As Russia began its initial offensive into Ukraine, another kind of attack unfolded inside Ukrainian networks. A destructive wave of wiper malware attacks began corrupting files in hundreds of computer systems, rendering the systems themselves unusable.
Unlike ransomware and other types of malware that are designed to provide the threat actor financial gain, wiper malware, as the name implies, is built to simply ‘wipe’ or destroy the victim’s data. In this particular attack, the wiper not only corrupted files, it also destroyed the hard drive’s master boot record (MBR), which is what really caused the infected systems to fail.
The precision and coordination of this attack indicates that the malware in question was present, with a extremely good lateral network distribution for some time before this attack.
Execution is the last stage
The execution stage of a malware attack is the absolute last stage of the attack and is preceded by multiple stages which allow the malware to gain a strong foothold in the network in order to maximize the effect. In order to gain the best foothold it can, it needs to remain undetected for as long as possible. The longer it remains undetected, the stronger the foothold it can gain, increasing the amount of devastation it can cause.
This is done by implementing numerous evasion techniques to avoid detection by the victims’ security systems.
Once the malware has achieved its desired foothold, as in this case, it sits dormant and waits for a command from the C&C to trigger the attack. In this case, the Russian attackers gained strong footholds in numerous Ukrainian networks and were just waiting for the attack signal from the C&C.
The wiper malware infections were tracked by ESET and Broadcom’s Symantec, with the first wiper discovered by ESET at around 14h52 UTC or roughly 5 p.m. Ukraine local time. ESET dubbed the wiper KillDisk.NCV. Meanwhile, Symantec’s Threat Intelligence Twitter account shared the new malware’s hash, 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591, in a tweet.
Malware hashes are used to uniquely identify a specific malware. Unfortunately, there are tools that allow malware authors to “recompile” their code so that the malware retains its original functionality but changes its binary, and consequently, its hash. This makes it difficult for signature-based security tools to detect them as malware.
The target of the attacks were mostly Ukrainian financial institutions and government contractors. However, similar infections were also discovered in Latvia and Lithuania, raising fears of potential spillovers reminiscent of the 2017 NotPetya malware attack. NotPetya was believed to be also originally targeted at Ukrainian establishments, but eventually spilled over to neighboring countries and then later on spread overseas, causing damages that totaled $10 billion.
ESET’s technical analysis on KillDisk.NCV showed that the malware takes advantage of EaseUS Partition Master—a legitimate disk partitioning tool, to corrupt files and then forces the compromised system to reboot. However, since the wiper also destroys the MBR, the device never succeeds in booting into the OS, thereby rendering the device unusable. The wiper attack was preceded by a DDoS attack, presumably to serve as a distraction.
Similar to Whispergate
These characteristics are similar to the WhisperGate wiper malware that also infected Ukrainian systems earlier this year. Like KillDisk.NCV, WhisperGate also destroyed the MBR and was accompanied by a ransomware attack.
Although these cyber attacks have not been attributed to Russia, national governments must accept the fact that cyber warfare will eventually be (if it’s not already) part of every geopolitical conflict. Governments must shore up cyber defenses if they don’t want mission-critical IT systems crippled and valuable data wiped into oblivion.
But the national government can’t do it alone.
In the US, the Cybersecurity and Infrastructure Security Agency (CISA) recognizes state-sponsored cyber attacks, particularly of Russian origin, as a serious threat to critical infrastructure and is encouraging all organizations to adopt a heightened cybersecurity posture by following what it calls Shields Up Guidance in an attempt to help organizations better prepare.
When a geopolitical adversary starts to employ cyber warfare, it will be looking for vulnerabilities to exploit and organizations with weak cyber defenses will be prime targets. Thus, organizations must play their role in building a strong security posture and avoid becoming the weakest link that these adversaries can take advantage of.
How Minerva help protect against these types of attacks
As mentioned earlier in this article, in order for these attacks to be effective, they need to gain a strong foothold in the organization’s network and remain undetected for as long as possible. This means they need to employ a variety of evasion techniques in order to bypass security solutions. With Minerva, the more evasion techniques the malware uses, the easier it is for us to shut them down and prevent the attack before it even starts. This makes Minerva’s ransomware protection very effective against these types of attacks in particular.