Security researchers spot another form of wiper malware that was used against Ukraine's networks

Cybersecurity researchers detail wiper malware deployed in attacks against the Ukrainian government just before Russia's invasion.
Written by Danny Palmer, Senior Writer

Another new form of destructive wiper malware has been identified after it was used in attacks against Ukrainian organisations before and during Russia's invasion of Ukraine. 

Researchers at cybersecurity company ESET have detailed malware they've named IsaacWiper, which was used in an attack against a Ukrainian government network just before Russia sent troops into Ukraine. A new version of the malware was launched in additional attacks the next day.

The discovery of IsaacWiper comes after the discovery of other destructive malware, known as HermeticWiper, being used in cyberattacks against organisations in Ukraine ahead of the invasion. IsaacWiper was used in attacks against a network that was not affected by HermeticWiper. 


Researchers note that neither IsaacWiper nor HermeticWiper has yet been attributed to any known cyber-threat group, due to a lack of significant code similarities with other samples of malware. It's also still unknown if there are any links between the two pieces of malware.

What ESET researchers have identified are details in IsaacWiper's code which suggest that, despite only being used in attacks from February 24th, it has been available since October – meaning it could have been developed months before the attacks against Ukraine and could also have been used in earlier campaigns. 

It's currently unknown how IsaacWiper is delivered to victims' machines, although researchers note that RemCom, a remote access tool, has been deployed at the same time as IsaacWiper malware attacks. It's also suggested that the attackers are finding a way to move laterally around networks in order to spread malware.  

No matter how the malware is spread, it's suspected that the attackers infiltrated the target networks some time before IsaacWiper was delivered. 

"ESET researchers assess with high confidence that the affected organisations were compromised well in advance of the wiper's deployment," said Jean-Ian Boutin, ESET head of threat research. 

The nature of the wiper means it's designed to destroy networks and files, but it's possible that those behind the attacks didn't hit all their targets on the first attempt, given that the attackers dropped a new version of IsaacWiper on 25 February.

ESET suggests that the reason behind this might be that the attackers weren't able to successfully wipe some of the targeted machines and added log messages to understand what happened. 

In an attempt to defend Ukrainian organisations and networks from offensive cyberattacks, the Ukrainian government is calling for volunteers to aid with cybersecurity.  

Cybersecurity agencies around the world have also urged organisations to ensure their networks are protected against potential cyberattacks related to the invasion of Ukraine.  

