Eric Geller
Feb 23, 23 tweets, 8 min read
Notable point from ESET's thread about new data-wiping malware that it discovered on hundreds of computers in Ukraine today.
Symantec's Eric Chien tells me: "We are seeing the wiper across multiple organizations in different sectors in the Ukraine including finance and government organizations. The wiper uses a legitimate driver to gain low level hard disk access to wipe data."
"We haven't yet documented the full attack chain," Chien says, "but it is clear in some organizations they had credentialed access already."

Aligns with what ESET tweeted about Active Directory access.
Chien says Symantec is also seeing the wiper in Lithuania, "but at this time it isn't clear if these are distinct organizations."

These could be infections of Ukrainian companies with international offices.

Symantec hasn't seen attacks on companies based outside of Ukraine.
Jean-Ian Boutin, head of ESET's threat research team, says the wiper targeted "large organizations."

"The malware based on its time stamp was created two months ago, however it was deployed only today and we have seen it only in Ukraine."
ESET has seen "several organizations targeted" but isn't ready to provide numerical estimates, a spokesperson says. They've seen more than the two organizations cited by Symantec.
Symantec's Chien says the government organizations they're seeing targeted by the wiper are contractors involved in "supporting the military sector."

Number of targets likely to change rapidly as analysts review data. Symantec has seen 3 as of now, but don't read much into that.
As of now, Symantec has seen the wiper in Ukraine, Latvia, and Lithuania, per a statement a few minutes ago from their PR team.

They reiterate that so far they've seen attacks on financial companies and government contractors. (Chien told me they're military contractors.)
Ukraine #HermeticWiper malware is "incredibly thorough," @juanandres_gs told me tonight. "It's got at least five or six different ways that it's trashing different aspects of the operating system."

"It makes WhisperGate look like it was written by script kiddies," he said.
#HermeticWiper will look for as many as 100 physical drives to erase, trash the Master Boot Record, trash user folders, trash the Windows Registry, and then target the filesystem "and actually try to wipe things by sector," Guerrero-Saade said.
The wiper exploits a Microsoft feature that configures settings across multiple computers on a network, so it's designed for networks where the attacker has that kind of broad access.

It's "fire-and-forget," Guerrero-Saade said, compared to WhisperGate, which needed more input.
Guerrero-Saade likened #HermeticWiper to Shamoon (Saudi Aramco hack) and Destover (Sony hack) in that it deploys and abuses a driver for a legitimate program (in this case, EaseUS Partition Manager) to bypass the normal obstacles to deep hard-drive control that malware faces.
#HermeticWiper also doesn't appear to work on Windows 10, Guerrero-Saade told me, which is fine for Ukraine, where most computers run older versions of Windows — in many cases, pirated versions.
Partition Master, not Partition Manager, sorry.
#HermeticWiper accepts command-line arguments, suggesting that the hackers could have deployed it via a script, according to CrowdStrike's @Adam_Cyber.

The two commands tell the malware:

(1) how long to stay asleep on a target before activating
(2) when to shut the PC down
Meyers called #HermeticWiper "pretty nasty" and noted that it disables a Windows security feature called Volume Shadow Copy, which creates backups of files. A lot of ransomware does this.

"It takes some care to make sure that it's going to make a big mess for the target."
New Symantec report on Ukraine #HermeticWiper malware:

"Sectors targeted included organizations in the financial, defense, aviation, and IT services sectors."

Ransomware deployed ("likely" as a decoy) in some cases.

symantec-enterprise-blogs.security.com/blogs/threat-i…
In case you're wondering where the malware's name comes from: Symantec says it's delivered "in the form of an executable file, which is signed by a certificate issued to Hermetica Digital Ltd. "
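A defender-side check that follows from the details in this thread, added here as an example rather than code from Symantec, ESET, CrowdStrike or the thread's author: it lists executables whose Authenticode signer subject names "Hermetica Digital Ltd" (the certificate the thread cites), lists running kernel drivers signed by the partition-tool vendor, and reports whether Volume Shadow Copy is still running with copies present. The scan path and the "EaseUS" signer string are assumptions, and a vendor-driver hit on a machine that legitimately has the tool installed is expected.

```powershell
# Added example (not from the thread or from Symantec/ESET): defender-side checks for the
# indicators the thread describes. ScanPath and the EaseUS vendor string are assumptions.
param(
    [string]$ScanPath = "C:\Users",                   # assumption: where dropped binaries might sit
    [string]$SignerPattern = "Hermetica Digital Ltd", # certificate subject named in the thread
    [string]$DriverVendorPattern = "EaseUS"           # assumption: vendor string in the abused driver's signer
)

# 1. Executables whose Authenticode signer matches the certificate subject the thread names.
#    The match is on the subject only, so a revoked or otherwise invalid signature still counts.
$suspectFiles = Get-ChildItem -Path $ScanPath -Recurse -Include *.exe,*.dll,*.sys -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -like "*$SignerPattern*") {
            [pscustomobject]@{ Path = $_.FullName; Subject = $sig.SignerCertificate.Subject; Status = $sig.Status }
        }
    }

# 2. Running kernel drivers signed by the partition-tool vendor. A legitimate install of the tool
#    also matches, so confirm a hit against the software inventory rather than treating it as proof.
$suspectDrivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq "Running" -and $_.PathName } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''   # strip the \??\ prefix some entries carry
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -like "*$DriverVendorPattern*") {
                [pscustomobject]@{ Service = $_.Name; Path = $path; Subject = $sig.SignerCertificate.Subject }
            }
        }
    }

# 3. Volume Shadow Copy state: the thread notes the wiper disables it, as much ransomware does.
$vss     = Get-Service -Name VSS -ErrorAction SilentlyContinue
$shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)

# Summary object first, then the detail rows for anything that matched.
[pscustomobject]@{
    SignedByNamedSubject = @($suspectFiles).Count
    VendorDriversRunning = @($suspectDrivers).Count
    VssServiceStatus     = if ($vss) { $vss.Status } else { "not found" }
    ShadowCopies         = $shadows.Count
}
$suspectFiles   | Format-Table -AutoSize
$suspectDrivers | Format-Table -AutoSize
```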
Reuters interviewed the man whose small business's name was found in the code of the #HermeticWiper malware menacing Ukraine.

He says he has nothing to do with it.

reuters.com/world/europe/c…
Juan Andrés is continuing to dig into the #HermeticWiper malware found in Ukraine
