Recent cybersecurity developments have revealed a significant escalation in cyberattacks aimed at Ukraine, coinciding with the country’s ongoing military conflict. Cybersecurity experts from ESET and Broadcom’s Symantec have reported the emergence of a new wiper malware, identified as HermeticWiper (also known as KillDisk.NCV), which has been actively deployed against numerous systems across the country. This follows a formal escalation of military actions initiated by Russian forces.
Evidence suggests that the malware has been in the making since late December 2021, signifying that preparatory efforts by the attackers were likely underway for almost two months prior to the actual deployment. The wiper’s designation by ESET highlights its method of destruction, employing a legitimate driver from EaseUS Partition Master software to corrupt critical data sectors, including the Master Boot Record (MBR) of physical drives, effectively incapacitating infected machines.
ESET further reported that the malware is digitally signed with a certificate issued to Hermetica Digital Ltd. This illustrates how trusted software mechanisms (a valid code-signing certificate and a legitimate, signed third-party driver) can be used to deliver a malicious payload, a tactic catalogued in the MITRE ATT&CK framework. In ATT&CK terms, the incident points to techniques such as initial access via signed software, together with data-destruction techniques under the “Impact” tactic.
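The detection lesson from the two paragraphs above is that a signed driver is not the same as a trustworthy driver: the wiper reused a legitimately signed partition-manager driver to reach the MBR. The following added example (not code from ESET, Symantec or the original article) scores Sysmon Event ID 6 (DriverLoad) records by signer, load path and signature status; the field names follow Sysmon's DriverLoad event, while every path, signer string and log line is a constructed, hypothetical sample.

```python
import re
from dataclasses import dataclass

# Publishers whose drivers are legitimate but were abused in the HermeticWiper
# case: the EaseUS partition-manager driver and the Hermetica Digital signing
# certificate named above. A match is a triage signal, not proof of malice.
WATCHLIST_SIGNERS = ("easeus", "hermetica digital")
# Kernel drivers are normally loaded from the system drivers directory; a load
# from a user-writable path is itself worth a look.
EXPECTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

@dataclass
class DriverLoad:
    image: str        # ImageLoaded
    signed: bool      # Signed
    signer: str       # Signature (publisher)
    sig_status: str   # SignatureStatus

def parse_event(line: str) -> DriverLoad:
    """Parse a flattened 'Key: value | Key: value' Sysmon EID 6 record."""
    fields = {k: v.strip() for k, v in re.findall(r"(\w+): ([^|]+)", line)}
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        signed=fields.get("Signed", "false").lower() == "true",
        signer=fields.get("Signature", ""),
        sig_status=fields.get("SignatureStatus", ""),
    )

def reasons_for(ev: DriverLoad) -> list:
    """Return the findings for one driver load (empty list == benign)."""
    out = []
    if any(w in ev.signer.lower() for w in WATCHLIST_SIGNERS):
        out.append(f"watch-listed signer: {ev.signer}")
    if not ev.image.lower().startswith(EXPECTED_DRIVER_DIR):
        out.append(f"loaded outside drivers directory: {ev.image}")
    if not ev.signed or ev.sig_status.lower() != "valid":
        out.append("unsigned or invalid signature")
    return out

def find_suspicious(lines):
    """Return [(image, findings)] for every record with at least one finding."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        found = reasons_for(ev)
        if found:
            hits.append((ev.image, found))
    return hits

# Constructed sample records; every path and signer string here is hypothetical.
SAMPLE_LOG = [
    r"ImageLoaded: C:\Windows\System32\drivers\storahci.sys | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid",
    r"ImageLoaded: C:\Users\Public\partdrv_placeholder.sys | Signed: true | Signature: EaseUS Software (hypothetical) | SignatureStatus: Valid",
    r"ImageLoaded: C:\Windows\Temp\x_placeholder.sys | Signed: false | Signature: - | SignatureStatus: Unavailable",
]
```

Running `find_suspicious(SAMPLE_LOG)` flags the second and third records and leaves the Microsoft-signed storage driver alone; in a real deployment the watchlist would be tuned to the publishers actually present in the estate.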
The operational scale of these malware attacks reflects a broader pattern of sabotage activities following a persistent wave of DDoS attacks targeting essential Ukrainian governmental and financial institutions. Reports indicate that on February 15, such attacks disrupted access to crucial services, including the Ministry of Foreign Affairs and the country’s parliament. The culmination of these attacks suggests a structured effort to destabilize Ukraine’s digital infrastructure amid a chaotic geopolitical landscape.
Juan Andres Guerrero-Saade, a principal threat researcher at SentinelOne, characterized this increase in wiper malware as an alarming trend and an unfortunate escalation of cyber hostilities observed in parallel with the ongoing physical conflict. Researchers also noted that at least one instance of HermeticWiper was deployed from within a Windows domain controller, indicating that the adversaries had already gained a high level of access to the victim network.
The identity of the cyber adversaries remains undetermined, yet this incident marks the second time in 2022 that destructive malware has been unleashed against Ukrainian systems, following the earlier WhisperGate attacks. It poses serious implications for data integrity and availability, not only for the immediate targets but also for the broader regional stability.
Moreover, these disruptive events are part of an extensive cyber campaign against Ukraine that saw over a hundred cyberattacks on state institutions in January alone. Investigations have traced various DDoS attacks back to sophisticated botnets built from compromised Internet-of-Things devices, illustrating the diverse tactics employed by adversaries, as outlined in the MITRE framework’s Persistence and Credential Access categories.
In the wake of these assaults, Ukrainian law enforcement has highlighted efforts by cybercriminals to exploit the heightened tensions by selling sensitive information on dark web platforms. This troubling trend indicates an intention to profit from the chaos, further complicating the cybersecurity landscape that both state and private entities must now navigate.
As outlined by the Ukrainian Security Service (SSU), the ongoing cyber operations appear strategically designed to instill panic, distort public perception of the security situation, and undermine trust in government capabilities. The SSU’s recent statements emphasize the cumulative impact of these malicious actions as a form of hybrid warfare, contributing to both informational and operational destabilization.