Digital Sleuths Track Clues in Hacks on Ukrainian Government, Banks

(Bloomberg) -- As missiles landed in Ukraine on Thursday morning, the country’s cybersecurity defenders were already hard at work. Prior to the Russian military invasion, hackers had launched a series of attacks aimed at disrupting Ukrainian government websites as well as banking, defense, and aviation services.

Most Read from Bloomberg

• Teen Who Tracked Elon Musk’s Jet Is Now Chasing Russian Tycoons

• China Spy Think Tank Advising Xi Predicts Russia Sanctions Will Backfire

• Microsoft Says Son of CEO Satya Nadella Has Died at 26

• Russia Steps Up Aerial Campaign Against Cities: Ukraine Update

• Belarus Preparing to Send Soldiers, Report Says: Ukraine Update

Ukraine’s State Service of Special Communication and Information Protection said it had observed on Wednesday phishing attacks on public authorities and critical infrastructure, as well as attempts to penetrate private sector networks. It said it had “unambiguously” identified Russian special services as being behind some of the efforts.

Specialists working for Ukraine’s government worked overnight to assist some of the affected companies and government departments, according to two people involved in the work.

Researchers at the cybersecurity firm ESET LLC said they identified more than three Ukrainian organizations that were targeted on Wednesday with a destructive malware, named “HermeticWiper,” designed to corrupt computers and render them inoperable. The malware had infected a few hundred computers at those organizations, according to Jean-Ian Boutin, ESET’s head of threat research.

“This was not a widespread attack. They pinpointed specific organizations and then went in and deployed the malware,” said Boutin, who declined to name the specific organizations affected. “The fact that this happened a few hours before the full-scale invasion, it leads us to believe these organizations were targeted for a reason.”

EXPLAINER: Cyberwar, How Nations Attack Without Bullets or Bombs

The hacking tool is also capable of wiping data from affected devices, a similar capability to hacking tools that Microsoft Corp. detected in malware used against Ukrainian agencies in January.

Researchers at Symantec, a division of Broadcom Software, said that they had identified HermeticWiper malware on Wednesday targeting organizations in the financial, defense, aviation, and IT services sectors. In some cases, they said, hackers had simultaneously deployed ransomware on computers to trick victims into believing they were being extorted by criminals, when in fact the only goal was to sabotage computers.

Vikram Thakur, technical director at Symantec, said the company had identified three organizations that were hacked. One organization in Ukraine had about 50 computers infected with the destructive malware, he said. Two companies in Latvia and Lithuania – each with strong links to Ukraine and its government – had dozens of their computers breached.

There were signs the attacks had been planned several months ago, Thakur said.

Evidence suggested the Lithuanian organization had been hacked in November 2021, he said, meaning the hackers may have been waiting patiently inside its systems to activate their malware in a coordinated attack.

“The service that these organizations provide is of high value to the Ukrainian government,” Thakur said. “Targeting them is probably intended to cause longer-term disruption.”

The malware’s code was digitally signed with a certificate issued last year to a company named Hermetica Digital Ltd., according to several cybersecurity companies including ESET and Symantec. The firm shares a registered office in Nicosia, Cyprus with an art and cakes business, according to company records. Hermetica Digital couldn’t be reached for comment.

Thakur said he believed the company’s code signing certificate may have been leaked or stolen as it had previously been used to sign other files, almost all of which were unrelated to the hacking campaign in Ukraine. Researchers at cybersecurity firm SentinelOne Inc. wrote in a blog post that it was possible that the attackers had “used a shell company or appropriated a defunct company to issue this digital certificate.”

Some cybersecurity experts said the malware was basic and unsophisticated, which they warned could be a sign that worse is yet to come.

“As a nation-state sponsored group you don’t always want to use your heaviest machinery at first,” said Amit Serper, director of security research at Akamai Technologies Inc. “If all you want to do is corrupt some drives and make computers not work, there is no need to use the best weapons in your arsenal. Something quick and dirty that gets the job done will have the same effect.”

“It is quite an ominous sign,” said Serper. “But they are already bombarding buildings with rockets. So some malware that corrupts computers is maybe not the most ominous thing that is going on here.”

The Russian government has consistently denied involvement in malicious cyber activity.

Most Read from Bloomberg Businessweek

• Tech Giants Stage Their First All-Out Brawl in the Metaverse

• The Metaverse Finally Has a Killer App: Poker

• Wall Street’s Risky ‘Razor Blade’ Trade Is Making a Comeback

• How Google-Style Perks Help Japan’s Carmakers Attract Engineers

• A Pandemic Baby Bump Shines a Spotlight on the Nordic Welfare Model

©2022 Bloomberg L.P.