Cybersecurity researchers at Microsoft Threat Intelligence Center (MSTIC) found that businesses in Ukraine and Poland were hit by two separate attacks: one deployed a disk wiper called HermeticWiper, while the other deployed a ransomware called Prestige.
“Despite using similar implementation techniques, [Prestige] campaign differs from recent destructive attacks that use […] Foxblade (HermeticWiper) that have hit multiple critical infrastructure organizations in Ukraine in the past two weeks,” the researchers explained.
“MSTIC has not yet linked this ransomware campaign to a known threat group and continues the investigation.”
Links to Russia
In some cases, the victim companies overlap, but Microsoft’s researchers are not yet convinced that all of this is the work of the same threat actor.
For now, Microsoft is tracking the group(s) as DEV-0960, the DEV-#### designation it applies to activity clusters whose identity has not yet been established.
However, there is tangible evidence that the attackers have connections to the Kremlin: HermeticWiper was first sighted in the wild a day before Russia’s invasion of Ukraine, and it was used against Ukrainian entities.
The researchers do not yet know how the attackers penetrated the target networks, or whether malware was involved at that stage. What they do know is that the attackers used two remote execution tools (RemoteExec and Impacket WMIexec) to monitor the compromised endpoints.
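As an added defensive example (not code from the article or from Microsoft’s report), the following Python flags process-creation telemetry that matches the default command-line shape of Impacket’s wmiexec.py, one of the two tools named above: a command wrapped in "cmd.exe /Q /c" whose output is redirected to a "__<epoch>" file on an administrative share via the loopback address, spawned under WmiPrvSE.exe. The event field names and the sample events are constructed for the example.

```python
import re
from dataclasses import dataclass

# Default command shape produced by Impacket's wmiexec.py: the operator's command
# runs through "cmd.exe /Q /c" and stdout/stderr are redirected to a temporary
# "__<epoch>" file on a share (ADMIN$ by default) reached over 127.0.0.1.
WMIEXEC_CMDLINE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.*?\s+1>\s*\\\\127\.0\.0\.1\\[A-Za-z$]+\\__\d+(\.\d+)?\s+2>&1",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are assumed, Sysmon-like)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def is_wmiexec_pattern(ev: ProcessEvent) -> bool:
    """True when the event looks like remote execution via Impacket wmiexec."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    # WMI-initiated processes are children of the WMI provider host.
    return parent == "wmiprvse.exe" and WMIEXEC_CMDLINE.search(ev.command_line) is not None


def find_wmiexec_events(events):
    """Return the subset of events matching the wmiexec execution pattern."""
    return [ev for ev in events if is_wmiexec_pattern(ev)]


# Constructed sample telemetry (not taken from the article or from any incident).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1665432100.12 2>&1"),
    ProcessEvent("ws01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /Q /c net user 1> \\127.0.0.1\C$\__1665432150.77 2>&1"),
    # Benign: same redirect idea, but launched interactively from explorer.exe.
    ProcessEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c dir 1> C:\Temp\out.txt 2>&1"),
    # WMI child without the wmiexec redirect shape: not flagged by this rule.
    ProcessEvent("ws03", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c ipconfig"),
]

if __name__ == "__main__":
    for ev in find_wmiexec_events(SAMPLE_EVENTS):
        print(f"{ev.host}: possible wmiexec activity: {ev.command_line}")
```

The rule keys on the default redirect pattern, so an operator who changes the output filename or share will not match it; pair it with a broader alert on WmiPrvSE.exe spawning shells.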
“The threat landscape in Ukraine continues to evolve and wipers and destructive attacks have been a consistent theme,” Microsoft said. “Ransomware and wiper attacks depend on many of the same security vulnerabilities to succeed.”
Endpoint security solutions and ransomware protection software can provide some damage mitigation against this new threat.
Via: The Register