Second data wiper attack hits Ukraine computer networks


Two cybersecurity firms with a strong business presence in Ukraine—ESET and Broadcom’s Symantec—have reported tonight that computer networks in the country have been hit with a new data-wiping attack.

The attack is taking place as Russian military troops have crossed the border and invaded Ukraine’s territory in what Russian President Putin has described as a “peacekeeping” mission.

Details about the attack are still being collected, and the attack is still going on. Its scale and the number of impacted systems are still unknown.

New #wiper malware being used in attacks on #Ukraine
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

— Threat Intelligence (@threatintel) February 23, 2022

Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n

— ESET research (@ESETresearch) February 23, 2022

Tonight’s event marks the second time this year that a data wiper was deployed on Ukrainian government systems after a first attack took place in mid-January.

The deployment of that first malware (named WhisperGate) was hidden under the guise of a fake ransomware outbreak and during a series of coordinated defacements of Ukrainian government websites.

Today’s attack, which ESET said took place around 16:52, Ukraine time, was also accompanied by a series of distributed denial of service (DDoS) attacks against government websites.

Ukrainian government officials have not confirmed or released any details about the ongoing attack.

According to a technical analysis of the malware, which ESET said it was tracking as KillDisk.NCV, the wiper is sometimes deployed via Windows group policies, suggesting the attackers have full control of the entire internal network.

On infected systems, the wiper then runs a version of the EaseUS Partition Master software, a disk partitioning utility, which it uses to corrupt data and then reboot the computer.

According to Silas Cutler, a security researcher for Stairwell, KillDisk.NCV doesn’t just destroy local data, but it also damages the master boot record (MBR) section of a hard drive, which prevents the computer from booting into the operating system after the forced reboot—behavior identical with the WhisperGate malware from last month.

I can confirm this damages a system's MBR. https://t.co/68B0V743lR

— Silas (@silascutler) February 23, 2022
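For responders who need to check whether a machine's boot sector is still structurally intact, the following is an added example (not code from the article, ESET, Symantec or Stairwell) that triages a classic 512-byte MBR read from a disk image. The sample sectors are constructed, and the checks assume nothing about how this wiper overwrites the MBR, which the article does not describe.

```python
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"   # boot flag, CHS start, type, CHS end, start LBA, sector count

def build_mbr(entries):
    """Constructed sample sector: zeroed boot code, partition table, 0x55AA."""
    table = b"".join(struct.pack(ENTRY, boot, b"\0" * 3, ptype, b"\0" * 3, lba, count)
                     for boot, ptype, lba, count in entries)
    return bytes(446) + table.ljust(64, b"\0") + b"\x55\xaa"

def triage_mbr(sector):
    """Return findings for sector 0; an empty list means it is structurally sane."""
    if len(sector) != SECTOR:
        return ["short read: expected 512 bytes"]
    findings = []
    if sector[510:512] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if len(set(sector)) == 1:
        findings.append("sector filled with a single byte value")
    used = 0
    for i in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if ptype == 0:          # unused slot
            continue
        used += 1
        if boot not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid boot flag 0x{boot:02x}")
        if lba == 0 or count == 0:
            findings.append(f"entry {i}: zero start LBA or length")
    if used == 0:
        findings.append("partition table empty")
    return findings

# Constructed samples: a sane single-partition MBR, a zero-filled sector,
# and a sector overwritten with patterned junk.
GOOD = build_mbr([(0x80, 0x07, 2048, 204800)])
ZEROED = bytes(SECTOR)
JUNK = bytes((i * 7 + 3) % 256 for i in range(SECTOR))

if __name__ == "__main__":
    # On a real case, read the first 512 bytes of a forensic image instead:
    #   with open(image_path, "rb") as f: sector = f.read(512)
    for name, sector in (("GOOD", GOOD), ("ZEROED", ZEROED), ("JUNK", JUNK)):
        print(name, triage_mbr(sector) or "ok")
```

A clean result only means the sector parses as an MBR; it does not show that the boot code or the rest of the disk is untouched.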

This is a developing story. Updates will follow throughout the day.

The post Second data wiper attack hits Ukraine computer networks appeared first on The Record by Recorded Future.
