Tech News

Tech Business News

  • Home
  • Technology
  • Business
  • News
    • Technology News
    • Local Tech News
    • World Tech News
    • General News
    • News Stories
  • Media Releases
    • Tech Media Releases
    • General Media Releases
  • Advertisers
    • Advertiser Content
    • Promoted Content
    • Sponsored Whitepapers
    • Advertising Options
  • Cyber
  • Reports
  • People
  • Science
  • Articles
    • Opinion
    • Digital Marketing
    • Gaming
    • Guest Publishers
  • About
    • Tech Business News
    • News Contributions -Submit
    • Journalist Application
    • Contact Us
Reading: Ukraine hit by destructive attacks before and during the Russian invasion
Share
Font ResizerAa
Tech Business NewsTech Business News
  • Home
  • Technology News
  • Business News
  • News Stories
  • General News
  • World News
  • Media Releases
Search
  • News
    • Technology News
    • Business News
    • Local News
    • News Stories
    • General News
    • World News
    • Global News
  • Media Releases
    • Tech Media Releases
    • General Press
  • Categories
    • Crypto News
    • Cyber
    • Digital Marketing
    • Education
    • Gadgets
    • Technology
    • Guest Publishers
    • IT Security
    • People In Technology
    • Reports
    • Science
    • Software
    • Stock Market
  • Promoted Content
    • Advertisers
    • Promoted
    • Sponsored Whitepapers
  • Contact & About
    • Contact Information
    • About Tech Business News
    • News Contributions & Submissions
Follow US
© 2022 Tech Business News- Australian Technology News. All Rights Reserved.
Tech Business News > Cyber > Ukraine hit by destructive attacks before and during the Russian invasion
Cyber

Ukraine hit by destructive attacks before and during the Russian invasion

Editorial Desk
Last updated: March 2, 2022 6:43 pm
Editorial Desk
Share
SHARE

A second wiping attack via IsaacWiper started shortly after the Russian military invasion and hit a Ukrainian governmental network

  • On February 23, a destructive campaign using HermeticWiper (along with HermeticWizard and HermeticRansom) targeted multiple Ukrainian organisations. This cyberattack preceded the start of the Russian invasion of Ukraine by a few hours.

  • HermeticWiper wipes itself from disk by overwriting its own file with random bytes. This anti-forensic measure is likely intended to prevent the analysis of the wiper in a post-incident analysis.

  • HermeticWiper is propagated inside compromised local networks by a custom worm we named HermeticWizard.

  • On February 24, a second destructive attack against a Ukrainian governmental network started, using a wiper ESET has named IsaacWiper.
  • On February 25, attackers dropped a new version of IsaacWiper with debug logs, which may indicate they were unable to wipe some of the targeted machines.

  • Malware artifacts suggest that the attacks had been planned for several months.

  • ESET Research has not yet been able to attribute these attacks to a known threat actor.

As the Russian invasion was starting in Ukraine, ESET researchers discovered two new wiper malware families targeting Ukrainian organisations.

The first cyberattack started a few hours prior to the Russian military invasion as ESET Research reported on its Twitter account, and after the distributed denial-of-service (DDoS) attacks against major Ukrainian websites earlier that day.

These destructive attacks leveraged at least three components: HermeticWiper for wiping the data, HermeticWizard for spreading on the local network, and HermeticRansom acting as a decoy ransomware. Malware artifacts suggest that the attacks had been planned for several months.

As the Russian invasion started, a second destructive attack against a Ukrainian governmental network started, using a wiper that ESET Research has named IsaacWiper.

“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in a Ukrainian governmental organisation that was not affected by HermeticWiper,” says ESET Head of Threat Research Jean-Ian Boutin.

ESET researchers assess with high confidence that the affected organizations were compromised well in advance of the wiper’s deployment.

“This is based on several facts: the HermeticWiper PE compilation timestamps, the oldest being December 28, 2021; the code-signing certificate issue date of April 13, 2021; and the deployment of HermeticWiper through the default domain policy in at least one instance, suggesting the attackers had prior access to one of that victim’s Active Directory servers,” says Boutin.

IsaacWiper appeared in ESET  telemetry on February 24. The oldest PE compilation timestamp found was October 19, 2021, meaning that if its PE compilation timestamp was not tampered with, IsaacWiper might have been used in previous operations months earlier.

