Cyber warfare: a retrospective analysis of one of the most dangerous viruses of the moment, the HermeticWiper
In recent years, we have seen the implementation of several initiatives launched by France as part of its national cybersecurity strategy with two overarching objectives:
- Addressing the threats inherent in the digital transition of society and the economy (e.g. the France Relance programme)
- Developing French cybersecurity champions (e.g. the Cyber Campus)
Indeed, cybersecurity is no longer an additional layer that we add at the end of a project or that we analyse from time to time, it has become an inherent part of any contact with the digital world. Regardless of age, profession or the way we interact with technology, the subject concerns us all.
Raising awareness among businesses and individuals about the impact of attacks and good security practices is still a big challenge today, and unfortunately this awareness is too often acquired after having suffered the consequences of a real attack.
In the context of the recent events between Ukraine and Russia, our teams were interested in the cyber warfare suffered by Ukraine in recent days. Indeed, due to the phenomenal expansion of digital technology in recent years, Ukraine is, like many countries, highly dependent on its computerised structures.
Shortly before the Russian invasion of Ukraine, the country experienced a wave of cyber attacks aimed at paralysing it. Among the attacks revealed, one piece of malware stood out: "HermeticWiper", which is particularly destructive. Rather than exploiting a software bug, it abuses legitimately signed components (its own code-signing certificate and a third-party disk driver) to get past the host's protection mechanisms.
As a cybersecurity and IS performance consultancy, our teams look at how it works, the risks it entails and the best practices for protecting against this type of attack.
First of all, it is important to remember that, however dangerous this malware is, it cannot infect a system on its own: HermeticWiper does not spread by itself and has to be placed and launched, with administrative rights, on a machine the attacker already controls. In the cases documented so far it was pushed to workstations through Active Directory group policy, which means the attackers had compromised the domain beforehand. As a reminder, the flaw that gives them that initial foothold can be human (phishing, or more generally social engineering) as well as technical (web server misconfiguration, use of obsolete components, weak or reused credentials, etc.).
Let's start by understanding the etymology of this malware. HermeticWiper is composed of two words:
- "Hermetic" comes from the company Hermetica Digital Ltd, the name on the code-signing certificate used to sign the malware. The certificate was issued in that company's name by DigiCert (the company has said it never requested it) and has since been revoked. It is worth being precise about what such a signature means. A code signature proves only that whoever held the private key signed that exact file, and that the file has not been modified since; it is not a guarantee, by the company or by the certificate authority, that the program is safe or does what it claims. What a valid signature buys an attacker is reduced scrutiny: signing-based policies let the file run, reputation checks and some antivirus heuristics treat signed binaries less aggressively, and analysts are less likely to look twice. Revocation helps only after the fact, and only for tools that actually check revocation status before trusting a signature.
- "Wiper" indicates the family of malware HermeticWiper belongs to. The purpose of this family is not to steal or encrypt data but to destroy it, by erasing or corrupting the contents of the disks of infected machines beyond recovery.
HermeticWiper is sometimes described as a dormant or slow-acting virus. That is misleading: once launched, the wiper does its work quickly and ends with a reboot. What was slow was the intrusion that preceded it; one of the samples carries a compilation timestamp of 28 December 2021, almost two months before the deployment of 23 February 2022, which shows the attackers staged it on compromised networks well in advance. What makes this wiper notable is how it gets past Windows protections: rather than shipping its own kernel code, it carries a legitimate, signed disk-management driver from the EaseUS Partition Master product, drops it into the drivers directory and loads it as a service. Windows accepts the driver because its signature is valid, and the wiper then issues raw disk writes through it, reaching the boot sector, partition tables and NTFS metadata that ordinary file APIs do not expose.
To destroy the contents of the disk, HermeticWiper does not simply delete files. It first enumerates them and fragments them, scattering each file's clusters across the disk through the file system's own defragmentation controls. Fragmentation on its own is not irreversible: the data is still on the disk, and a forensic analyst can carve files back out of the raw clusters, although reassembling a heavily fragmented file is slow work with no guarantee of success.
Because fragmentation alone could be undone, the developers added the classic second step: overwriting the fragmented data, and the file-system structures that describe it, with random bytes, after which there is nothing left to recover. Before doing so, the wiper also disables crash dumps and stops the Volume Shadow Copy service, so that no snapshot survives to restore from.
The following tweet illustrates HermeticWiper's logical process in a simplified way:
Here is a summary of the HermeticWiper execution logic:
- It is dropped and launched, with administrative rights, on a machine the attacker already controls; in documented cases it was pushed to workstations through Active Directory group policy. It does not download anything: the driver it needs travels inside the executable as a compressed resource.
- Its valid code signature lets it start without tripping signature-based controls on the Windows system.
- It enables the token privileges it needs (loading drivers, bypassing file access controls), drops the embedded EaseUS disk-management driver into the drivers directory and loads it as a kernel service; from then on it can write to the raw disk.
- It removes the recovery paths: crash dumps are disabled in the registry and the Volume Shadow Copy service is stopped.
- It enumerates the files on the system, fragments them and overwrites their contents with random data.
- It overwrites the master boot record and partition tables of every physical drive, along with the NTFS metadata (notably the master file table) that records where files live.
- Finally, it reboots the machine, which can no longer start; its job is done.
It is important to stress that, contrary to what is sometimes said, this process is not slow: once the executable runs, the destruction and the final reboot follow within a short time, and by the time a user notices corrupted files the machine is usually already lost. What takes time is everything before that: the initial compromise, the lateral movement and the staging of the wiper across the domain. That is where the realistic window for detection lies, and it is why unexpected driver loads, stopped backup services and unknown binaries signed by unfamiliar companies deserve an immediate response rather than a ticket. Isolating affected hosts and cutting the distribution path (for instance, the compromised group policy) can still save the machines the wiper has not yet reached.
Many research teams have worked to dissect this malware. The standard approach is to take the sample apart: identify its code and its behaviour, and extract the indicators that characterise it (file hashes, the signer name, the driver it drops, the registry and service changes it makes). Just as understanding a molecule's structure in chemistry lets one isolate the reactive part, understanding the binary lets one isolate the dangerous behaviour. Once identified, these indicators feed the detection bases of antivirus and EDR products, in much the same way a vaccine teaches an immune system to recognise a pathogen it has not yet met.
Finally, the French research team 'Cyber-detect' succeeded in isolating the structure of HermeticWiper and published their work on 28 February:
However, several samples of the wiper and companion tools have been found, and no patch can protect against HermeticWiper, because it exploits no software vulnerability: it relies on access the attackers have already obtained. The best defence is, as always, to educate your employees about IT hygiene, to monitor unusual behaviour on the information system (unexpected kernel drivers, stopped backup services, binaries signed by unknown companies, corrupted files), to keep up to date with cyber news, and of course to keep regular backups of critical data, with at least one copy offline and out of reach of a domain administrator's credentials!
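As an added example, not part of the original article and not a published detection rule, the following Python script shows what "monitoring unusual behaviour" can look like in practice for the execution chain summarised above. It runs over a handful of constructed, simplified events (the field names are borrowed loosely from Sysmon and the Windows System log, not an exact schema) and raises a verdict only when several stages of the wiper's behaviour occur on the same host within a short window: an executable signed by Hermetica Digital Ltd, a kernel driver load outside the allowlist, the crash-dump registry value set to 0, and the Volume Shadow Copy service stopping. The host names, timestamps, file paths and the driver-signer allowlist are assumptions made for the example.

```python
"""Behaviour-based detection for the wiper chain described in the article.

Added example: the events below are constructed and simplified (field names
borrowed loosely from Sysmon and the Windows System log); nothing here is
HermeticWiper code or a published detection rule.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Name on the code-signing certificate used for the HermeticWiper binaries.
SUSPICIOUS_SIGNERS = {"hermetica digital ltd"}

# Assumed allowlist of kernel-driver signers; a real one is built from a
# golden image of the workstation fleet.
ALLOWED_DRIVER_SIGNERS = {"microsoft windows"}

# Registry value the wiper sets to 0 so that no crash dump is written.
CRASH_DUMP_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled"

# Service the wiper stops so that no shadow copy survives (VSS).
BACKUP_SERVICES = {"vss"}

# Hits further apart than this are not correlated into one chain.
CORRELATION_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str            # "process", "driver_load", "registry_set", "service_state"
    fields: dict


def match(ev: Event) -> Optional[str]:
    """Return the name of the rule a single event trips, or None."""
    f = ev.fields
    if ev.kind == "process" and f.get("signer", "").lower() in SUSPICIOUS_SIGNERS:
        return "suspicious_signer"
    if ev.kind == "driver_load" and f.get("signer", "").lower() not in ALLOWED_DRIVER_SIGNERS:
        return "unexpected_driver"
    if ev.kind == "registry_set" and f.get("target") == CRASH_DUMP_VALUE and f.get("value") == 0:
        return "crash_dump_disabled"
    if (ev.kind == "service_state"
            and f.get("service", "").lower() in BACKUP_SERVICES
            and f.get("state") == "stopped"):
        return "shadow_copy_stopped"
    return None


def correlate(events: Iterable[Event], min_stages: int = 2) -> Dict[str, List[str]]:
    """Per host, find the largest set of distinct rules tripped inside one
    CORRELATION_WINDOW. A single hit (one odd driver, one stopped service) is
    noise on a busy fleet; several stages of the chain on one host are not."""
    hits: Dict[str, List[tuple]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        rule = match(ev)
        if rule is not None:
            hits[ev.host].append((ev.ts, rule))

    verdicts: Dict[str, List[str]] = {}
    for host, items in hits.items():
        best: set = set()
        for i, (t0, _) in enumerate(items):
            window = {r for t, r in items[i:] if t - t0 <= CORRELATION_WINDOW}
            if len(window) > len(best):
                best = window
        if len(best) >= min_stages:
            verdicts[host] = sorted(best)
    return verdicts


# Constructed sample telemetry (timestamps, hosts and paths are assumptions).
T0 = datetime(2022, 2, 23, 16, 52)
SAMPLE_EVENTS = [
    # ws-01: the full chain, a few seconds apart.
    Event(T0, "ws-01", "process",
          {"image": r"C:\Windows\Temp\cc.exe", "signer": "Hermetica Digital Ltd"}),
    Event(T0 + timedelta(seconds=3), "ws-01", "driver_load",
          {"image": r"C:\Windows\System32\drivers\example.sys",
           "signer": "CHENGDU YIWO Tech Development Co., Ltd."}),  # EaseUS driver vendor
    Event(T0 + timedelta(seconds=4), "ws-01", "registry_set",
          {"target": CRASH_DUMP_VALUE, "value": 0}),
    Event(T0 + timedelta(seconds=6), "ws-01", "service_state",
          {"service": "VSS", "state": "stopped"}),
    # ws-02: a benign day, a Microsoft driver and an unrelated registry change.
    Event(T0, "ws-02", "driver_load",
          {"image": r"C:\Windows\System32\drivers\tcpip.sys", "signer": "Microsoft Windows"}),
    Event(T0 + timedelta(minutes=1), "ws-02", "registry_set",
          {"target": r"HKCU\Software\Example\Setting", "value": 1}),
    # ws-03: one isolated VSS stop (e.g. a backup job), not enough on its own.
    Event(T0 + timedelta(hours=2), "ws-03", "service_state",
          {"service": "vss", "state": "stopped"}),
]


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: probable wiper chain, stages seen: {', '.join(stages)}")
```

Run as-is, the script reports only ws-01. The design choice is the correlation: each individual rule fires on legitimate activity (a new disk tool loads an unfamiliar driver, a backup agent stops VSS), but two or more of these stages on one host within minutes is what the chain above looks like, and since the reboot follows shortly afterwards, that verdict should page someone rather than write a log line. On a real fleet the driver-signer allowlist and the service list need tuning from your own baseline.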
Authors: Florian Hoff and Raquel Garcia Frutos