Recently, ESET researchers discovered a new data wiper, named IsaacWiper, that is being used against an unnamed Ukrainian government network after Russia’s invasion of Ukraine.
The new wiper came to light on 24th February, after the HermeticWiper attack, within an organization that was not infected with the HermeticWiper malware (aka KillDisk.NCV), which contaminated hundreds of machines in the country on February 23.
The cybersecurity firms ESET and Broadcom’s Symantec found that the infections followed DDoS attacks against various Ukrainian websites, including those of the Cabinet of Ministers, Ministry of Foreign Affairs, and Rada.
“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in a Ukrainian governmental organization that was not affected by HermeticWiper,” Jean-Ian Boutin, ESET Head of Threat Research, said. In a new blog post, the company stated that the IsaacWiper attack likely “started shortly after the Russian military invasion and hit a Ukrainian governmental network.”
The company revealed the technical details of the second attack on 1st March. It said that, based on its observations, the attacks appear to have been planned for months, though it did not attribute them to any particular entity or group.
IsaacWiper and HermeticWiper have no code similarities, and the former is less sophisticated than the latter.
Once the network is infected, IsaacWiper starts by enumerating the physical drives and calls DeviceIoControl with the IOCTL IOCTL_STORAGE_GET_DEVICE_NUMBER to get their device numbers.
Then IsaacWiper wipes the first 0x10000 bytes of each disk using the ISAAC pseudorandom generator.
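For responders, an overwrite of the first 0x10000 bytes with pseudorandom data leaves a recognisable trace on a forensic disk image: the partition structures are gone and the region has near-maximal entropy. The Python triage check below is an added example, not code from ESET or from the report; the function names, the 7.9 bits-per-byte threshold and the SHA-256 counter stream standing in for ISAAC output are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

WIPED_LEN = 0x10000          # region the article says IsaacWiper overwrites per disk
GPT_OFFSETS = (512, 4096)    # GPT header sits at LBA 1 (512-byte or 4Kn sectors)
ENTROPY_THRESHOLD = 7.9      # assumed cut-off in bits/byte; random data is ~8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_disk_head(head: bytes) -> dict:
    """Check whether the first 0x10000 bytes of a disk look randomly overwritten."""
    head = head[:WIPED_LEN]
    has_mbr = head[510:512] == b"\x55\xaa"
    has_gpt = any(head[o:o + 8] == b"EFI PART" for o in GPT_OFFSETS)
    entropy = shannon_entropy(head)
    return {
        "has_mbr_signature": has_mbr,
        "has_gpt_header": has_gpt,
        "entropy": round(entropy, 3),
        # No partition structures plus near-maximal entropy: consistent with
        # a PRNG overwrite; a zeroed or healthy head does not match.
        "suspicious": not has_mbr and not has_gpt and entropy > ENTROPY_THRESHOLD,
    }

def read_head(image_path: str) -> bytes:
    """Read the head of a raw disk image (work on a forensic copy, read-only)."""
    with open(image_path, "rb") as f:
        return f.read(WIPED_LEN)

def sample_healthy_head() -> bytes:
    """Constructed sample: mostly empty head with MBR signature and GPT header."""
    head = bytearray(WIPED_LEN)
    head[510:512] = b"\x55\xaa"
    head[512:520] = b"EFI PART"
    return bytes(head)

def sample_overwritten_head() -> bytes:
    """Constructed sample: SHA-256 counter stream standing in for ISAAC output."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(WIPED_LEN // 32))

if __name__ == "__main__":
    for name, head in (("healthy", sample_healthy_head()),
                       ("overwritten", sample_overwritten_head())):
        print(name, triage_disk_head(head))
```

A positive result is a triage signal, not proof of this wiper: it only says the head of the disk holds random-looking data with no MBR or GPT markers.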
ESET concluded its published analysis report by saying that “at this point, we have no indication that other countries were targeted. However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities.”