Russia Deploys Indiscriminate Cyber Weapons Against Internet
Updated: Mar 28
Of the fallout from the Russian invasion of Ukraine, probably the most pressing to the wider cyber world is the fact that this is the very first real-world usage of actual hybrid warfare, including full tilt cyberwarfare actions.
Russian state-sponsored cyber-attacks are known to be on the whole indiscriminate and wide-reaching. An example of this is the NotPetya or GoldenEye ransomware worm released against Ukraine back in 2017, which spread via supply chain channels to many organisations outside Ukraine including the UK NHS. Notably, NotPetya was designed to look like ransomware, whilst having no functional way of retrieving any data. For example, no key was ever sent to a central ransom server, and the bitcoin wallet used in the ransom notes was not unique to each attack… meaning that no transaction could be attributed to any victim, and no decryption could be afforded anyway.
Well, it looks like the Russians are at it again, and recent reports indicate their malware of mass destruction looks to be even less disguised and even more overtly aggressive. As of the 23rd of February, a few hours prior to the initiation of the invasion, a new ransomware triad appeared on many Ukrainian servers. Dubbed HermeticWiper, HermeticWizard, and HermeticRansom, the Hermetic family appears to be a toolkit allowing for both surgical elimination of servers and services, and also widespread indiscriminate destruction of computer systems.
HermeticWiper is the main course of the three, a piece of malware that harks back to the early days of malware in the mid to late nineties… namely in that it does not bother encrypting anything, it just wipes the hard drive, making it impossible to boot or recover the operating system and then forcibly crashing the host. This activity is hidden by HermeticRansom, a fake ransomware program that creates all the artefacts of a ransomware attack, including a frontend that has instructions for paying the ransom… only for the computer system to then be destroyed.
HermeticWiper and HermeticRansom are deployed by attackers using on-keyboard attacks… usually with stolen passwords or weak credentials that have been cracked. It’s also noteworthy that they are primarily deployed (at the moment) against Ukrainian organisations. However, it’s HermeticWizard that makes this all the more interesting. HermeticWizard works a lot like NotPetya, in that it scrapes legitimate credentials and attempts to use them to migrate from one computer to another, spreading to any machine it can get access to. When it gets there, it scrapes more credentials, seeks out other victims, and deploys the other members of the Hermetic family.
This presents a problem, as any poorly secured supply chain can become a passageway through which HermeticWizard can travel between companies. This means that the same kind of widespread damage that NotPetya caused could feasibly happen at any time. This is tempered by the fact that, as far as anyone has seen thus far, HermeticWizard does not have any zero-day migration systems like NotPetya did… but that doesn’t mean it won’t.
To make this problem worse, in recent days another Wiper class malware has appeared, also in Ukrainian systems, called IssacWiper. IssacWiper is far less sophisticated than the Hermetic family, in that it doesn’t pretend and doesn’t have advanced migration and lateral movement systems… but it does point out that Russia has an arsenal of cyberweapons they are all too happy to use, to the detriment of the entire internet.
We can’t and don’t know if more sophisticated and dangerous malware exists in the Russian cyberweapon arsenal. We don’t know if or when those weapons will be used, and we also don’t know who they will be used against. It’s very possible that Russia will retaliate over the internet against a West that has shut down the Russian economy, after all, it’s just computers, not real warfare, and not something that is easily attributable to any one nation. All organisations should be seeking to strengthen all of their security controls now, addressing all aspects of visibility, policy, and human training. We may not be the target, but with the indiscriminate nature that tends to be a feature of Russian cyber weapons, we may not need to be for it to greatly affect us.