Another new form of destructive wiper malware has been identified after it was used in attacks against Ukrainian organisations before and during Russia’s invasion of Ukraine.
Researchers at cybersecurity company ESET have detailed malware they’ve named IsaacWiper, which was used in an attack against a Ukrainian government network just before Russia sent troops into Ukraine. A new version of the malware was launched in additional attacks the next day.
The discovery of IsaacWiper follows the discovery of other destructive malware, HermeticWiper, which was also used in cyber attacks against organisations in Ukraine ahead of the invasion. IsaacWiper was used in attacks against a network that was not affected by HermeticWiper.
Researchers note that neither IsaacWiper nor HermeticWiper has yet been attributed to any known cyber threat group, due to a lack of significant code similarities with other samples of malware. It’s also still unknown if there are any links between the two pieces of malware.
What ESET researchers have identified are details in IsaacWiper’s code which suggest that, despite only being used in attacks from February 24th, it has been available since October – meaning it could’ve been developed months before the attacks against Ukraine and could also have been used in earlier campaigns.
It’s currently unknown how IsaacWiper is delivered to victim machines, although researchers note that RemCom, a remote access tool, has been deployed at the same time as IsaacWiper malware attacks. It’s also suggested that the attackers are finding a way to move laterally around networks in order to spread malware.
No matter how the malware was spread, it’s suspected that the attackers infiltrated the target networks some time before IsaacWiper was delivered.
“ESET researchers assess with high confidence that the affected organisations were compromised well in advance of the wiper’s deployment,” said Jean-Ian Boutin, ESET head of threat research.
The nature of the wiper means it’s designed to destroy networks and files, but it’s possible that those behind the attacks didn’t hit all their targets on the first attempt, because on 25 February attackers dropped a new version of IsaacWiper.
ESET suggests that the reason behind this might be that the attackers weren’t able to successfully wipe some of the targeted machines and added log messages to understand what happened.
In an attempt to defend Ukrainian organisations and networks from offensive cyber attacks, the Ukrainian government is calling for volunteers to aid with cybersecurity.
Cybersecurity agencies around the world have also urged organisations to ensure their networks are protected against potential cyber attacks related to the invasion of Ukraine.