Digital sleuths track clues in hacks on Ukrainian government, banks

NEW YORK/LONDON (BLOOMBERG, REUTERS) - As missiles landed in Ukraine last Thursday morning (Feb 24), the country's cyber-security defenders were already hard at work. Prior to the Russian military invasion, hackers had launched a series of attacks aimed at disrupting Ukrainian government websites as well as banking, defence, and aviation services.
Ukraine's State Service of Special Communication and Information Protection said it had observed phishing attacks last Wednesday against public authorities and critical infrastructure, as well as attempts to penetrate private-sector networks.
It said it had "unambiguously" identified Russian special services as being behind some of the efforts. Specialists working for Ukraine's government worked overnight to assist some of the affected companies and government departments, according to two people involved in the work.
Researchers at the cyber-security firm ESET said they identified more than three Ukrainian organisations that were targeted last Wednesday with destructive malware, named "HermeticWiper", designed to corrupt computers and render them inoperable. The malware had infected a few hundred computers at those organisations, according to Mr Jean-Ian Boutin, ESET's head of threat research.
"This was not a widespread attack. They pinpointed specific organisations and then went in and deployed the malware," said Mr Boutin, who declined to name the specific organisations affected. "The fact that this happened a few hours before the full-scale invasion, it leads us to believe these organisations were targeted for a reason."
The tool is also capable of wiping data from affected devices, a capability similar to that of the malware Microsoft detected in attacks on Ukrainian agencies in January.
Researchers at Symantec, a division of Broadcom Software, said that they had identified HermeticWiper malware last Wednesday targeting organisations in the financial, defence, aviation, and IT services sectors. In some cases, they said, hackers had simultaneously deployed ransomware on computers to trick victims into believing they were being extorted by criminals, when in fact the only goal was to sabotage computers.
Mr Vikram Thakur, technical director at Symantec, said the company had identified three organisations that were hacked. One organisation in Ukraine had about 50 computers infected with the destructive malware, he said. Two companies in Latvia and Lithuania - each with strong links to Ukraine and its government - had dozens of their computers breached.
There were signs the attacks had been planned several months ago, Mr Thakur said.
Evidence suggested the Lithuanian organisation had been hacked in November 2021, he said, meaning the hackers may have been waiting patiently inside its systems to activate their malware in a coordinated attack.
"The service that these organisations provide is of high value to the Ukrainian government," Mr Thakur said. "Targeting them is probably intended to cause longer-term disruption."
The malware's code was digitally signed with a certificate issued last year to a company named Hermetica Digital, according to several cyber-security companies including ESET and Symantec. The firm shares a registered office in Nicosia, Cyprus, with an art and cakes business, according to company records.
Mr Polis Trachonitis, a 24-year-old video game designer who runs Hermetica Digital, told Reuters he had nothing to do with the attack. He said he never sought a digital certificate and had no idea one had been issued to his firm.
He said his role in the video game industry is just to write the text for games that others put together.
"I don't even write the code - I write stories," he said, adding that he was unaware of the connection between his firm and the Russian invasion until he was told by a Reuters reporter last Thursday morning.
"I'm just a Cypriot guy... I have no link to Russia."
Cyber spies routinely steal random strangers' identities to rent server space, or register malicious websites.
The Hermetica Digital certificate was issued in April 2021, but the compilation time stamp embedded in the malicious code itself was Dec 28, 2021.
ESET researchers said in a blog post that those dates suggested that "the attack may have been in the works for some time".
If, as is widely assumed by cyber-security experts and US defence officials, the attacks were carried out by Russians, then the time stamps are potentially significant data points for observers hoping to understand when the plan for the invasion of Ukraine came together.
Mr Thakur said he believed the company's code signing certificate may have been leaked or stolen as it had previously been used to sign other files, almost all of which were unrelated to the hacking campaign in Ukraine.
ESET's Mr Boutin said there were various ways in which a malicious actor could fraudulently obtain a code signing certificate.
"They can obviously obtain it themselves, but they can also buy it in the black market," Mr Boutin said.
"As such, it is possible that the operation dates back further than we previously knew, but it is also possible that the threat actor acquired this code signing certificate recently, just for this campaign."
Researchers at cyber-security firm SentinelOne wrote in a blog post that it was possible that the attackers had "used a shell company or appropriated a defunct company to issue this digital certificate".
Mr Ben Read, director of cyber espionage analysis at Mandiant, said it was possible that a group could "impersonate a company in communications with a digital cert providing company and get a legitimate cert fraudulently issued to them".
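The two dates the researchers above are reasoning from, the signer certificate's validity period and the binary's own compile time stamp, can be pulled from any Windows executable on the analyst's bench. The script below is an added example and is not code from the article or from ESET, Symantec, SentinelOne or Mandiant; the sample path it reads is assumed, and the function name is hypothetical. It uses the built-in Get-AuthenticodeSignature cmdlet for the signer certificate and reads the PE/COFF TimeDateStamp directly from the file header.

```powershell
# Added example, not from the article or the researchers it quotes.
# Triage check: put a binary's Authenticode signer certificate next to its
# PE compile time stamp, the two data points the article's timeline rests on.
# Run in PowerShell on Windows; the sample path below is an assumption.
function Get-SignerTimeline {
    param([Parameter(Mandatory)][string]$Path)

    # Authenticode signature and the leaf (signer) certificate.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # PE/COFF TimeDateStamp: the DOS header stores e_lfanew at 0x3C, which
    # points at "PE\0\0"; the 4-byte stamp (Unix seconds) follows the 4-byte
    # signature, Machine (2 bytes) and NumberOfSections (2 bytes).
    $bytes    = [IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) {
        throw "$Path has no PE header at offset $peOffset"
    }
    $stamp    = [BitConverter]::ToUInt32($bytes, $peOffset + 8)
    $compiled = [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime

    $notBefore = if ($cert) { $cert.NotBefore.ToUniversalTime() } else { $null }
    $notAfter  = if ($cert) { $cert.NotAfter.ToUniversalTime() }  else { $null }

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($cert) { $cert.Subject }    else { $null }
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        CertNotBefore   = $notBefore
        CertNotAfter    = $notAfter
        PeTimeStamp     = $compiled
        # A compile time earlier than the certificate's issue date means the
        # stamp was forged or the file was signed long after it was built.
        CompiledBeforeCertIssued = if ($cert) { $compiled -lt $notBefore } else { $null }
    }
}

# Usage with an assumed sample path:
Get-SignerTimeline -Path 'C:\samples\suspect.exe' | Format-List
```

Two caveats when reading the output. SignatureStatus of Valid only says the signature chains to a trusted root; a certificate issued in a real company's name to an impostor, as the experts above describe, validates like any other until the issuer revokes it, so the Subject field identifies who the certificate was issued to, not who wrote the code. And the PE time stamp is set by the build tool and can be zeroed or backdated, which is why the article treats the December date as a data point rather than proof; a stamp that predates the certificate, or an implausible one such as 1970, is a reason to distrust it, not a reason to discard the sample.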
Some cyber-security experts said the malware was basic and unsophisticated, which they warned could be a sign that worse is yet to come.
"As a nation-state sponsored group you don't always want to use your heaviest machinery at first," said Mr Amit Serper, director of security research at Akamai Technologies. "If all you want to do is corrupt some drives and make computers not work, there is no need to use the best weapons in your arsenal. Something quick and dirty that gets the job done will have the same effect."
"It is quite an ominous sign," said Mr Serper. "But they are already bombarding buildings with rockets. So some malware that corrupts computers is maybe not the most ominous thing that is going on here."
The Russian government has consistently denied involvement in malicious cyber activity.