-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2022.0059
              IoC Resource on cyber attack on Ukraine 2022-02
                             25 February 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:    Ukraine
Resolution: None

OVERVIEW

        Compilation of links to reports, analyses, samples and YARA rules
        containing IoCs for the tools and techniques reportedly used in
        cyber attacks against Ukraine.


IMPACT

        Cyber activity around the events in Ukraine is generating IoCs that
        may be of interest in protecting networks. The following is a
        non-exhaustive list of links that may be of interest.
        
         o Reports
           - Destructive malware targeting Ukrainian organizations [1]
           - FLASH NOTICE: [NEW MALWARE] - CISA WARNS OF RENEWED 
             RUSSIAN THREAT AS NEW ACTIVITY IS SEEN IN UKRAINE [2]
           - Ukraine: Disk-wiping Attacks Precede Russian Invasion [3]
           - HermeticWiper | New Destructive Malware Used In Cyber 
             Attacks on Ukraine [4]
           - Russia-Ukraine Crisis: How to Protect Against the Cyber
             Impact [5]
        
         o Analysis
           - Ukraine: Analysis Of The New Disk-Wiping Malware
             (HermeticWiper) [6]
           - Threat Advisory: HermeticWiper [7]
        
         o Samples
           - VirusTotal sample of HermeticWiper [8]
           - Tom Hegel on HermeticWiper samples [9]
           - Thomas Roccia on HermeticWiper samples [10]
           - MalwareBazaar samples tagged Hermetica Digital Ltd [11]
        
         o Shuckworm
           - Shuckworm Continues Cyber-Espionage Attacks Against 
             Ukraine [12]
           - Symantec finds evidence of continued Russian hacking 
             campaigns in Ukraine [13]
           - Technical report Armagedon (Google Cached) [14]
        
         o Yara Rules
           - StrangeRealThreats Orion WIP_Unk_Ukr_Feb_2022_1 Yara 
             Rule [15]
           - Reversinglabs HermeticWiper Yara Rule [16]


MITIGATION

        Follow the mitigation guidance given in the following sources.
          - Russia-Ukraine Crisis: How to Protect Against the Cyber
            Impact [5]
          - 2022-02: Australian organisations should urgently adopt an
            enhanced cyber security posture [21]
        
        Deploy the following YARA rules:
          - StrangeRealThreats Orion WIP_Unk_Ukr_Feb_2022_1 Yara 
            Rule [15]
          - Reversinglabs HermeticWiper Yara Rule [16]
        
        For AusCERT members, the following MISP events contain the IoCs of
        interest.
        
         AusMISP
          Event 14001 [17]
          Event 14004 [18]
        
         CAUDIT MISP
          Event 15863 [19]
          Event 15866 [20]


REFERENCES

        [1] Destructive malware targeting Ukrainian organizations
            https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

        [2] FLASH NOTICE: [NEW MALWARE] - CISA WARNS OF RENEWED RUSSIAN THREAT
            AS NEW ACTIVITY IS SEEN IN UKRAINE
            https://www.avertium.com/blog/cisa-warns-of-renewed-russian-threat-new-activity-seen-in-ukraine

        [3] Ukraine: Disk-wiping Attacks Precede Russian Invasion
            https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia

        [4] HermeticWiper | New Destructive Malware Used In Cyber Attacks on
            Ukraine
            https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/

        [5] Russia-Ukraine Crisis: How to Protect Against the Cyber Impact
            https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/

        [6] Ukraine: Analysis Of The New Disk-Wiping Malware (HermeticWiper)
            https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/

        [7] Threat Advisory: HermeticWiper
            https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html

        [8] VirusTotal sample of HermeticWiper
            https://www.virustotal.com/gui/file/3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767/details

        [9] Tom Hegel on HermeticWiper samples
            https://twitter.com/TomHegel/status/1496923224516538376

        [10] Thomas Roccia on HermeticWiper samples
             https://twitter.com/fr0gger_/status/1496968238013759492?cxt=HHwWiIDSrcyrpsYpAAAA

        [11] MalwareBazaar samples tagged Hermetica Digital Ltd
             https://bazaar.abuse.ch/browse/tag/Hermetica%20Digital%20Ltd/

        [12] Shuckworm Continues Cyber-Espionage Attacks Against Ukraine
             https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine

        [13] Symantec finds evidence of continued Russian hacking campaigns in
             Ukraine
             https://www.techrepublic.com/article/kaspersky-finds-evidence-of-continued-russian-hacking-campaigns-in-ukraine/

        [14] Technical report Armagedon (Google Cached)
             https://webcache.googleusercontent.com/search?q=cache:PYzLAtDeouIJ:https://ssu.gov.ua/uploads/files/DKIB/Technical%2520report%2520Armagedon.pdf+&cd=1&hl=en&ct=clnk&gl=au

        [15] StrangeRealThreats Orion WIP_Unk_Ukr_Feb_2022_1 Yara Rule
             https://github.com/StrangerealIntel/Orion/blob/main/Wipers/WIP_Unk_Ukr_Feb_2022_1.yara

        [16] Reversinglabs HermeticWiper Yara Rule
             https://github.com/reversinglabs/reversinglabs-yara-rules/blob/develop/yara/trojan/Win32.Trojan.HermeticWiper.yara

        [17] AusMISP Event 14001
             https://misp.auscert.org.au/events/view/14001

        [18] AusMISP Event 14004
             https://misp.auscert.org.au/events/view/14004

        [19] CAUDIT MISP Event 15863
             https://misp-c.auscert.org.au/events/view/15863

        [20] CAUDIT MISP Event 15866
             https://misp-c.auscert.org.au/events/view/15866 

        [21] 2022-02: Australian organisations should urgently adopt an
             enhanced cyber security posture
             https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-02-australian-organisations-should-urgently-adopt-enhanced-cyber-security-posture

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----