Russia-Ukraine cyber war: A look at DDoS attacks, HermeticWiper malware

Early January: ShuckWorm Group 

Cybersecurity firm Symantec reported that the Russia-linked ShuckWorm group (also known as Gamaredon, Armageddon) was “continuing to conduct cyber-espionage attacks against targets in Ukraine.” The cybersecurity firm noted in a blog post dated January 31 that they had “found evidence of attempted attacks against a number of organisations in the country.” The group primarily uses “phishing emails” as it tries to distribute malware to devices, including those capable of remotely manipulating devices. The attacks were reportedly ongoing since July 2021.

Cyberattacks against Ukrainian websites

On February 16, a series of cyberattacks knocked the websites of some ministries, some major banks and the Ukrainian army off the internet. At least 10 Ukrainian websites were unreachable because they were victims of a DDoS attack, where attackers use a network of computers to send a massive influx of requests to a server or web resource, rendering it unable to serve actual user requests.

HermeticWiper malware

On February 23, the Threat Hunter team at Symantec and researchers at cybersecurity company ESET announced the discovery of a new malware called “HermeticWiper”. This was named after the false digital certificate used to sign the file, which is issued under the name of a company named Hermetica Digital Ltd. This is wiper malware which means it is designed to wipe the hard drives or system storage of the systems it infects.

According to ESET researchers, the malware used against Ukrainian targets misused legitimate drivers of popular disk management software to corrupt data on the infected machine. The wiper was used to target Ukrainian organisations and according to ESET in at least one case, the threat actors had access to a victim’s network before unleashing the malware.

HermeticWiper works by first corrupting the Master Boot Record (MBR) for every physical drive. The MBR is a boot sector at the very beginning of partitioned hard drive storage that holds information on how the file system and partitions are organised in the particular drive. While that is enough to make the drive unbootable, it goes on to make the data unrecoverable by using bit manipulation to corrupt all the data in the drive. Finally, the malware initiates a system shutdown, finalising its effects on the system.

Due to this attack, customers of Privatbank, Ukraine’s largest state-owned bank, and Sberbank, another state-owned bank reported problems with online payments and the banks’ applications. The hosting provider for Privatbank and the Ukrainian army were among the attackers’ targets.

Anonymous declares war against Russia

On February 25, hacker group Anonymous declared a cyberwar against the Russian government. Since then, the group has claimed credit for a series of DDoS attacks that rendered many Russian sites, including various government websites and the website of Russia Today, a state-controlled international television network funded by the tax budget of the Russian government, unserviceable.

According to an AFP report, Anonymous also left messages on the Russian websites asking Russian users to put an end to the war. Anonymous’s Twitter handle is also referring to these operations against Russia and has posted several tweets of alleged attacks.

We do not steal from the people. https://t.co/yubseb4ODE

— Anonymous (@YourAnonNews) February 28, 2022

Meanwhile, a video claiming to be from Anonymous, threatening to withdraw money from Russian bank accounts if they don’t protest, has been called out as fake. The Twitter handle also posted that they do not steal from people and that such claims were fake.