Microsoft: Data wiper cyberattacks continuing in Ukraine



Microsoft warned that the group behind the “HermeticWiper” cyber attack – a series of data-wiping malware attacks that hit a number of Ukrainian institutions on February 23 – remains a continuing threat.

The warning comes as part of an update released today by Microsoft on cyber attack activity that the company is tracking in Ukraine.

The update largely compiles and clarifies details on a series of previously reported wiper attacks that have hit the Ukrainian government and civil society in the past week. But the update also indicates that additional wiper attacks have been observed that have not been made public for now.

In particular, Microsoft suggests that “the risk continues” from the threat actor behind the HermeticWiper attack.

The series of wiper cyber attacks coincides with Russia’s unprovoked military build-up, aggression and deadly attacks on its neighbor Ukraine. Russia is not mentioned in today’s Microsoft Security Response Center (MSRC) blog update.

The MSRC update also follows a blog post by Microsoft President Brad Smith on Monday, in which he said that some recent cyber attacks against civilian targets in Ukraine “raise serious concerns under the Geneva Conventions.”

HermeticWiper

For starters, the MSRC blog update clarifies a point of confusion: the wiper malware that other researchers call HermeticWiper is, in fact, the same malware that Smith referred to as “FoxBlade” in his Monday blog post.

Microsoft said in the blog post that the initial HermeticWiper / FoxBlade attacks on February 23 targeted organizations “primarily in Ukraine or its affiliates.” Other researchers have noted that HermeticWiper hit Ukrainian institutions just hours before Russia’s invasion of Ukraine.

Microsoft said the HermeticWiper attacks “have affected hundreds of systems across multiple government, information technology, financial sector and energy institutions.”

Perhaps most worrying, however, is Microsoft’s apparent revelation that the HermeticWiper cyber attacks did not stop on February 23. While the company did not provide specifics, Microsoft appears to be describing an ongoing threat from the threat actor behind the HermeticWiper / FoxBlade attack.

“Microsoft assesses that there is a risk of destructive activity from this group, as we have observed follow-on intrusions involving these malicious capabilities since February 23,” the company said in a blog post update.

VentureBeat contacted Microsoft to ask whether the company could specify if it had observed other attacks involving HermeticWiper / FoxBlade, and what the date of the most recent attack involving wiper malware was.

Microsoft has not provided any attribution for the HermeticWiper / FoxBlade cyber attacks, saying the company does not “link [the wiper malware] to a previously known threat activity group.”

In the wake of the HermeticWiper attacks, the FBI and the federal Cybersecurity and Infrastructure Security Agency (CISA) issued warnings about the possibility that wiper malware found in Ukraine could affect organizations outside the country.

“Ukraine is prone to more disruptive cyber attacks against organizations, which could inadvertently spread to organizations in other countries,” the CISA and FBI advisory said.

Other wipers

In the blog post update today, Microsoft said it is also tracking two other strains of malware associated with the threat actor behind HermeticWiper. Those malware families were identified on Tuesday by researchers at ESET: “HermeticWizard,” which ESET described as a worm used to spread HermeticWiper, and “HermeticRansom,” a form of decoy ransomware. (Microsoft refers to HermeticRansom by the name “SonicVote” and places HermeticWizard under the FoxBlade umbrella in its naming scheme.)

The MSRC blog update adds that Microsoft is aware of the wiper malware dubbed “IsaacWiper” by ESET researchers, which was first disclosed by ESET on Tuesday. IsaacWiper – which Microsoft calls “Lasainraw” – is a “limited destructive malware attack,” the blog update says.

In reference to IsaacWiper / Lasainraw, “Microsoft continues to investigate this incident and does not currently associate it with known threat activity,” the blog says.

As noted in the HermeticWiper section, Microsoft describes the overall wiper activity in Ukraine as ongoing. The blog update notes that Microsoft “continues to observe destructive malware attacks affecting organizations in Ukraine.”

VentureBeat has reached out to Microsoft to ask whether this means the company has seen more recent wiper attacks in Ukraine than it has listed in the blog. VentureBeat also asked whether Microsoft could say when it last observed a wiper attack in Ukraine.

Overall, regarding the wiper cyber attacks in Ukraine, “we assess that these attacks are aimed at disruption, degradation and destruction of targeted resources,” the updated Microsoft post says.

Targeted attacks

The reference to “targeted” attacks on certain resources echoes what Smith said in his post on Monday, when he said that “recent and ongoing cyber attacks [in Ukraine] have been specifically targeted.” He noted that the use of “indiscriminate malware technology,” such as the 2017 NotPetya attack, has not been seen so far.

The MSRC blog update does not mention some of the recent cyber attacks in Ukraine that Smith pointed to in his Monday post. Smith, for example, cited recent cyber attacks on Ukraine’s “agricultural sector, emergency response services [and] humanitarian aid efforts.” The MSRC blog does not appear to provide details on those cyber attacks, as there is no direct mention of any of those targets being affected by any of the attacks discussed in the post.

The post does note that the “WhisperGate” attack on January 13 – the first in the series of destructive malware attacks against Ukrainian institutions – affected some non-profit organizations in Ukraine.

Microsoft does not specifically attribute any of the attacks in the blog update, stating only that “some of these threats are assessed to be more closely linked to nation-state interests, while others appear to be making more opportunistic attempts to take advantage of the events surrounding the conflict.”

The company said in the update that “we have observed attacks reusing components of known malware that are frequently covered by existing detections, while others have used customized malware for which Microsoft has created new comprehensive protections.”

Citing a well-known cyber attack expert, The Washington Post and VentureBeat reported on Sunday that data-wiping malware had struck a Ukrainian border control station in recent days. According to HypaSec CEO Chris Kubecka, the wiper attack forced border agents to process refugees fleeing the country with pencil and paper, and contributed to the long waits to cross into Romania.

The cyber attack on the Ukraine border control station was first reported by the Washington Post. Ukraine’s State Border Guard Service and Ukraine’s security service did not respond to emails inquiring about the attack.

In his blog post on Monday, Smith referred to the international treaty that commonly defines “war crimes,” saying that some of the recent cyber attacks in Ukraine “raise serious concerns under the Geneva Conventions.” The Ukrainian government, along with “many other entities” in Ukraine, is a Microsoft customer, he noted in the blog.