Russian-linked malware cyberattacks: what you need to know about Hermetic Wiper and Cyclops Blink
These wiper attacks are designed to identify and destroy data housed on infected machines and appears to be consistent with similar DDoS attacks against the nation during this period. The US Cybersecurity & Infrastructure Security Agency (CISA) issued a “Shields Up” advisory in the wake of these attacks, while the UK’s National Cyber Security Centre (NCSC) advised British organizations to prioritize and strengthen their cyber resilience.
At the same time, new Russian-linked malware has emerged and has already infected the devices of networking hardware company WatchGuard. These devices may not be the primary target but do enable the actor behind this malware to infect other devices or launch attacks on other servers.
This advice is predominantly aimed at US-based organizations, though Outpost24’s advice would be for all organizations to take such advice on board in light of current geopolitical circumstances to ensure a robust cybersecurity posture–particularly when it comes to protecting against supply chain incidents that are increasingly common and could surface as a result of the ongoing conflict. For WatchGuard device users, our advice is to disconnect all devices with an internet-facing management interface until the proposed remediation steps have been completed.
In this article, we will analyze these Russian-linked malware attacks, the alleged group behind them, and offer guidance on how organizations can tighten their security exposure to such threats.
HermeticWiper is the name given to the data wiper used in the initial cyberattacks against Ukraine. It is understood to be laterally targeting Windows devices in a bid to manipulate the systems, cause boot failure and ultimately disable computers and devices.
This is an attack vector favored by Russian threat groups and is reminiscent of the infamous NotPeya attack which caused similar destruction in Ukraine (and in other regions globally) in 2017.
First identified on February 23, 2022, HermeticWiper achieves its goal by running legitimate drivers from the EaseUS Partition Master software which it uses to enable low-level disk operations. From there, HermeticWiper disables the Volume Shadow Copy Service (VSS) and destroys itself by overwriting its own file with random data bytes. This ensures that the malware not only wreaks the intended havoc, but also leaves little-to-no fingerprints should a post-incident analysis occur. In this process it also destroys the Master Boot Record, and the partition tables present on the physical disks, rendering the device unusable.
HermeticWiper is believed to be spread by HermeticWizard, a worm component designed to identify and spread the wiper into separate compromised networks.
In conjunction, another data wiper has been identified as being used against Ukraine. The second wiper, dubbed IsaacWiper, was first reported by ESET on Tuesday 1st March, though our Threat Intelligence team believes that this malware predates HermeticWiper.
At the time of writing, HermeticWiper has spread across hundreds of machines throughout Ukraine and taken down core government and financial digital infrastructure in the region in the form of websites and online portals.
On another front, a new malware dubbed Cylcops Blink has surfaced, believed to be a replacement for the VPNFilter malware that is commonly attributed to the Sandworm group. The group has so far targeted WatchGuard’s network-enabled hardware, though this does not prove the organization is the final target; the attackers may conduct further attacks separately or from the infected WatchGuard devices. Sandworm is likely to utilize this malware for other architectures and firmware, though at the time of writing there is no evidence to suggest Cyclops Blink is being used alongside the recent HermeticWiper attacks in Ukraine.
Sandworm is a threat actor group heavily associated with the recent attacks in Ukraine, and considered one of the most dangerous current hacking groups active today. Believed to have orchestrated the previously mentioned NotPetya attack, this group also rose to infamy following a series of attacks against the 2018 Winter Olympics, a spear-phishing campaign against world leaders, multiple other attacks against Ukraine and Georgia over the past 15 years.
Our threat intelligence company Blueliv's research below outlines the TTPs of Sandworm’s attacks in the MITRE ATT&CK framework, most notably its reliance on phishing campaigns and the exploitation of public-facing applications and valid accounts to escalate its attacks from the reconnaissance and development phases to initial access ahead of execution.
The Outpost24 Group’s advice to businesses
To ensure your organization have a robust cybersecurity posture in the face of these emerging Russian-linked threats, we advise the following actions be taken:
- Review your current threat landscape using our actionable intelligence based on geography, industry segment, and exposed infrastructure that threat actors are targeting. Such intelligence is a proven counter measure for phishing attempts, as favored by Sandworm and other prolific actors.
- Examine your external attack surface to identify and prioritize any internet-exposed applications, APIs or services, and take necessary steps to secure those with high criticality. This is particularly prevalent in the case of WatchGuard users (and users of other public-facing applications) whose network-facing devices may have already been infected.
- Evaluate your organization’s access posture by reviewing user password hygiene. Identify weak, compromised, or duplicate passwords and stolen credentials to prevent the use of valid account credentials being used as an access point by criminals looking to execute an attack against your organization.
Outpost24 is here to provide your organization with industry-leading solutions that garner actionable insights that protect your business against the rising tide of cyber threats that may impact your business operations today or in the future.