Microsoft: Data wiper cyberattacks continuing in Ukraine




Microsoft warned that the group behind the “HermeticWiper” cyberattacks — a series of data-wiping malware attacks that struck numerous Ukrainian organizations on February 23 — remains an ongoing threat.

The warning came as part of an update published today by Microsoft on cyberattack activity that the company has been tracking in Ukraine.

The update largely compiles and clarifies details on a series of previously reported wiper attacks that have struck Ukrainian government and civilian organizations over the past week. But the update also implies that additional wiper attacks have been observed that are not being disclosed for now.

In particular, Microsoft indicates that as of right now, “there continues to be a risk” from the threat actor behind the HermeticWiper attacks.

The string of wiper cyberattacks has coincided with Russia’s unprovoked troop build-up, invasion and deadly assault on its neighbor Ukraine. Russia is not mentioned in the Microsoft Security Response Center (MSRC) blog update today.

The MSRC update also follows a blog post from Microsoft president Brad Smith on Monday, in which he stated that some recent cyberattacks against civilian targets in Ukraine “raise serious concerns under the Geneva Convention.”

HermeticWiper

For starters, the MSRC blog update clarifies a point of confusion: The wiper malware that has been dubbed HermeticWiper by other researchers is, in fact, the same malware as the wiper that Smith referred to as “FoxBlade” in his Monday blog post.

The initial HermeticWiper/FoxBlade attacks struck organizations “predominately located in or with a nexus to Ukraine” on February 23, Microsoft said in the blog. Other researchers have noted that HermeticWiper struck Ukrainian organizations several hours before Russia’s invasion of Ukraine.

The HermeticWiper attacks affected “hundreds of systems spanning multiple government, information technology, financial sector and energy organizations,” Microsoft said.

Most concerning, however, is Microsoft’s apparent revelation that the HermeticWiper cyberattacks did not stop on February 23. While the company did not provide specifics, Microsoft appears to be describing an ongoing risk from the threat actor behind the HermeticWiper/FoxBlade attacks.

“Microsoft assesses that there continues to be a risk for destructive activity from this group, as we have observed follow-on intrusions since February 23 involving these malicious capabilities,” the company said in the blog post update.

VentureBeat has contacted Microsoft to ask if the company can specify on what dates it has observed the other attacks involving HermeticWiper/FoxBlade, and what the date was of the most recent attack involving that wiper malware.

Microsoft did not provide any attribution for the HermeticWiper/FoxBlade cyberattacks, saying that the company “has not linked [the wiper malware] to a previously known threat activity group.”

In the wake of the wiper attacks such as HermeticWiper, the FBI and the federal Cybersecurity and Infrastructure Security Agency (CISA) several days ago issued a warning about the possibility that wiper malware observed in Ukraine might end up impacting organizations outside the country.

“Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries,” CISA and the FBI said in the advisory.

Other wipers

In the blog post update today, Microsoft said it’s also tracking two other strains of malware associated with this threat actor behind HermeticWiper. Those malware families were identified Tuesday by researchers at ESET — “HermeticWizard,” described by ESET as a worm used for spreading HermeticWiper, and “HermeticRansom,” a form of decoy ransomware. (Microsoft is referring to HermeticRansom by the name “SonicVote,” and is putting HermeticWizard underneath the FoxBlade umbrella in its naming scheme).

The MSRC blog update adds that Microsoft is aware of the wiper malware that has been named “IsaacWiper” by ESET researchers, and that was first disclosed by ESET on Tuesday. IsaacWiper — which Microsoft is referring to by the name “Lasainraw” — is a “limited destructive malware attack,” the blog update says.

In terms of IsaacWiper/Lasainraw, “Microsoft is continuing to investigate this incident and has not currently linked it to known threat activity,” the blog says.

As alluded to in the section on HermeticWiper, Microsoft characterizes the overall wiper activity in Ukraine as ongoing. The blog update notes that Microsoft “continues to observe destructive malware attacks impacting organizations in Ukraine.”

VentureBeat has reached out to Microsoft to ask if this means that the company has observed other recent wiper attacks in Ukraine, beyond the ones that are listed in the blog. VentureBeat has also asked if Microsoft can say when the last wiper attack occurred in Ukraine that it has observed.

All in all, with the wiper cyberattacks in Ukraine, “we assess the intended objective of these attacks is the disruption, degradation and destruction of targeted resources,” the updated Microsoft post says.

Targeted attacks

The mention of the attacks being “targeted” at certain resources echoes what Smith said in his post on Monday, when he stated that “recent and ongoing cyberattacks [in Ukraine] have been precisely targeted.” He noted that the use of “indiscriminate malware technology,” such as in the NotPetya attacks of 2017, has not been observed so far.

The MSRC blog update does not appear to mention several recent cyberattacks in Ukraine that Smith alluded to in his Monday post. Smith, for instance, mentioned recent cyberattacks in Ukraine against the “agriculture sector, emergency response services [and] humanitarian aid efforts.” The MSRC blog does not appear to provide details on those cyberattack incidents, since there’s no direct mention of any of those targets being affected by any of the attacks discussed in the post.

The post does note that the “WhisperGate” attack on January 13 — the first in this series of destructive malware attacks against Ukrainian organizations — did affect some non-profit organizations in Ukraine.

Microsoft does not specifically attribute any of the attacks in the blog update, saying only that “some of these threats are assessed to be more closely tied to nation-state interests, while others seem to be more opportunistically attempting to take advantage of events surrounding the conflict.”

“We have observed attacks reusing components of known malware that are frequently covered by existing detections, while others have used customized malware for which Microsoft has built new comprehensive protections,” the company said in the update.

Citing a well-known expert on cyberattacks, The Washington Post and VentureBeat reported Sunday that data-wiping malware had struck a Ukraine border control station in prior days. The wiper attack forced border agents to process refugees fleeing the country with pencil and paper, and contributed to long waits for crossing into Romania, according to the expert, HypaSec CEO Chris Kubecka.

The cyberattack on the Ukraine border control station was first reported by the Washington Post. The State Border Guard Service of Ukraine and the Security Service of Ukraine have not responded to email messages inquiring about the attack.

In his blog post Monday, in saying that some recent Ukraine cyberattacks “raise serious concerns under the Geneva Convention,” Smith referenced the international treaty that defines what are commonly referred to as “war crimes.” The Ukrainian government is a customer of Microsoft, and so are “many other organizations” in Ukraine, he noted in the blog.


VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn More