New data-wiping malware has been spotted infecting hundreds of computers in Ukraine as Russia invades the country.
IT security companies began noticing the malware on Wednesday, Feb. 23, ahead of the Thursday morning Russian invasion. The malware, dubbed HermeticWiper, is designed to both erase Windows devices and corrupt the system, preventing the OS from loading.
In an email, security firm ESET said it's seen hundreds of machines affected in several organizations across Ukraine thus far, but there are likely more sites. "It is assumed the data was destroyed; the malware appears to be very effective," ESET said.
Symantec, on the other hand, said the malware has been targeting "organizations in the financial, defense, aviation, and IT services sectors."
HermeticWiper corrupts a Windows PC’s master boot record, which tells the computer how to load the OS, according to IT security firm SentinelOne. It does this by leveraging legitimate drivers from EaseUS Partition Master, a free program, to corrupt a computer's hard drives. The malware itself is also signed with a digital certificate from an obscure company in Cyprus called “Hermetica Digital Ltd,” which SentinelOne suspects may be a shell company or a defunct firm.
"Initial indications suggest that the attacks may have been in preparation for some time," Symantec added, citing early evidence showing the hacker behind the malware had broken into the Ukrainian organizations' IT networks months before.
In one case, the hackers infiltrated a Ukrainian organization’s network on Dec. 23 by exploiting Microsoft Exchange Server to steal a login credential. Symantec has also spotted the hackers deploying ransomware at the same time as HermeticWiper, probably as a decoy to
Read more on pcmag.com