CyberArk Labs’ comment on the wiper attack on Ukraine

Lavi Lazarovitz, Head of Security Research at CyberArk Labs, commented on the wiper attack on Ukraine. The wiper malware, called HermeticWiper, was tracked by CyberArk Labs, who identified specific characteristics of the malware itself. Some of these elements make the malware truly unique. Let’s see the details.

CyberArk Labs comments on the wiper attack on Ukraine

According to Lazarovitz: “Wiper distribution does not appear to exploit supply chain vulnerabilities or other super-spreading techniques.” As a result, the expert points out, the infection will not quickly spread to other geographic areas. According to CyberArk, the ransomware was distributed using Active Directory Group Policy. This means that the attackers had privileged access to AD.

How the malware is configured

Notably, Lazarovitz points out that in the wiper attack against Ukraine the malware seems to be configured to: “keep the domain running and allow the ransomware to use valid credentials to authenticate to servers and encrypt them”. This detail confirms that the attackers use compromised identities to access the network and/or to move laterally.

It should be noted that HermeticWiper is also considered a sensitive threat by the Italian Cybersecurity Agency. The attack that hit computer systems in Ukraine also raises concern about possible further attacks. The war is now fought in cyberspace as well as on traditional fronts.

Walker Ronnie is a tech writer who keeps you informed on the latest developments in the world of technology. With a keen interest in all things tech-related, Walker shares insights and updates on new gadgets, innovative advancements, and digital trends. Stay connected with Walker to stay ahead in the ever-evolving world of technology.