HermeticWiper: What We Know About New Malware Targeting Ukrainian Infrastructure (Thus Far)
As geopolitical tensions continue to mount, reports are emerging of a new wiper malware targeting Ukrainian infrastructure, such as government departments. Symantec and ESET research first tweeted about the new strain, dubbed HermeticWiper, on February 23. The malware has since been observed in the neighboring countries of Latvia and Lithuania. This follows a string of distributed denial-of-service (DDoS) cyber attacks and other recent threats in the region.
CyberArk Labs is closely following this unfolding situation. The HermeticWiper infections observed thus far appear to follow a familiar path: initial foothold achieved by exploitation of external-facing servers and compromised identities leveraged to move laterally. And, as is so often the case, privileged access appears to play a critical role in these attacks.
Based on initial analysis, the team has identified some specific characteristics of the malware:
- Attacks are highly targeted: So far, the HermeticWiper attacks have been highly targeted. Specifically, the distribution of the wiper does not seem to be leveraging supply chain vulnerabilities or other “super-spreader” techniques to scale the attacks. This means that infection will not quickly spill to other geographies. However, initial analysis of the wiper does not reveal scoping parameters such as keyboard language settings, clock time zone, external IPs, etc., meaning the malware — or variants of the malware — may eventually spread to other targets in other countries.
- Deployment requires privileged admin rights: The wiper leverages high privileges on the compromised host to make the host “unbootable” by overriding the boot records and configurations, erasing device configurations and deleting shadow copies (backups). Similar tactics were observed in the 2017 NotPetya ransomware attacks, which also targeted Ukrainian infrastructure initially.
- Active Directory can be used as a launchpad: In one reported case, the wiper software deployed using Active Directory group policy, which means the threat actors had privileged access to Active Directory. This scenario is more commonly used in targeted, human-operated incidents, such as the 2021 Kaseya ransomware supply chain attack.
- Identity compromise is critical: It appears that the wiper is configured to NOT encrypt domain controllers. This allows the domain to keep running, enabling the wiper software to utilize valid credentials to authenticate to servers and encrypt those. This highlights the critical role of identity in these attacks. By stealing or abusing the identities and credentials of employees or authorized third parties, threat actors can access the target network and/or move laterally.
Because HermeticWiper requires the compromise of identities and the abuse of privileged credentials, risk mitigation efforts should focus on endpoint privileged access controls, such as the removal of local admin rights and credential theft protection. Highly privileged credentials, such as those for Active Directory and other Tier 0 assets, should be protected to help prevent lateral movement and network infection.
CyberArk Labs continues to seek new samples and variants of this malware and will share the results of additional testing and analysis as it becomes available.