The Canadian Centre for Cyber Security issued a public alert on Friday saying it has become aware of new disruptive malware, named HermeticWiper, targeting Ukrainian organizations.
The alert, which is being released to raise awareness, comes after the malware, or malicious software, was discovered in Ukraine on Wednesday.
Reuters reported that the malware affected hundreds of computers, according to researchers from Ukrainian cybersecurity firm ESET. Suspicion has fallen on Russia, which has been repeatedly accused of hacking Ukraine and other countries. The victims included government agencies and a financial institution, but no further details were provided.
According to the Canadian Centre for Cyber Security, HermeticWiper “abuses a benign driver to corrupt the Master Boot Record (MBR) of each physical disk and disk partition to render the victimized system inoperable after machine shutdown.”
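To make concrete what a corrupted Master Boot Record looks like to a defender, here is an added Python example; it is not code from the Cyber Centre alert or from Global News. It parses a 512-byte MBR sector, checks the boot signature and partition table for plausibility, and compares the sector against a SHA-256 baseline recorded while the machine was known-good. The sample sector is constructed inline. The layout constants (boot code from offset 0, four 16-byte partition entries at offset 446, signature 0x55AA at offset 510) are the standard MBR layout; how the sector is read from a physical disk on a live system is left to the caller and is an assumption of the example.

```python
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512               # a classic MBR is exactly one 512-byte sector
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"    # last two bytes of a valid MBR


def parse_partition_table(sector: bytes) -> List[Dict[str, int]]:
    """Return the four partition entries as dicts (status, type, lba_start, sectors)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        entries.append({"status": status, "type": type_id, "lba_start": lba_start, "sectors": sectors})
    return entries


def sector_digest(sector: bytes) -> str:
    """SHA-256 of the raw sector; record this while the system is known-good."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the sector looks intact."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if sector[:PARTITION_TABLE_OFFSET] == b"\x00" * PARTITION_TABLE_OFFSET:
        findings.append("boot code region is all zeros")
    entries = parse_partition_table(sector)
    if all(e["type"] == 0 for e in entries):
        findings.append("partition table is empty")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):      # only "inactive" and "bootable" are valid
            findings.append(f"entry {i}: invalid status byte 0x{e['status']:02x}")
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"entry {i}: non-empty type with zero length")
    if baseline_sha256 is not None and sector_digest(sector) != baseline_sha256:
        findings.append("sector hash differs from recorded baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one bootable NTFS-type partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xfa\x33\xc0"                                   # stand-in for boot code (constructed)
    sector[3:PARTITION_TABLE_OFFSET] = b"\x90" * (PARTITION_TABLE_OFFSET - 3)
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = sector_digest(good)
    print("intact sector:", check_mbr(good, baseline))
    print("zeroed sector:", check_mbr(bytes(SECTOR_SIZE), baseline))
```

A zeroed sector trips every check at once (no signature, no boot code, empty table, hash mismatch), which is the signal that matters: on a machine that still runs, a clean baseline hash taken earlier is what lets the check fire before the next reboot rather than after.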
HermeticWiper also “modifies several registry keys to disable system crash dumps”.
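As an added detection example, not code from the alert or from Global News, the script below scans registry-change events for the crash-dump setting being switched off, which is the kind of change a defender would want to alert on. The event lines are constructed for the example and borrow the field names of Sysmon's Event ID 13 (RegistryEvent, SetValue) in a simplified key=value form. The value watched, CrashDumpEnabled under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, is the standard Windows setting that controls whether a kernel crash dump is written (0 disables it). The alert does not name the keys HermeticWiper modifies, so treating this value as the indicator is an assumption of the example.

```python
import re
from typing import Dict, List

# Constructed sample events (not a real capture), shaped after Sysmon Event ID 13 fields.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\svchost.exe "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\Start Details=DWORD (0x00000002)",
    "EventID=13 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\unknown.exe "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled Details=DWORD (0x00000000)",
    "EventID=13 Image=C:\\Windows\\System32\\SystemSettingsAdminFlows.exe "
    "TargetObject=HKLM\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled Details=DWORD (0x00000007)",
    "EventID=1 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe",
]

# key=value pairs; a value runs until the next " key=" or end of line, so "DWORD (0x...)" stays whole
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# the CrashControl value that turns kernel crash dumps on or off (assumed indicator, see lead-in)
CRASH_DUMP_VALUE = re.compile(r"\\CrashControl\\CrashDumpEnabled$", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a field dict."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line)}


def dword_value(details: str):
    """Extract the integer from a 'DWORD (0x....)' details string, or None if it is not one."""
    m = DWORD_RE.match(details)
    return int(m.group(1), 16) if m else None


def find_crash_dump_tampering(lines: List[str]) -> List[Dict[str, object]]:
    """Return events where CrashDumpEnabled was set to 0, with the process image that did it."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":               # only registry value-set events
            continue
        target = ev.get("TargetObject", "")
        if not CRASH_DUMP_VALUE.search(target):
            continue
        value = dword_value(ev.get("Details", ""))
        if value == 0:                               # dumps disabled; any other value keeps some dump type
            hits.append({"image": ev.get("Image"), "target": target, "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_crash_dump_tampering(SAMPLE_EVENTS):
        print("crash dumps disabled by", hit["image"])
```

Only the second event fires: the same value being set to a non-zero number by a Windows settings process is a normal configuration change, so the rule keys on the value, not just the key path. In a real pipeline the process image and parent process on a hit are the first pivot for triage.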
In a nutshell, says Terry Cutler, ethical hacker and CEO of Cyology, the purpose of this new malware is essentially to “wipe out any government agency or company data”, making it unrecoverable.
Difference between HermeticWiper and Ransomware
Ransomware is a widely known type of malware. What sets HermeticWiper apart is what it does with the data it reaches.
According to Cutler, when ransomware enters a computer, it gains access to usernames and passwords and works its way through the system.
“It’s trying to get a foothold, and once it reaches what’s called domain administrative credentials…computers are locked down and their data becomes completely unusable and scrambled until you pay a ransom,” Cutler explained in an interview with Global News.
HermeticWiper, on the other hand, “turns off and instead of doing the ransomware thing where it locks the data, it actually wipes the whole place, which is much harder to recover,” Cutler said.
In a document prepared in early February this year, the Congressional Research Service (CRS) explained that Russia maintains a number of cyber units that “carry out disinformation, propaganda, espionage and destructive cyberattacks on a global scale”.
CRS said that according to government reports, Russia’s early cyber operations consisted primarily of distributed denial-of-service (DDoS) attacks and often relied on the recruitment of criminal and civilian hackers.
Cutler explained that a DDoS attack is a cyber attack aimed at disrupting the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
He said DDoS attacks often act as a diversion.
“You’ll think they’re attacking your website, but in fact they’re attacking your databases or other sensitive information,” Cutler said.
When that happens, he said, IT staff will see a huge spike in internet traffic at their firewalls, along with a flood of calls from users who cannot log in to use the services.
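As an added example of what that spike looks like in data (not code from the article or from Cutler), the Python script below parses constructed firewall log lines, counts connections per 10-second window, and flags a window whose count is far above the median of the earlier windows and that comes from many distinct sources, which is what separates a distributed flood from one misbehaving client. The log line format, the window size and the thresholds are assumptions made for the example; a real deployment reads the firewall's own log format and tunes the factor and window to its normal traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, List, Optional, Set, Tuple

# Constructed log line format (an assumption, not any particular firewall's syntax):
#   <ISO-8601 UTC timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, int]]:
    """Return (timestamp, source IP, destination port), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(3), int(m.group(5))


def bucket_traffic(lines: List[str], window_seconds: int = 10) -> Tuple[Counter, Dict[int, Set[str]]]:
    """Count connections and distinct source IPs per fixed time window (keyed by window start epoch)."""
    counts: Counter = Counter()
    sources: Dict[int, Set[str]] = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # skip malformed lines instead of crashing on them
        ts, src, _port = parsed
        window = int(ts.timestamp()) // window_seconds * window_seconds
        counts[window] += 1
        sources[window].add(src)
    return counts, sources


def detect_spikes(lines: List[str], window_seconds: int = 10, factor: float = 5.0,
                  min_sources: int = 50, min_history: int = 3) -> List[Dict[str, object]]:
    """Flag windows whose connection count is at least factor times the median of earlier
    windows and that involve at least min_sources distinct source IPs."""
    counts, sources = bucket_traffic(lines, window_seconds)
    windows = sorted(counts)
    alerts = []
    for i, w in enumerate(windows):
        history = [counts[x] for x in windows[:i]]
        if len(history) < min_history:
            continue                       # not enough baseline yet to judge
        baseline = median(history)
        if counts[w] >= factor * baseline and len(sources[w]) >= min_sources:
            alerts.append({"window_start": w, "connections": counts[w],
                           "unique_sources": len(sources[w]), "baseline": baseline})
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample: five quiet 10-second windows, one flood window, then one quiet window."""
    start = datetime(2022, 2, 25, 10, 0, 0, tzinfo=timezone.utc)
    lines: List[str] = []

    def emit(ts: datetime, src: str) -> None:
        lines.append(f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} ALLOW src={src} dst=198.51.100.5 dport=443")

    for k in list(range(5)) + [6]:                         # quiet windows: 12 connections, 12 sources
        for j in range(12):
            emit(start + timedelta(seconds=10 * k + j % 10), f"203.0.113.{j + 1}")
    for j in range(400):                                   # flood window: 400 connections, 200 sources
        emit(start + timedelta(seconds=50 + j % 10), f"192.0.2.{j % 200 + 1}")
    lines.append("this line is malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(build_sample_log()):
        print(alert)
```

The median rather than the mean is used for the baseline so that the flood window itself, once it is in the history, does not drag the baseline up and hide a second wave. The distinct-source threshold is what keeps a single chatty host or a misconfigured monitor from paging anyone.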
Cutler said Russia’s cyber warfare units have the “playbooks to stay undetected for as long as possible.”
“They’re trying to make their way into what’s called critical infrastructure. They want to get into your power grid, your water supply, your telephone, your internet service providers… If it ever came down to World War III, it might not be fought with bombs anymore. It’s going to be fought with cyberattacks,” Cutler said.
Ukraine has been subject to a constant barrage of Russian aggression in cyberspace since 2014, when Russia annexed the Crimean peninsula and backed separatists in eastern Ukraine.
In 2007, Estonia was also the target of a large-scale cyberattack, which most observers blamed on Russia. Estonian targets ranged from online banking and media to government websites and email services.
Russia used DDoS attacks again in its 2008 war with Georgia. Although Russia has denied responsibility, Georgia was the victim of a large-scale cyberattack that coincided with Russian military actions.
How to stop this new malware
HermeticWiper only works because it is new; if it were old, existing countermeasures would already have caught and stopped it, says Eric Parent, CEO and founder of EVA technologies, which specializes in cybersecurity and cyberterrorism.
Parent says that once HermeticWiper “blows up and breaks things,” there will be different people and entities, like antivirus and emergency response companies, studying it.
“The good part is that (after we understand how it works) we can see how to protect ourselves against it,” Parent said. “The downside is that all the wrong people can also watch it and figure out how it works too.”
He said that over time, criminals could figure out how HermeticWiper works and use it on someone else.
In the meantime, as Russia continues its invasion of Ukraine, Parent says he expects to see more cyberattacks in the coming days and weeks, even in Canada, and they will be a little different.
“We’ve always had it…but we’re just going to have a little more…and there will be a little more focused effort,” Parent said.
Are Canadian companies at risk?
A cybersecurity expert says Canadian businesses risk being the target of online attacks if Russia chooses to retaliate against government sanctions.
Karim Hijazi, founder and CEO of Texas-based cyberintelligence firm Prevailion, says Canadian companies could fall victim to bad actors trying to compromise critical infrastructure and government entities.
He says that might be the likely approach because government, critical infrastructure and the private sector are so intertwined and easily accessible.
Hijazi also says that the harmful malware that Russia could activate is already in Canada.
A spokesperson for the Communications Security Establishment (CSE) confirmed to The Canadian Press that the federal government agency monitors cyber threats targeting the finance, energy and telecommunications sectors.
CSE encourages all critical infrastructure sectors in Canada to monitor the increase in cyber threat activity.
Parent said Russia would retaliate against countries that impose sanctions on it through cyberattacks because “it’s too easy to do that.”
“If they find something they can break, meaning on Canadian soil or American soil, they will.”
— with files from The Canadian Press, The Associated Press and Reuters
© 2022 Global News, a division of Corus Entertainment Inc.