By security practitioners, for security practitioners

Cyber Threats Associated with Russia’s Invasion of Ukraine (updated)

UPDATE 3.4.2022 In the nine days since Russia’s invasion of Ukraine began, there has been a noted escalation of cyber threats attributable to the conflict. Four new threats have been observed: HermeticWizard, HermeticRansom, IsaacWiper, and a spear-phishing campaign dubbed Asylum Ambuscade.

2.24.2022 Timely reports of cyber threats associated with Russian actors are surfacing alongside news of the Ukraine invasion. Cyberattacks are thought to be a first-wave tool in Russia’s adversarial posture toward NATO. This advisory is a quick rundown of the different threats we are aware of at this time. The entire security community is monitoring the situation very closely.

Expect more in-depth advisories as new threats are discovered.

Cyclops Blink

Sandworm, also known as Voodoo Bear, is a threat group with known ties to a Russian military unit specializing in special technologies. It is credited with authoring and deploying Cyclops Blink, a persistent Linux malware that targets small office/home office (SOHO) networking devices such as firewalls and routers. It appears to be a replacement framework for the group’s earlier VPNFilter malware.

The malware runs as a persistent resident executable that connects to well-obscured C2 hosts, leading analysts to assess that its purpose is a widespread botnet capable of espionage or coordinated DDoS.

Thus far Cyclops Blink has only been discovered on WatchGuard devices sold since 2019, but the malware is built such that it can easily be compiled and packaged for any small Linux-based networking device, which describes most products in the SOHO category, including firewalls, routers, and NAS units.

A joint advisory from CISA, the FBI, and NSA documents a comprehensive analysis of the malware’s design and behavior, as well as techniques for detection.

WatchGuard has prepared a knowledge base article on Cyclops Blink diagnosis and remediation for its Firebox devices. At this point in time, only WatchGuard devices are known to be affected, but as noted above the malware could easily be adapted to other devices in this category.

The basic approach to mitigation is to determine whether the device has been infected and, if it has, remediate through a process that requires physical access to the device. Afterward, upgrade the firmware to the latest version to prevent reinfection by the botnet.

If a device is infected with Cyclops Blink, assume that any passwords stored on the device have been compromised and change them as soon as possible. Additional forensic investigation may be necessary.

HermeticWiper (aka DriveSlayer)

UPDATE: CISA has posted extensive guidance on dealing with HermeticWiper.

A newly discovered malware dubbed HermeticWiper has been observed circulating in Ukrainian organizations. SentinelLabs reports that the malware carries a legitimately signed Windows driver, loads it after execution, and uses it to corrupt the master boot record of the system volume, leaving the machine unable to boot.

The malware is named for the company on the driver’s certificate, “Hermetica Digital Ltd.” It co-opts a seemingly benign partition management driver from EaseUS named empntdrv.sys. According to SentinelLabs this complicates analysis of HermeticWiper, because much of the destructive functionality is delegated to the driver through DeviceIoControl calls with specific I/O control codes.

How to mitigate HermeticWiper?

Mitigation of this one is difficult at this time. The vector by which the signed driver is introduced is not well understood, and searching for IOCs post-infection may not be possible because the malware does its damage within moments of execution.

Currently known IOCs from @EsetResearch (detected as Win32/KillDisk.NCV trojan):

  • SHA-1: 912342F1C840A42F6B74132F8A7C4FFE7D40FB77
  • SHA-1: 61B25D11392172E587D8DA3045812A66C3385451

Additional hashes:

  • MD5: 3f4a16b29f2f0532b7ce3e7656799125
  • SHA-256: 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

3.4.2022 IOCs posted at CISA:

Name | File category | File hash | Source
HermeticWiper | Win32 EXE | 912342f1c840a42f6b74132f8a7c4ffe7d40fb77 (SHA-1) | SentinelLabs (also reported by ESET research)
HermeticWiper | Win32 EXE | 61b25d11392172e587d8da3045812a66c3385451 (SHA-1) | SentinelLabs (also reported by ESET research)
RCDATA_DRV_XP_X86 | ms-compressed | eb845b7a16ed82bd248e395d9852f467 (MD5) | SentinelLabs
Trojan.Killdisk | Trojan.Killdisk | 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 (SHA-256) | Symantec Threat Hunter Team
Trojan.Killdisk | Trojan.Killdisk | 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da (SHA-256) | Symantec Threat Hunter Team
Trojan.Killdisk | Trojan.Killdisk | a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e (SHA-256) | Symantec Threat Hunter Team
Ransomware | Trojan.Killdisk | 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 (SHA-256) | Symantec Threat Hunter Team

IOCs associated with HermeticWiper. Source: CISA.
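As an added example, not code from this page or from CISA, ESET, SentinelLabs or Symantec, the script below hashes every file under a directory in a single pass and checks MD5, SHA-1 and SHA-256 against the indicators transcribed from the table above. The demo tree it builds is constructed data: since no real sample is shipped, the flagged file is matched through a hash appended to a copy of the IOC set, and the file names are arbitrary.

```python
# Added example (not the page's or any vendor's code): single-pass hashing of
# files under a directory and matching against the HermeticWiper IOC table.
# Hash values are transcribed from the table; the demo tree is constructed.
import hashlib
import io
import tempfile
from pathlib import Path

# Transcribed from the CISA/SentinelLabs/Symantec rows on this page (lower-case hex).
HERMETICWIPER_IOCS = {
    "912342f1c840a42f6b74132f8a7c4ffe7d40fb77": "HermeticWiper Win32 EXE (SHA-1, SentinelLabs/ESET)",
    "61b25d11392172e587d8da3045812a66c3385451": "HermeticWiper Win32 EXE (SHA-1, SentinelLabs/ESET)",
    "eb845b7a16ed82bd248e395d9852f467": "RCDATA_DRV_XP_X86 driver resource (MD5, SentinelLabs)",
    "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591": "Trojan.Killdisk (SHA-256, Symantec)",
    "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da": "Trojan.Killdisk (SHA-256, Symantec)",
    "a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e": "Trojan.Killdisk (SHA-256, Symantec)",
    "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382": "Ransomware/Trojan.Killdisk (SHA-256, Symantec)",
}

# The hex length identifies the digest, so one table can mix algorithms.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def normalize_iocs(iocs):
    """Lower-case the keys and reject anything that is not MD5/SHA-1/SHA-256 hex."""
    clean = {}
    for value, label in iocs.items():
        v = value.strip().lower()
        if len(v) not in ALGO_BY_LEN or set(v) - HEX:
            raise ValueError(f"not a supported hash: {value!r}")
        clean[v] = label
    return clean


def _digest(stream, algos, chunk=1 << 20):
    """Feed one read of the stream to every requested hasher."""
    hashers = {a: hashlib.new(a) for a in algos}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_file(path, algos=("md5", "sha1", "sha256")):
    """Compute several digests in one pass so a large disk is read only once."""
    with open(path, "rb") as fh:
        return _digest(fh, algos)


def hash_bytes(data, algos=("md5", "sha1", "sha256")):
    return _digest(io.BytesIO(data), algos)


def scan_tree(root, iocs=HERMETICWIPER_IOCS):
    """Return [(path, algo, digest, label)] for every file whose digest is in the IOC set."""
    iocs = normalize_iocs(iocs)
    needed = tuple(sorted({ALGO_BY_LEN[len(v)] for v in iocs}))
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or p.is_symlink():
            continue
        for algo, digest in hash_file(p, algos=needed).items():
            if digest in iocs:
                hits.append((str(p), algo, digest, iocs[digest]))
    return hits


def build_demo_tree():
    """Constructed test data: a benign file and a file whose SHA-256 is added to a
    copy of the IOC set, because no real HermeticWiper sample is shipped here."""
    root = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    (root / "notes.txt").write_bytes(b"quarterly report draft\n")
    (root / "drivers").mkdir()
    suspect = root / "drivers" / "sample.bin"
    suspect.write_bytes(b"constructed stand-in for a flagged sample\n")
    iocs = dict(HERMETICWIPER_IOCS)
    iocs[hashlib.sha256(suspect.read_bytes()).hexdigest()] = "constructed test IOC (SHA-256)"
    return str(root), iocs


if __name__ == "__main__":
    demo_root, demo_iocs = build_demo_tree()
    for hit in scan_tree(demo_root, demo_iocs):
        print("HIT", *hit)
```

Hash indicators only catch the exact samples that were reported; a repacked build will not match, so a clean scan is scoping information rather than assurance. Pair it with a search for drivers signed by Hermetica Digital Ltd. and for the EaseUS empntdrv.sys driver on hosts where no partition tool was ever installed.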


HermeticWizard

NEW In the course of their research into HermeticWiper, security researchers further discovered HermeticWizard, a worm assessed to be used for lateral movement across networks. While precise details are still sparse on how HermeticWizard was introduced to victim networks, it is known to use WMI and SMB to traverse them.

How to mitigate HermeticWizard?

When HermeticWizard finds a reachable machine, it drops a WMI spreader onto disk and creates a new process. At this time, HermeticWizard is signed with the same certificate as HermeticWiper, which makes detection somewhat less complicated. In addition, the use of the following commands, while not inherently suspicious, may help discern anomalous network activity associated with HermeticWizard.

Additionally, while HermeticWizard scans in a random order to frustrate fingerprinting by scan pattern, it is known to attempt connections to potential victims on the ports below. For SMB it uses port 445 and attempts to connect to the named pipes listed.

Ports probed:

  • 20 (ftp)
  • 21 (ftp)
  • 22 (ssh)
  • 80 (http)
  • 135 (rpc)
  • 137 (netbios)
  • 139 (smb)
  • 443 (https)
  • 445 (smb)

SMB named pipes tried on port 445:

  • samr
  • browser
  • netlogon
  • lsarpc
  • ntsvcs
  • svcctl
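As an added example, not ESET’s tooling and not code from this page, the detector below reads connection records and raises an alert when one source reaches ten or more distinct hosts on the ports listed above within a sixty-second window, also noting which of the listed SMB pipes that source opened. Because the worm randomises its target order, the heuristic counts fan-out rather than looking for sequential addresses. The record format and the telemetry are constructed for the demo, and the thresholds are assumptions to be tuned per network.

```python
# Added example (not ESET's or the page's code): flags a host that fans out to
# many machines on the ports HermeticWizard is reported to probe. The signal is
# the number of distinct destinations per source inside a short window, which
# survives the worm's randomised target order. Telemetry below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Ports listed on this page as probed by HermeticWizard, and the SMB pipes it tries.
WIZARD_PORTS = {20, 21, 22, 80, 135, 137, 139, 443, 445}
WIZARD_PIPES = {"samr", "browser", "netlogon", "lsarpc", "ntsvcs", "svcctl"}


def parse_record(line):
    """Constructed format: 'ISO-timestamp src dst dport [pipe]'."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    pipe = parts[4] if len(parts) > 4 else None
    return ts, parts[1], parts[2], int(parts[3]), pipe


def find_fanout(records, window_seconds=60, min_targets=10):
    """Return {src: {"targets": [...], "pipes": [...]}} for every source that
    reached at least min_targets distinct hosts on WIZARD_PORTS inside one window."""
    by_src = defaultdict(list)
    pipes_by_src = defaultdict(set)
    for ts, src, dst, dport, pipe in records:
        if dport not in WIZARD_PORTS:
            continue
        by_src[src].append((ts, dst))
        if dport == 445 and pipe and pipe.lower() in WIZARD_PIPES:
            pipes_by_src[src].add(pipe.lower())

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        live = defaultdict(int)  # distinct destinations currently inside the window
        lo = 0
        for ts, dst in events:
            live[dst] += 1
            # Slide the window: expire events older than window_seconds.
            while ts - events[lo][0] > window:
                old = events[lo][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                lo += 1
            if len(live) >= min_targets:
                alerts[src] = {"targets": sorted(live), "pipes": sorted(pipes_by_src[src])}
                break
    return alerts


def build_sample_records():
    """Constructed telemetry: one worm-like host sweeping twelve neighbours in a
    shuffled order over about 25 s, plus a workstation talking to three servers
    over an hour."""
    base = datetime(2022, 2, 23, 14, 0, 0)
    lines = []
    order = [7, 3, 11, 1, 9, 5, 12, 2, 10, 4, 8, 6]  # deliberately non-sequential
    for i, host in enumerate(order):
        ts = base + timedelta(seconds=2 * i)
        pipe = ["samr", "browser", "svcctl"][i % 3]
        lines.append(f"{ts.isoformat()} 10.0.1.5 10.0.2.{host} 445 {pipe}")
        lines.append(f"{(ts + timedelta(seconds=1)).isoformat()} 10.0.1.5 10.0.2.{host} 135")
    for i, server in enumerate(["10.0.3.1", "10.0.3.2", "10.0.3.3"]):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} 10.0.1.7 {server} 443")
    return lines


if __name__ == "__main__":
    found = find_fanout(parse_record(l) for l in build_sample_records())
    for src, info in found.items():
        print(f"{src}: {len(info['targets'])} targets in window, pipes {info['pipes']}")
```

Port 80 and 443 traffic from a workstation is normal, so the distinct-host count on the whole port set, not any single port, is what separates the worm from browsing; a source that also opens samr, svcctl and similar pipes on many hosts in quick succession deserves immediate isolation.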

Known Indicators of Compromise 3.4.2022


HermeticRansom (aka PartyTicket Ransomware)

NEW While deployed in far smaller numbers than the mainline HermeticWiper, HermeticRansom was discovered on at least some Ukrainian machines at the same time as the wiper. Assessed to be a likely distraction from the main offensive, HermeticRansom shows several signs of rushed development. Specifically, errors in its encryption implementation make the encryption reversible, and Avast has provided a free decryptor. It also contains several political references to the sitting US president and administration, though the significance of these is unknown.

How to mitigate HermeticRansom?

While again the precise delivery method is unknown, HermeticRansom behaves much like many other ransomware payloads. It appends the “.encryptedJB” extension to the files it touches, and although it encrypts the first 9.44MB of every file, the flaws in its implementation mean decryptors already exist. This relatively sloppy work is reflected in several other parts of the malware, effectively reducing the potential damage the payload could cause.
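As an added example, not Avast’s decryptor and not code from this page, the triage below finds files bearing the .encryptedJB extension, compares the entropy of the bytes on either side of the 9.44MB boundary quoted above, and can carve the untouched remainder of large files out for immediate recovery. It assumes, from the description above, that the malware leaves everything past that prefix unmodified; the exact byte value of the boundary is an assumption, and the demo tree uses a small prefix so the run is quick.

```python
# Added example (not Avast's decryptor and not code from the page): triage of
# .encryptedJB files under the assumption that only the first ~9.44 MB of each
# file is encrypted, so the remainder of large files is plaintext and can be
# carved out before any decryption attempt. Sample files are constructed.
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_PREFIX = int(9.44 * 1024 * 1024)  # boundary quoted on the page; approximate
EXTENSION = ".encryptedJB"
SAMPLE = 4096  # bytes examined on each side of the boundary


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, near 8.0 for ciphertext or random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(path, prefix=ENCRYPTED_PREFIX, sample=SAMPLE):
    """Describe one file: how much lies past the encrypted prefix and whether
    that tail still looks like plaintext."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(sample)
        tail = b""
        if size > prefix:
            fh.seek(prefix)
            tail = fh.read(sample)
    head_e = shannon_entropy(head)
    tail_e = shannon_entropy(tail)
    return {
        "path": str(path),
        "size": size,
        "head_entropy": round(head_e, 2),
        "tail_entropy": round(tail_e, 2),
        "salvageable_bytes": max(0, size - prefix),
        # Documents and logs sit well below 6 bits/byte; compressed or encrypted
        # data sits near 8. A low-scoring tail is worth carving out right away.
        "tail_looks_plain": bool(tail) and tail_e < 6.0,
    }


def find_encrypted(root, **kwargs):
    """Triage every file under root that carries the ransomware's extension."""
    return [triage(p, **kwargs) for p in sorted(Path(root).rglob("*" + EXTENSION))]


def carve_tail(path, out_path, prefix=ENCRYPTED_PREFIX):
    """Copy the unencrypted remainder of a file to out_path; returns bytes written."""
    written = 0
    with open(path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(prefix)
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
            written += len(block)
    return written


def build_demo_tree(prefix=4096):
    """Constructed data with a small prefix so the demo is fast: a short file that
    lies entirely inside the encrypted region and a log whose tail is plaintext."""
    root = Path(tempfile.mkdtemp(prefix="hermeticransom-demo-"))
    (root / ("memo.docx" + EXTENSION)).write_bytes(os.urandom(1000))
    log_line = b"2022-02-23 14:00:01 INFO request served in 12ms\n"
    (root / ("app.log" + EXTENSION)).write_bytes(os.urandom(prefix) + log_line * 200)
    return str(root)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for info in find_encrypted(demo_root, prefix=4096):
        print(info)
```

Run with the real prefix against a copy of the affected volume, never the original, and keep the carved tails alongside the originals: a later decryptor needs the intact encrypted prefix, and the tails give analysts immediate access to the bulk of large logs and databases while they wait.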

Known Indicators of Compromise 3.4.2022



WhisperGate

A destructive malware family similar in nature to HermeticWiper was identified and published by the Microsoft Threat Intelligence Center in mid-January. Dubbed WhisperGate, it masquerades as ransomware but has no recovery mechanism. Like HermeticWiper, it overwrites the MBR, with the destruction taking effect when the system shuts down. This is atypical of criminal ransomware, which is intended to be profitable for the actors; destructive malware of this kind is instead thought to be intended primarily to disrupt and degrade capabilities.

Microsoft recommends the following actions for customers and administrators of Windows systems to mitigate WhisperGate:

  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
  • Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.
  • Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers to download and use password-less solutions like Microsoft Authenticator to secure accounts.
  • Enable Controlled folder access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.

WhisperGate indicators published by Microsoft:

Indicator | Type | Description
a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 | SHA-256 | Hash of destructive malware stage1.exe
dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 | SHA-256 | Hash of stage2.exe
cmd.exe /Q /c start c:\stage1.exe 1> \\\ADMIN$\__[TIMESTAMP] 2>&1 | Command line | Example Impacket command line showing the execution of the destructive malware. The working directory has varied in observed intrusions.


IsaacWiper

NEW ESET researchers discovered another wiper variant used against an unspecified Ukrainian government network. Dubbed IsaacWiper, details are unfortunately sparse beyond the observation that it bore no resemblance to any known malware sample at the time of analysis (25 February).

How to mitigate IsaacWiper?

While the initial access vector is still not known, ESET reports that the attackers used Impacket for lateral movement. In a few cases they also observed RemCom, a remote access tool, being deployed alongside IsaacWiper.
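As an added example, not Microsoft’s or ESET’s code, the check below runs over constructed process-creation records and matches the Impacket execution pattern shown in the WhisperGate indicators, where cmd.exe output is redirected into the ADMIN$ share under a __<timestamp> name. It is the same pattern to hunt for given ESET’s note above that Impacket was used for lateral movement ahead of IsaacWiper. The log format, the host and user names, and the 127.0.0.1 target in the sample lines are constructed, not taken from the page.

```python
# Added example (not Microsoft's or ESET's code): process-creation log check
# for the Impacket-style execution pattern quoted in the WhisperGate IOCs.
# Records and host/user names are constructed; 127.0.0.1 is an assumption.
import re

# cmd.exe /Q /c <payload> 1> \\<host>\ADMIN$\__<timestamp> 2>&1
IMPACKET_REDIRECT = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+(?P<payload>.+?)\s+1>\s*"
    r"\\\\(?P<host>[^\\\s]+)\\ADMIN\$\\__(?P<stamp>\d+(?:\.\d+)?)\s+2>&1",
    re.IGNORECASE,
)

# Constructed record format: time|host|user|command line
SAMPLE_EVENTS = [
    r"2022-01-13T02:11:09Z|WS-ACCT-07|CORP\svc_backup|cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\__1642040000 2>&1",
    r"2022-01-13T02:11:40Z|FS-01|CORP\svc_backup|cmd.exe /Q /c whoami 1> \\192.168.10.5\ADMIN$\__1642040100.123456 2>&1",
    r"2022-01-13T02:12:00Z|WS-ACCT-07|CORP\jsmith|cmd.exe /c dir C:\Users\jsmith\Documents",
    r"2022-01-13T02:13:15Z|WS-ACCT-07|CORP\jsmith|powershell.exe -NoProfile -File C:\scripts\backup.ps1",
]


def parse_event(line):
    ts, host, user, cmdline = line.split("|", 3)
    return {"time": ts, "host": host, "user": user, "cmdline": cmdline}


def match_impacket(cmdline):
    """Return the decoded fields if cmdline follows the ADMIN$ redirect pattern, else None."""
    m = IMPACKET_REDIRECT.search(cmdline)
    if not m:
        return None
    return {"payload": m.group("payload"), "target_host": m.group("host"), "stamp": m.group("stamp")}


def hunt(lines):
    """One finding per matching event, keeping the source fields for the analyst."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hit = match_impacket(ev["cmdline"])
        if hit:
            findings.append({**ev, **hit})
    return findings


def summarize(findings):
    """Group by account so one credential driving many hosts stands out."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f["user"], set()).add(f["host"])
    return {u: sorted(h) for u, h in by_user.items()}


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(h["time"], h["host"], h["user"], "->", h["payload"])
    print(summarize(hits))
```

The timestamp suffix and the ADMIN$ redirect are artifacts of how Impacket’s remote-execution tools collect output, so the match fires on the tooling rather than on a specific payload name; the stage1.exe path from the IOC table is only one of the payloads you would expect to see in the captured group.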

Known Indicators of Compromise 3.4.2022


Asylum Ambuscade Spear-Phishing Campaign

NEW Leading email security firm Proofpoint has identified a spear-phishing campaign that utilizes the compromised account of a Ukrainian service member and targets European officials involved with the logistics of assisting refugees fleeing Ukraine.

The “Asylum Ambuscade” campaign email includes a malicious macro attachment which attempts to download a Lua-based malware dubbed “SunSeed.”

The email utilized the subject “IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022” and included a macro-enabled XLS file titled “list of persons.xlsx,” which was later determined to deliver SunSeed malware. The social engineering lures utilized in this phishing campaign were very timely, following a NATO Security Council meeting on February 23, 2022 and a news story about a Russian government “kill list” targeting Ukrainians that began circulating in Western media outlets on February 21, 2022.

Proofpoint researchers

More details on the delivery and payload of the malware-laden phishing campaign as well as filter key terms can be found in the Proofpoint blog post.
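As an added example, not Proofpoint’s code, the inspector below opens a spreadsheet attachment as the OOXML zip container it actually is and reports whether a VBA project is present, regardless of whether the name says .xlsx or .xlsm; a lure named “list of persons.xlsx” that carries macros is exactly the mismatch it flags. Legacy binary .xls files are recognised by their OLE2 header and handed off rather than parsed here. The sample documents are built in memory as minimal constructed packages, not real Excel files.

```python
# Added example (not Proofpoint's code): look inside an Office attachment for
# an embedded VBA project instead of trusting its extension. Sample packages
# are constructed in memory and contain only the parts these checks read.
import io
import zipfile

VBA_MEMBERS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .xls/.doc container
# Whether the advertised extension is allowed to carry macros at all.
EXT_ALLOWS_MACROS = {
    ".xlsx": False, ".docx": False, ".pptx": False,
    ".xlsm": True, ".docm": True, ".pptm": True, ".xltm": True, ".dotm": True,
}


def inspect_attachment(name, data):
    """Classify an attachment by what is inside it, not by what its name claims."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    report = {"name": name, "container": "unknown", "has_vba": False,
              "declares_vba": False, "ext_mismatch": False}
    if data.startswith(OLE2_MAGIC):
        # Binary Office file: macros live in OLE streams, so hand off to an OLE
        # parser such as oletools' olevba instead of treating it as a zip.
        report["container"] = "ole2"
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    with zf:
        members = set(zf.namelist())
        if "[Content_Types].xml" not in members:
            return report
        report["container"] = "ooxml"
        # Two independent signals: the VBA part itself, and the package
        # declaring a VBA content type or a macro-enabled main document type.
        report["has_vba"] = any(m in members for m in VBA_MEMBERS)
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        report["declares_vba"] = VBA_CONTENT_TYPE in ctypes or "macroEnabled" in ctypes
    vba_present = report["has_vba"] or report["declares_vba"]
    report["ext_mismatch"] = bool(vba_present and EXT_ALLOWS_MACROS.get(ext) is False)
    return report


def build_sample_xlsx(with_vba, macro_enabled_main_type):
    """Constructed minimal OOXML spreadsheet: enough of the package for the
    checks above, not something Excel would open as-is."""
    main_ct = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml"
               if macro_enabled_main_type else
               "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>']
    if with_vba:
        parts.append(f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    parts.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "".join(parts))
        zf.writestr("xl/workbook.xml",
                    '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>')
        if with_vba:
            zf.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)  # stub; constructed
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("list of persons.xlsx", build_sample_xlsx(True, False)),
                        ("report.xlsm", build_sample_xlsx(True, True)),
                        ("clean.xlsx", build_sample_xlsx(False, False))]:
        print(inspect_attachment(label, blob))
```

A mail gateway or sandbox rule keyed on this report can quarantine any attachment whose extension promises a macro-free document while the package contains vbaProject.bin, which is a far more reliable signal than the subject line of the lure, however topical that subject is.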

Looking forward

The threat landscape as it relates to increased activity by Russian operators is evolving rapidly. The currently known threats appear intended to disrupt and degrade Ukrainian services and capabilities. Cybersecurity intelligence analysts anticipate continued escalating activity as a part of invasion tactics and potentially actions against NATO member nations.

CISA has compiled a comprehensive guide on Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure that should be required reading for security practitioners at this time.

Innovate Cybersecurity is on heightened awareness for new intel and will compile and report it as it arrives. Users and administrators should exercise additional prudence and vigilance with cybersecurity best practices and monitoring of network activity.

