Alert - Disruptive activity against Ukrainian organizations - update 1

Number: AL22-002
Date: 24 February 2022
Updated: 25 February 2022

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Overview

On 23 February 2022 the Cyber Centre became aware of a new disruptive malware, named HermeticWiper, targeting Ukrainian organizations (Footnote 1).

This Alert is being released to raise awareness and share open-source indicators associated with this activity.

Details

HermeticWiper abuses a benign, legitimately signed driver to corrupt the Master Boot Record (MBR) of every physical drive and each of its partitions, leaving the victim system unable to boot once it is shut down. HermeticWiper also modifies several registry keys to disable system crash dumps.
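A defender-side check, added here and not part of this Alert or the referenced vendor reports: given a raw 512-byte sector (a constructed sample is built below, with a deliberately wiped sector for comparison), it parses the MBR partition table and boot signature and reports the kinds of damage described above. Reading sectors from a live disk is left to the reader's forensic tooling.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = 0xAA55  # bytes 55 AA at offset 510, read little-endian


def parse_mbr(mbr: bytes) -> dict:
    """Parse a 512-byte MBR into its boot signature and four partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    signature = struct.unpack_from("<H", mbr, 510)[0]
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature": signature, "partitions": partitions}


def mbr_findings(mbr: bytes) -> list:
    """Return anomalies that suggest the MBR was overwritten or zeroed."""
    findings = []
    parsed = parse_mbr(mbr)
    if parsed["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature missing or overwritten")
    used = [p for p in parsed["partitions"] if p["type"] != 0 or p["sectors"] != 0]
    if not used:
        findings.append("partition table is empty")
    active = [p for p in parsed["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one partition flagged bootable")
    # Boot code on a bootable disk is never a single repeated byte.
    if len(set(mbr[:446])) == 1:
        findings.append("boot code region is uniform (likely wiped)")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: varied boot-code filler, one active NTFS partition."""
    boot_code = bytes(i % 251 for i in range(446))
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code + entry + bytes(48) + b"\x55\xaa"


if __name__ == "__main__":
    print("healthy:", mbr_findings(build_sample_mbr()))
    print("wiped:  ", mbr_findings(bytes(MBR_SIZE)))
```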

The malware has additional functionalities that are being investigated.

The referenced SentinelLabs blog post (Footnote 1) provides indicators of compromise for system owners and operators responsible for defending their systems and networks. The Cyber Centre has not verified the technical details described in that disclosure and is providing this information as is, for situational awareness and potential action. Recipients should verify the impact on their business services and network environments before implementing any blocks based on these indicators. The Cyber Centre does not accept liability for negative consequences resulting from the use of the information provided herein.

The Cyber Centre has currently received no indication of activity in Canada but is amplifying this information out of an abundance of caution. If the Cyber Centre acquires any additional information on this topic, it will be provided through an update or additional publication.

Should activity matching the content of this Alert be discovered, recipients are encouraged to report via the My Cyber Portal, contact the Cyber Centre by email (contact@cyber.gc.ca), or by telephone (1-833-CYBER-88 or 1-833-292-3788).

Update 1

In addition to SentinelLabs (Footnote 1), several security vendors have published articles detailing the HermeticWiper malware, which is named after the digital certificate it carries, and its associated indicators of compromise.

ESET published a summary of the activity surrounding the disruption and provided hashes for both the Symantec and SentinelLabs reports (Footnote 2).

Zscaler published an in-depth article that provides a technical analysis of actor infrastructure, HermeticWiper, and other related malware (Footnote 3). Zscaler also provides details, including indicators of compromise, on targeted campaigns against commercial and public entities in Ukraine.

Symantec published an article that provides several additional indicators of compromise and identifies the economic sectors targeted by the malware (Footnote 4). Symantec has identified evidence of related malicious activity beginning as early as November 2021. Ransomware may also have been deployed against victims at the same time as HermeticWiper.
