The Russian offensive against Ukraine tonight is not just happening on the ground or in the air. Cyberattacks intensified at the same time, including the installation of a data eraser on hundreds of Ukrainian computer systems.
Long before Russia officially declared war on Ukraine during the night of Wednesday to Thursday, February 24, 2022, the country had already been the target of high-profile computer attacks last month. A few days later, we also learned that they were even more serious than expected. Last Wednesday, another wave of cyberattacks was revealed, against the websites of the Ukrainian Ministry of Defense and the military, as well as the country’s very large banks.
Logically, and unfortunately, the situation has not improved, quite the contrary. This Wednesday, the websites of the Ukrainian government, the Ministry of Foreign Affairs and Homeland Security were targeted by attacks including distributed denial of service (DDoS). Tension is high: according to ESET, hundreds of computer systems have been infected with Windows data erasers (wipers).
MBR corruption too
These wipers are apparently cryptographically signed with a legitimate, presumably stolen, developer’s certificate to fool antivirus tools and users. According to the vendor, the malware uses the drivers of a partitioning program to corrupt storage devices and destroy files on infected systems, and the most likely initial vector of compromise is Active Directory. Located in the Windows directories (Win32/KillDisk.NCV), these wipers reportedly erase not only the files on the drive but also the boot area of the hard disks (the MBR, or master boot record), making booting and data recovery difficult or even impossible.
ESET is not the only vendor to have identified an upsurge in cyberattacks against Ukraine. Symantec has as well, and told Reuters that infections have also been recorded in Latvia and Lithuania.