Explained | The Hermetic Wiper malware that targeted Ukraine

Several Ukrainian computers and websites faced cyberattacks by a destructive data-wiper malware hours before Russia began its military assault in the country

February 27, 2022 05:54 pm | Updated 05:57 pm IST

Photo used for representational purpose only.

Photo used for representational purpose only. | Photo Credit: Reuters

Even as Ukraine grapples with the military operation launched by Russia on February 24, the country is also being targeted by large-scale cyber attacks targeting government websites, banks, and other users. 

While it cannot be confirmed if Russia is propagating these attacks, experts are convinced that such cyber activities are a part of Russia’s “hybrid warfare”, using a combination of conventional and advanced tactics. It involves non-state and state-backed cyber attacks to remotely target a country’s infrastructure such as financial institutions, government databases, and power grids. The Russian Main Intelligence Directorate or GRU has been accused by the United States of carrying out cyber attacks in the past. 

On February 23, hours before Russia advanced a full-scale military operation into Ukraine, cybersecurity firms Symantec and ESET said that a new and sophisticated strain of a data-wiper malware, dubbed Hermetic Wiper, had been detected in hundreds of computers in Ukraine. 

Also on that day, Ukraine was hit by a distributed denial-of-service or DDoS attack, which caused several of its government and private websites to crash, reported BBC. 

Over a week earlier, on February 15, some 70 Ukrainian government websites and its defence and armed forces networks were hit by similar DDoS attacks, which the U.S. and U.K. pinned on Russian hacking groups. 

What is the Hermetic Wiper malware?

On the night of February 23, the Slovakian cybersecurity company ESET said it had detected the data-wiper malware, which it named Hermetic Wiper, on hundreds of computers in Ukraine. The name is likely derived from the company name Hermetica Digital Ltd, to which the malware’s code signing certificate was issued. 

The data-wiper malware, when downloaded, can erase all the data on a device it targets, in a manner that renders the data irretrievable. 

The malware makes use of the disc or storage management software to corrupt the local data on the device, after which it reboots the computer. It is also capable of attacking data recovery tools on a system and the rebooting system of a hard drive, making it difficult for the device to reboot into its operating system, essentially making it inoperable. 

This malware may also access full control of its target’s internal networks, exposing multiple programs to it. ESET said that in one of the organisations that the wiper targeted, it was dropped into the system using the default Group Policy Object (GPO), meaning it could then access the main server to spread the malware into other devices and programs. 

While ESET said that Hermetic Wiper targeted hundreds of machines in Ukraine, Symantec said it affected a financial institution in the country and its government contractors in Latvia and Lithuania. 

The creation time stamp on the malware said December 28, 2021, indicating that the attack was being planned for quite some time. 

Hermetic Wiper is fairly similar to the WhisperGate malware that Microsoft had detected in several systems in Ukraine in mid-January this year. The malware, though designed to look like ransomware, encrypted all data on a system and also left it inoperable. Unlike ransomware however, it did not have a ‘pay for your data’ or ransom recovery mechanism. 

The current wiper malware is also being considered similar to the highly damaging NotPetya malware attack of 2017, which had affected numerous businesses in Ukraine and had also spread to other countries. It would also encrypt a computer’s data in an irrecoverable fashion. It had caused $10 billion in financial damage globally.

What are DDoS attacks? 

On February 24, Wednesday, a DDoS or distributed denial-of-service attack also hit Ukraine’s largest commercial bank, Privatbank and its government departments, including the Ministry of Defence. 

A DDoS attack essentially floods a website with countless frivolous requests for information, eventually leading it to paralyse or crash. It uses bots to send these queries that bombard the site, leaving it inaccessible to legitimate users. 

Such attacks, in a conflict situation, can damage critical digital infrastructure, disable government communication and the information ecosystem in a country. 

Mykhailo Fedorov, Ukraine’s Minister of Digital Transformation had tweeted referring to Wednesday’s attack: “At about 4pm, another mass DDoS attack on our state began. We have relevant data from a number of banks”. He added that the website of the Ukrainian parliament was also targeted by the attack. The targeted websites, he said, went offline as a result.

Ukraine’s response

Reuters reported that the Ukrainian government is now asking the country’s underground network of hackers to volunteer in its efforts to defend against and retaliate to the cyberattacks it is being targeted with. 

As Russian forces spread their operations, requests started appearing on Ukraine’s digital space, asking hackers to partake in protecting critical infrastructure such as power grids and water networks in the country and also launch cyber espionage missions. 

“Ukrainian cybercommunity! It’s time to get involved in the cyber defense of our country,” an online post read. It asked hackers and cybersecurity experts in the country to submit applications through Google docs, detailing their specialties in areas such as malware development. 

Yegor Aushev, co-founder of Kyiv-based cybersecurity company Cyber Unit Technologies, said that he wrote the post after receiving a request from a senior Defence Ministry official. The company is known to regularly work with the Ukrainian government for defending critical infrastructure.

Besides, after a call for help from Ukraine, the European Union said on February 22 that it is deploying a cyber rapid-response team (CRRT) across Europe consisting of cyber experts from six countries — Lithuania, Croatia, Poland, Estonia, Romania, and the Netherlands — to combat cybersecurity threats.

Australia has also expressed its commitment to aiding Ukraine in strengthening its cyber security measures through a bilateral dialogue on cyber policy.

Top News Today

Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.