New data-wiping ++malware++ has been spotted infecting hundreds of computers in Ukraine as Russia invades the country.
IT security companies began noticing the malware on Wednesday, Feb. 23 ahead of the Thursday morning Russian invasion. The malware, dubbed HermeticWiper, is designed to both erase Windows devices and corrupt the system, preventing the OS from loading.
In an email, security firm ESET said it’s seen hundreds of machines affected in several organizations across Ukraine thus far, but there are likely more sites. “It is assumed the data was destroyed; the malware appears to be very effective,” ESET said.
Symantec, on the other hand, ++said++ the malware has been targeting “organizations in the financial, defense, aviation, and IT services sectors.”
HermeticWiper corrupts a Windows PC’s ++master boot record++, which tells the computer how to load the OS, ++according++ to IT security firm SentinelOne. It does this by leveraging legitimate drivers from EaseUS Partition Master, a free program, to corrupt a computer’s hard drives. The malware itself is also signed with a digital certificate from an obscure company in Cyprus called “Hermetica Digital Ltd,” which SentinelOne suspects may be a shell company or a defunct firm.
“Initial indications suggest that the attacks may have been in preparation for some time,” Symantec added, citing early evidence showing the hacker behind the malware had broken into the Ukrainian organizations’ IT networks months before.
In one case, the hackers infiltrated a Ukrainian organization’s network on Dec. 23 by exploiting Microsoft Exchange Server to steal a login credential. Symantec has also spotted the hackers deploying ++ransomware++ at the same time as HermeticWiper, probably as a decoy to distract the Ukrainian organizations from noticing the data-wiping attack.
“With an invasion now underway, there remains a high likelihood of further cyber attacks against Ukraine and other countries in the region,” Symantec added.
It’s not the first time destructive malware has hit Ukrainian computers in recent weeks. Last month, Microsoft ++warned++ it had spotted another piece of malware hitting Ukrainian organizations, capable of also corrupting a PC’s master boot record.