ESET discovers wiper malware used against hundreds of Ukrainian PCs


Security firm ESET says it has discovered malware that deletes data from Ukrainian computers. Systems were reportedly infected with the wiper malware weeks ago, but it is only striking now.

ESET says that it first detected the attacks on Wednesday. The wiper malware is said to have struck in "several hundred cases". Besides ESET, Symantec also says it is seeing attacks with similar malware, although it is not known whether these are the same attacks. Both companies have many customers in Ukraine. Much is still unknown about the attacks; for example, their exact scope and how the malware works are not yet clear.

ESET calls the malware HermeticWiper. This appears to be a different attack from the one at the end of January, when Ukrainian systems were also hit by malware that made files unusable. Security researchers called that attack WhisperGate. HermeticWiper abuses drivers from the EaseUS Partition Master software, says ESET. The malware makes files on the PC useless and then reboots the system. According to another researcher, the malware renders the Master Boot Record useless, preventing the entire computer from booting.

ESET says timestamps indicate that, at least in some cases, the malware had been on the system for at least two months before it struck. The company says it has seen at least one case in which the malware got in through a domain policy from an infected Active Directory server.

The researchers do not attribute the malware to a specific attacker, but it is likely that the attack was carried out by Russia. That country invaded Ukraine on Thursday morning. Russia has also been targeting Ukraine with cyber attacks for years: in 2015 Ukraine's electrical grid was shut down, and later came the NotPetya ransomware. Last week, Ukraine was also hit by DDoS attacks. According to experts, this disruption is part of the Russian plan for an invasion.
