Emerging Threats

Russia | Ukraine: Cyber Attacks

· u145 · 4 min read

What is unfolding between Russia and Ukraine on the military front is finding direct correspondence in cyberspace. In the weeks preceding active military operations, we observed multiple cyber attacks targeting Ukrainian companies and government institutions.

The attack types identified to date fall into three categories:

  • DDoS attacks — aimed at taking Ukrainian institutional websites and portals offline
  • Ransomware and Wiper attacks — designed to destroy and sabotage infrastructure (HermeticWiper and PartyTicket)
  • Malware / Spyware / Trojan attacks — targeting infrastructure access (no public attribution confirmed at this time)

Over the past several years, offensive groups associated with the Russian government have demonstrated consistent proficiency across the following ATT&CK tactics:

  • Initial Access: Office 365 Brute Force (T1110); VPN Exploitation; Spearphishing Email (T1566.001)
  • Credential Access: ntds.dit dump from Domain Controller (T1003.003)
  • Discovery: BloodHound (T1069, T1087)


Russia — Intelligence and APT Groups

Public Information on the Wiper

The wiper’s name derives from the code-signing certificate the threat actor used to sign the executable. The certificate was issued to Hermetica Digital Ltd — a shell company or defunct entity. It was revoked after the first public malware analysis reports appeared:

Revoked signature detail in a HermeticWiper sample

Attack Dynamics

The wiper was deployed into target infrastructures via a GPO (Group Policy Object) pushed from a Domain Controller — distributing the malicious payload to both servers and workstations simultaneously (T1484.001 — Group Policy Modification).

This deployment method presupposes prior persistent access to the environment, obtained through one of the following vectors:

  • Trojan implant (T1059)
  • VPN credential abuse (T1078)
  • Perimeter system vulnerability exploitation (T1190)

In several incidents, deployment of the PartyTicket Ransomware was observed alongside the wiper — high-confidence assessment based on public sample analysis.

HermeticWiper — Details

The earliest samples of this wiper were identified on the afternoon of 2022-02-23. However, the file compilation timestamp traces back to 2021-12-28 — the probable date of tooling production, indicating pre-planned operational preparation.

The malware’s primary function is to overwrite the first 512 bytes of the Master Boot Record (MBR) on all connected storage devices, preventing system boot after shutdown (T1561.002 — Disk Structure Wipe).

The malware temporarily installs a system driver and service, and modifies registry keys — for example, setting SYSTEM\CurrentControlSet\Control\CrashControl CrashDumpEnabled to 0 to disable crash dumps prior to driver execution (T1112 — Modify Registry).

The driver leveraged (empntdrv.sys) is sourced from EaseUS Partition Manager — legitimate software abused to enumerate partition information and initiate wiping operations (T1553.002 — Code Signing, legitimate driver abuse).
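Added example (not code from the original post or from any product it mentions): a small detection routine that flags the pre-wipe sequence this section describes (CrashDumpEnabled set to 0 under CrashControl, then the EaseUS empntdrv.sys driver installed as a service) on constructed Sysmon-style events, plus a check of whether a captured first sector still carries the MBR boot signature. Event field names, host names and the service name are assumptions.

```python
# Added example (not from the original post): detection logic for the
# HermeticWiper behaviours described above, run over constructed telemetry.
# Event field names, the host names and the service name are assumptions.

CRASHCONTROL_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl"

# Constructed Sysmon-style records, not real captured logs.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "registry_set", "key": CRASHCONTROL_KEY,
     "value": "CrashDumpEnabled", "data": 0},
    {"host": "WS01", "type": "service_create", "name": "constructed-svc",
     "image": r"C:\Windows\System32\drivers\empntdrv.sys"},
    {"host": "WS02", "type": "registry_set", "key": CRASHCONTROL_KEY,
     "value": "CrashDumpEnabled", "data": 1},  # benign: dumps re-enabled
]

def suspicious_events(events):
    """Map host -> list of matched indicators (T1112 and driver abuse)."""
    hits = {}
    for ev in events:
        found = hits.setdefault(ev["host"], [])
        if (ev["type"] == "registry_set"
                and ev["key"].upper() == CRASHCONTROL_KEY.upper()
                and ev["value"] == "CrashDumpEnabled" and ev["data"] == 0):
            found.append("T1112: crash dumps disabled")
        if (ev["type"] == "service_create"
                and ev["image"].lower().endswith("empntdrv.sys")):
            found.append("T1553.002: EaseUS driver installed as a service")
    return hits

def hosts_with_chain(events):
    """Hosts where both indicators fire, i.e. the pre-wipe sequence."""
    return sorted(h for h, inds in suspicious_events(events).items()
                  if len(set(inds)) >= 2)

def mbr_wiped(sector0: bytes) -> bool:
    """True when the first 512 bytes no longer carry the 0x55AA boot
    signature at offset 510, consistent with a T1561.002 MBR overwrite."""
    return len(sector0) < 512 or sector0[510:512] != b"\x55\xaa"

# Constructed sectors: a plausible intact MBR layout and a zero-filled one.
INTACT_MBR = b"\xfa\x33\xc0" + b"\x90" * 443 + b"\x00" * 64 + b"\x55\xaa"
WIPED_MBR = b"\x00" * 512

if __name__ == "__main__":
    print("hosts with wiper-like chain:", hosts_with_chain(SAMPLE_EVENTS))
    print("intact MBR wiped?", mbr_wiped(INTACT_MBR))
    print("zeroed MBR wiped?", mbr_wiped(WIPED_MBR))
```

In production the same two-stage correlation would be fed from Sysmon Event ID 13 (registry value set) and System log Event ID 7045 (service installed) rather than from inline dictionaries.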

Indicators of Compromise


Pre-positioned wiper tooling with a six-week lead time between compilation and deployment confirms that destructive capability in state-sponsored operations is prepared in advance of the kinetic trigger.