Cybersecurity researchers from the Microsoft Threat Intelligence Center (MSTIC) have observed that organizations in Ukraine and Poland were hit by two separate campaigns: one deployed the disk-wiping malware HermeticWiper, the other a ransomware strain called Prestige.
“Despite the use of similar deployment techniques, the [Prestige] campaign differs from the recent destructive attacks […] Foxblade (HermeticWiper), which impacted many critical infrastructure organizations in Ukraine in the last two weeks,” the researchers explain.
“MSTIC has not yet linked this ransomware campaign to a known threat group and continues the investigation.”
Links to Russia
In some cases the victim organizations overlap, but Microsoft's researchers are not yet convinced that both campaigns are the work of the same threat actor.
For now, Microsoft is tracking the group behind Prestige as DEV-0960; the DEV- prefix is Microsoft's temporary designation for an activity cluster that has not yet been attributed to a named actor.
There is, however, circumstantial evidence that the attackers have ties to the Kremlin: HermeticWiper was first sighted in the wild the day before Russia's invasion of Ukraine, and it was deployed against Ukrainian entities.
The researchers do not yet know how the attackers gained initial access to the target networks, or whether malware was involved at that stage. What they do know is that, once inside, the attackers used two remote execution tools, RemoteExec and Impacket's WMIexec, to run commands on the compromised endpoints.
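The wmiexec tooling named above leaves a recognisable footprint in process-creation telemetry, which is what a defender reading this would want to hunt for. The following detection script is an added example written for this page; it is not code from Microsoft, The Register, or the Impacket project. It assumes Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine, Computer) and keys on two facts about Impacket's wmiexec.py: the command is spawned through WMI, so its parent is WmiPrvSE.exe, and by default the command is wrapped as `cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<unix-time> 2>&1` so that output can be read back over SMB. The sample events are constructed, not real telemetry. The rule also flags any shell spawned by WmiPrvSE.exe without that redirect as a lower-confidence triage item, since other WMI-based lateral movement (and RemoteExec-style agentless tools) produce that weaker signal too.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Impacket's wmiexec.py executes each command on the target through WMI
# (Win32_Process.Create), so the child process is spawned by WmiPrvSE.exe.
# By default it wraps the operator's command as
#     cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<unix-time> 2>&1
# and reads the output file back over SMB. The redirect into an admin share
# via an IP address is the distinctive artifact matched here (the share can
# be changed with -share, so any <letters>$ share is accepted).
ADMIN_SHARE_REDIRECT = re.compile(
    r"1>\s*\\\\[\d.]+\\\w+\$\\__\d+(?:\.\d+)?\s+2>&1",
    re.IGNORECASE,
)

# Shells that WmiPrvSE.exe should rarely spawn on its own outside admin tooling.
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")


def classify(event: Dict[str, str]) -> str:
    """Label one process-creation event (Sysmon Event ID 1 style field names).

    Returns:
      "wmiexec"           - WmiPrvSE.exe child whose command line carries the
                            wmiexec output redirect; high confidence.
      "wmi_spawned_shell" - WmiPrvSE.exe spawned a shell without that redirect;
                            lower confidence, worth triage.
      "benign"            - anything else.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if not parent.endswith("\\wmiprvse.exe"):
        return "benign"
    if ADMIN_SHARE_REDIRECT.search(cmdline):
        return "wmiexec"
    if image.endswith(SHELLS):
        return "wmi_spawned_shell"
    return "benign"


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (label, host, command line) for every event that is not benign."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label != "benign":
            hits.append((label, ev.get("Computer", "?"), ev.get("CommandLine", "")))
    return hits


# Constructed sample events (not real telemetry), using Sysmon Event ID 1 names.
SAMPLE_EVENTS = [
    {   # wmiexec default invocation: output redirected into ADMIN$ over loopback
        "Computer": "fileserver01",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1665500000.12 2>&1",
    },
    {   # WMI-launched PowerShell with no redirect: not wmiexec, still worth a look
        "Computer": "fileserver01",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgA",
    },
    {   # ordinary interactive shell with a local redirect: benign
        "Computer": "ws-042",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c dir 1> C:\temp\out.txt 2>&1",
    },
    {   # WMI-spawned non-shell binary (e.g. an inventory agent): benign by this rule
        "Computer": "ws-042",
        "Image": r"C:\Program Files\Inventory\agent.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"agent.exe --report",
    },
]


if __name__ == "__main__":
    for label, host, cmd in scan(SAMPLE_EVENTS):
        print(f"{label:18} {host:14} {cmd}")
```

Running the script against the constructed events prints the first two as `wmiexec` and `wmi_spawned_shell` and stays silent on the other two. The high-confidence pattern is stable across Impacket versions because it is how wmiexec gets command output back without a network listener; an operator who passes `-nooutput` or a custom share will only trip the weaker parent-process rule, which is why both are kept.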
“The threat landscape in Ukraine is still evolving, and wipers and destructive attacks are a constant theme,” Microsoft said. “Ransomware and wiper attacks rely on many of the same security weaknesses to be successful.”
Endpoint detection and response (EDR) and anti-ransomware tooling may offer some mitigation of the damage from this new threat.
Via: The Register