New worm and data wiper malware seen hitting Ukrainian networks

Newly discovered malware was deployed in destructive attacks against Ukrainian organizations and governmental networks before and after Russia invaded the country on February 24.

While analyzing these attacks, ESET Research Labs analysts discovered a new data wiper they dubbed IsaacWiper.

They also spotted a new worm named HermeticWizard used to drop a second wiper known as HermeticWiper with the help of WMI and SMB spreader modules.

These new malware strains haven’t been attributed to any known threat actors by ESET researchers, who also said they have yet to find links to other malware samples.

“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in a Ukrainian governmental organization that was not affected by HermeticWiper,” said ESET Head of Threat Research Jean-Ian Boutin.

HermeticWiper and IsaacWiper were also deployed in separate campaigns, the first observed on February 23, hours before the start of the invasion, spread using HermeticWizard across local networks together with the Go-based HermeticRansom ransomware.

IsaacWiper was used in a second series of attacks against a Ukrainian governmental network on February 24 and was found on a Ukrainian governmental network.

Targeted destructive malware attacks

Before the newly discovered HermeticWiper malware was dropped together with HermeticRansom decoys to render devices unbootable earlier this month, Ukraine was also struck in January by another series of destructive malware attacks deploying the WhisperGate wiper, also disguised as a ransomware payload.

“At this point, we have no indication that other countries were targeted,” the ESET researchers said. “However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities.”

Over the weekend, CISA and the FBI warned US orgs that the data wiping attacks against Ukraine could accidentally spill over to other countries’ networks.

Researchers with the Microsoft Threat Intelligence Center (MSTIC) also reported observing malware attacks targeting Ukraine and spotting HermeticWiper (which they track as FoxBlade).

These ongoing cyberattacks against Ukrainian organizations “have been precisely targeted,” Microsoft President and Vice-Chair Brad Smith said.

This contrasts to the indiscriminate malware assaults impacting Ukraine’s and other countries’ networks and economies during the 2017 NotPetya worldwide attack that was later linked to Sandworm, a Russian GRU Main Intelligence Directorate hacking group.

These destructive attacks are part of a “massive wave of hybrid warfare,” according to a press release issued by the Ukrainian Security Service (SSU) right before the war started.

You can find more technical information regarding the newly uncovered IsaacWiper data wiper and HermeticWizard worm together with indicators of compromise in ESET Research Labs’ report.

Call us or email us today to see how we can help!

Make Our IT Department your IT Department!

662-686-9009 |