Threat actors have deployed destructive disk-wiping malware against organizations in Ukraine in order to destroy computer systems and make them unusable.
In a new Cybersecurity and Infrastructure Security Agency (CISA) alert, the agency warned of threat actors using destructive malware such as WhisperGate and HermeticWiper to target entities in Ukraine and make their devices inoperable.
On January 15, 2022, Microsoft issued a warning of destructive MBR wiper malware WhisperGate targeting Ukrainian organizations.
According to Microsoft, the malware executes when the victim’s device is powered down, then overwrites the Master Boot Record (MBR) with a ransom note. However, the note is a ploy: the malware is designed to make devices inoperable, with no way to recover them, rather than to obtain a ransom.
Earlier this year, Microsoft spotted dozens of affected systems spanning multiple government, non-profit, and information technology organizations in Ukraine.
In addition, CISA added new updates regarding the HermeticWiper threat as discovered by SentinelLabs:
“On February 23, 2022, cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record and resulting in subsequent boot failure,” CISA warned.
Moreover, Broadcom’s Symantec Threat Hunter Team released a report, ‘Disk-wiping Attacks Precede Russian Invasion’, with new updates on the related malware threats.
Symantec also added an update on February 25, 2022, on how a known Microsoft SQL Server vulnerability (CVE-2021-1636) was exploited in at least one attack.
In addition to targets in Ukraine, Symantec discovered evidence of wiper attacks against systems in Lithuania.
Readers can check out the full CISA alert to get more information on the technical details and recommended mitigations.