, who declined to name the specific organizations affected. “The fact that this happened a few hours before the full-scale invasion, it leads us to believe these organizations were targeted for a reason.”


The hacking tool is also capable of wiping data from affected devices, a similar capability to hacking tools that Microsoft Corp. detected in malware used against Ukrainian agencies in January.

Researchers at Symantec, a division of Broadcom Software, said that they had identified HermeticWiper malware on Wednesday targeting organizations in the financial, defense, aviation, and IT services sectors. In some cases, they said, hackers had simultaneously deployed ransomware on computers to trick victims into believing they were being extorted by criminals, when in fact the only goal was to sabotage computers.

Vikram Thakur, technical director at Symantec, said the company had identified three organizations that were hacked. One organization in Ukraine had about 50 computers infected with the destructive malware, he said. Two companies in Latvia and Lithuania – each with strong links to Ukraine and its government – had dozens of their computers breached.

There were signs the attacks had been planned several months ago, Thakur said.

Evidence suggested the Lithuanian organization had been hacked in November 2021, he said, meaning the hackers may have been waiting patiently inside its systems to activate their malware in a coordinated attack.

“The service that these organizations provide is of high value to the Ukrainian government,” Thakur said. “Targeting them is probably intended to cause longer-term disruption.”

The malware’s code was digitally signed with a certificate issued last year to a company named Hermetica Digital Ltd., according to several cybersecurity companies including ESET and Symantec. The firm shares a registered office in Nicosia, Cyprus, with an art and cakes business, according to company records. Hermetica Digital couldn’t be reached for comment.

Thakur said he believed the company’s code signing certificate may have been leaked or stolen as it had previously been used to sign other files, almost all of which were unrelated to the hacking campaign in Ukraine. Researchers at cybersecurity firm SentinelOne Inc. wrote in a blog post that it was possible that the attackers had “used a shell company or appropriated a defunct company to issue this digital certificate.”

Some cybersecurity experts said the malware was basic and unsophisticated, which they warned could be a sign that worse is yet to come.

“As a nation-state sponsored group you don’t always want to use your heaviest machinery at first,” said Amit Serper, director of security research at Akamai Technologies Inc. “If all you want to do is corrupt some drives and make computers not work, there is no need to use the best weapons in your arsenal. Something quick and dirty that gets the job done will have the same effect.”

“It is quite an ominous sign,” said Serper. “But they are already bombarding buildings with rockets. So some malware that corrupts computers is maybe not the most ominous thing that is going on here.”

The Russian government has consistently denied involvement in malicious cyber activity.


©2022 Bloomberg L.P.