Attackers had impersonated a Cypriot firm to get DigiCert to issue them the keys to the Ukraine cyber kingdom beforehand.
The first cyberattack began a few hours before the invasion, following distributed denial-of-service attacks against major Ukrainian websites earlier that day.
Malware attacks against Ukraine had been planned long before the Russian invasion, according to forensic evidence.
As the Russian invasion started, a second destructive attack against a Ukrainian governmental network was launched using wiper malware.
The chain of events was as follows, according to ESET researchers:
- On 23 February, a destructive campaign using HermeticWiper, HermeticWizard and HermeticRansom targeted multiple Ukrainian organizations. This cyberattack preceded the start of the Russian invasion of Ukraine by a few hours.
- The naming prefix ‘Hermetic’ is derived from the name of the Cypriot company to which the code-signing certificate was issued. According to a report by Reuters, it seems that this certificate was not stolen from the firm Hermetica Digital. Instead, it is likely that the attackers impersonated the Cypriot company in order to obtain the certificate from DigiCert. ESET Research has asked DigiCert, the issuing CA, to revoke the certificate immediately.
- In the case of HermeticWiper, artifacts of lateral movement inside the targeted organizations indicate that attackers likely took control of an Active Directory server. A custom worm (later dubbed HermeticWizard) was used to spread the wiper across the compromised networks.
- HermeticWiper wipes itself from disk by overwriting its own file with random bytes. This anti-forensic measure is likely intended to hinder analysis of the wiper during post-incident investigation. HermeticWiper is propagated inside compromised local networks by the custom worm dubbed HermeticWizard.
- The decoy ransomware HermeticRansom was deployed at the same time as HermeticWiper, potentially in order to hide the wiper’s actions.
- On 23 February, a second destructive attack against a Ukrainian governmental network started, via a wiper dubbed IsaacWiper. ESET is currently assessing its links, if any, with HermeticWiper. IsaacWiper was detected in a Ukrainian governmental organization that was not affected by HermeticWiper. IsaacWiper appeared in ESET telemetry on 24 February. The oldest PE compilation timestamp found was 19 October 2021, meaning that if its PE compilation timestamp was not tampered with, IsaacWiper may have been used in previous operations months earlier.
- On 25 February, attackers dropped a new version of IsaacWiper with debug logs, which may indicate that the attackers were unable to wipe some of the targeted machines and had added log messages to understand what was happening. For lateral movement inside the network, the IsaacWiper operators used RemCom (a remote access tool) and possibly Impacket.
The firm’s Head of Threat Research, Jean-Ian Boutin, noted with high confidence that the affected organizations were compromised well in advance of the wiper’s deployment. “This is based on several facts: the HermeticWiper PE compilation timestamps, the oldest being December 28, 2021; the code-signing certificate issue date of April 13, 2021; and the deployment of HermeticWiper through the default domain policy in at least one instance, suggesting the attackers had prior access to one of that victim’s Active Directory servers.”
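The reasoning in the two preceding points (the IsaacWiper compilation timestamp of October 2021 and the HermeticWiper timestamps and certificate issue date cited by Boutin) rests on comparing a binary's PE compile timestamp with the code-signing certificate's issue date and the date the sample was first observed. The following script is an added illustration of that triage step, written for this article and not taken from ESET or from the malware itself: it reads the COFF `TimeDateStamp` from a PE header and reports how far in advance the binary and the certificate were prepared. The 30-day threshold, the stub PE built by `build_stub_pe`, and the use of midnight UTC for the article's dates are assumptions made for the example; the stub is not a runnable executable, only enough header to carry a timestamp.

```python
"""Triage helper: extract a PE's compile timestamp and compare it with the
code-signing certificate issue date and the first-seen telemetry date.

Added example for this article; not ESET's code and not derived from the
samples discussed. Dates used below are the ones quoted in the article."""
import struct
from datetime import datetime, timezone

# Assumption for this example: a binary compiled at least this many days before it
# was first seen is treated as evidence of advance preparation (pre-positioning).
PREPOSITIONING_DAYS = 30


def utc(year: int, month: int, day: int) -> datetime:
    """Midnight UTC for a calendar date (keeps the example free of tz mistakes)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def build_stub_pe(timestamp: int) -> bytes:
    """Construct a minimal MZ/PE header carrying the given TimeDateStamp.

    This is a constructed test fixture, not an executable: just the DOS stub with
    e_lfanew at 0x3C, the PE\\0\\0 signature and the start of the COFF file header."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature offset
    # COFF header: Machine (2), NumberOfSections (2), TimeDateStamp (4), then padding
    coff = struct.pack("<HHI", 0x8664, 0, timestamp) + bytes(12)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_timestamp(pe_bytes: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    # TimeDateStamp sits 4 bytes into the COFF header, after Machine and NumberOfSections.
    (stamp,) = struct.unpack_from("<I", pe_bytes, e_lfanew + 4 + 4)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def assess_timeline(compiled: datetime, cert_not_before: datetime,
                    first_seen: datetime) -> dict:
    """Compare build, certificate and first-seen dates and return lead times plus flags.

    A compile timestamp later than first_seen cannot be genuine (the field is
    trivially editable), so it is flagged rather than treated as a lead time."""
    flags = []
    compile_lead = (first_seen - compiled).days
    cert_lead = (first_seen - cert_not_before).days

    if compile_lead < 0:
        flags.append("compile_timestamp_after_first_seen")   # forged or tampered stamp
    elif compile_lead >= PREPOSITIONING_DAYS:
        flags.append("prepositioned_binary")                 # built well before use
    if cert_lead < 0:
        flags.append("certificate_issued_after_first_seen")  # inconsistent evidence
    elif cert_lead >= PREPOSITIONING_DAYS:
        flags.append("certificate_obtained_in_advance")      # signing capability held long before use

    return {"compile_lead_days": compile_lead, "cert_lead_days": cert_lead, "flags": flags}


if __name__ == "__main__":
    # Dates as quoted in the article: oldest HermeticWiper build 28 Dec 2021,
    # certificate issued 13 Apr 2021, campaign observed 23 Feb 2022.
    sample = build_stub_pe(int(utc(2021, 12, 28).timestamp()))
    built = pe_compile_timestamp(sample)
    print(built.date(), assess_timeline(built, utc(2021, 4, 13), utc(2022, 2, 23)))
```

Run stand-alone, the script reports a 57-day gap between build and first sighting and a 316-day gap between certificate issuance and first sighting, which is the arithmetic behind the "compromised well in advance" conclusion. On real samples the same check should be paired with the signature's own signing time (the Authenticode countersignature) where present, since the header timestamp alone is under the author's control.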
The attacks could not be attributed to any known threat actor, because the samples show no significant code similarity with anything in the firm’s malware database.