In the case of HermeticWiper, ESET has observed artifacts of lateral movement inside the targeted organisations and that the attackers likely took control of an Active Directory server.

A custom worm that ESET researchers named HermeticWizard was used to spread the wiper across the compromised networks. For the second wiper – IsaacWiper – the attackers used RemCom, a remote access tool, and possibly Impacket for movement inside the network.

Furthermore, HermeticWiper wipes itself from disk by overwriting its own file with random bytes. This anti-forensic measure is likely intended to prevent the analysis of the wiper in a post-incident analysis. The decoy ransomware HermeticRansom was deployed at the same time as HermeticWiper, potentially in order to hide the wiper’s actions.

Just a day after the deployment of IsaacWiper, attackers dropped a new version with debug logs. This may indicate that the attackers were unable to wipe some of the targeted machines and added log messages to understand what was happening.

ESET Research has not yet been able to attribute these attacks to a known threat actor due to the lack of any significant code similarity with other samples in the ESET malware collection.

The term “Hermetic” is derived from Hermetica Digital Ltd, a Cypriot company to which the code-signing certificate was issued.

According to a report by Reuters, it seems that this certificate was not stolen from Hermetica Digital. Instead, it is likely that the attackers impersonated the Cypriot company in order to get this certificate from DigiCert.

ESET Research requested the issuing company DigiCert to revoke the certificate immediately.

Timeline of important events

Media release approved by ESET Research

ByEditorial Desk
The TBN team is a well establish group of technology industry professionals with backgrounds in IT Systems, Business Communications and Journalism.
Previous Article Coinfund Apex CoinFund partners with Apex and Nori to move towards a more environmentally conscious web3
Next Article ASX200 Email fraud More than three quarters of ASX 200 companies are failing to properly block fraudulent emails
Leave a Comment

Leave a Reply Cancel reply

You must be logged in to post a comment.

Cyber Attack Data Russia

Tech Articles

Why your nbn evening speeds slow down

Why Your NBN Slows Down at Night — And How To Find the Real Cause

NBN slow at night? ACCC data shows why evening speeds…

July 2, 2026
The Growing Crisis of Space junk and Debris

Space Junk Is Becoming One of the Biggest Threats to Modern Spaceflight

More than 33,000 tracked objects now orbit Earth at speeds…

May 8, 2026
Your Phone Is Spying on You and tracking location

Your Phone Is Spying on You — Here’s How to Stop It

Your phone is spying, tracking your location, searches, app activity,…

July 11, 2026

Recent News

APIs become top target for cybercriminals with over 40,000 incidents in early 2025
Cyber

Cybercriminals Launch Over 40,000 API Attacks in Six Months

5 Min Read
Claroty Introduces Claire, Industry’s First CPS-Native AI Security Agent
Cyber

AI Is Increasing Critical Infrastructure Risks Faster Than Security Teams Can Respond

6 Min Read
UNICEF Australia provides comments on child safety online -  John Livingstone,
Cyber

UNICEF Australia Responds To New eSafety Report On Child Sexual Abuse Online

4 Min Read
Tech News - Australian telcos cyber risk program Clare O’Neil
Cyber

Australian Telco’s Required To Sign Off On New Cyber Risk Management Program

2 Min Read
Tech News - Technology Business

Tech Business News

In 2026, technology news is shaping business outcomes faster than ever—driven by AI adoption, rising cyber risk, cloud modernisation, data regulation, and constant platform change.
 
Tech News keeps Australian organisations and industry professionals informed with timely reporting and practical coverage across AI, cybersecurity, cloud, enterprise IT, startups, science, people and business, plus major world and local news impacting the tech sector.
 
Tech Business News publishes news and analysis designed to be clear, relevant, and easy to act on. It supports the industry with technology news reports, whitepaper publishing services, and a range of media, advertising and publishing options 

About

About Us 
Contact Us 
Privacy Policy
Copyright Policy
Terms & Conditions

July, 18, 2026

Contact

Tech Business News
Melbourne, Australia
Werribee 3030
Phone: +61 431401041

Hours : Monday to Friday, 9am 530-pm.

Tech News

© Copyright Tech Business News 

Latest Australian Tech News – 2026

Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?