Cybersecurity researchers from Microsoft Threat Intelligence Center (MSTIC) have noted companies across Ukraine and Poland being hit by two separate attacks: in one, a disk wiper called HermeticWiper was deployed, while in the other, a ransomware called Prestige.
“Despite using similar deployment techniques, the [Prestige] campaign is distinct from recent destructive attacks leveraging […] Foxblade (HermeticWiper) that have impacted multiple critical infrastructure organizations in Ukraine over the last two weeks,” the researchers explained.
“MSTIC has not yet linked this ransomware (opens in new tab) campaign to a known threat group and is continuing investigations.”
Links to Russia
In some cases, the victim companies are overlapping, but Microsoft’s researchers are not yet convinced all of this is the work of the same threat actor.
For the time being, Microsoft is tracking the group(s) as DEV-0960, the usual label for threat actors yet to have their identities revealed.
There is tangential evidence of the attackers having connections to the Kremlin, though, as HermeticWiper was first observed in the wild a day before the invasion of Ukraine and – against Ukrainian entities.
The researchers don’t really know how the attackers managed to compromise the target networks, and whether or not any malware was included. What they do know is that they used two remote-execution tools (RemoteExec and Impacket WMIexec) to control the compromised endpoints.
“The threat landscape in Ukraine continues to evolve, and wipers and destructive attacks have been a consistent theme,” Microsoft further said. “Ransomware and wiper attacks rely on many of the same security weaknesses to succeed.”
Via: The Register (opens in new tab)