IsaacWiper and HermeticWizard (aka KillDisk)

Daniel Williams

Feb 28, 2022

Wiper Targets Multiple Ukrainian Organizations

· HermeticWiper: makes a system inoperable by corrupting its data

· HermeticWizard: spreads HermeticWiper across a local network via WMI and SMB

· HermeticRansom: ransomware written in Go


On February 23rd, 2022, HermeticWiper targeted multiple Ukrainian organizations. This cyberattack preceded the invasion of Ukraine by Russian Federation forces by a few hours. In one confirmed case, the wiper was dropped via Group Policy Object (GPO), and the worm used to spread the wiper was uncovered in another compromised network. Malware artifacts suggest that the attacks had been planned for several months. On February 24th, 2022, a second attack against a Ukrainian governmental network started, using a wiper that has been named IsaacWiper. ESET Research has not yet been able to attribute these attacks to a known threat actor.

"At this point, we have no indication that other countries were targeted," the ESET researchers said. "However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities."

CISA and the FBI warned US orgs that the data wiping attacks against Ukraine could accidentally spill over to other countries' networks.