Published:
25 February 2022
===========================================================================
                         AUSCERT Security Bulletin

                                ASB-2022.0059
              IoC Resource on cyber attack on Ukraine 2022-02
                               25 February 2022
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:            Ukraine
Resolution:         None

OVERVIEW

        Compilation of links to IoCs for the tools and techniques reportedly
        used in cyber attacks against Ukraine.

IMPACT

        Cyber activity around the events in Ukraine may be generating IoCs
        that are of interest in protecting networks. The following is a
        non-exhaustive list of links that may be of interest.

        o Reports
          - Destructive malware targeting Ukrainian organizations [1]
          - FLASH NOTICE: [NEW MALWARE] - CISA WARNS OF RENEWED RUSSIAN
            THREAT AS NEW ACTIVITY IS SEEN IN UKRAINE [2]
          - Ukraine: Disk-wiping Attacks Precede Russian Invasion [3]
          - HermeticWiper | New Destructive Malware Used In Cyber Attacks
            on Ukraine [4]
          - Russia-Ukraine Crisis: How to Protect Against the Cyber
            Impact [5]

        o Analysis
          - Ukraine: Analysis Of The New Disk-Wiping Malware
            (HermeticWiper) [6]
          - Threat Advisory: HermeticWiper [7]

        o Samples
          - VirusTotal sample of HermeticWiper [8]
          - Tom Hegel on HermeticWiper samples [9]
          - Thomas Roccia on HermeticWiper samples [10]
          - MalwareBazaar samples tagged "Hermetica Digital Ltd" [11]

        o Shuckworm
          - Shuckworm Continues Cyber-Espionage Attacks Against Ukraine [12]
          - Symantec finds evidence of continued Russian hacking campaigns
            in Ukraine [13]
          - Technical report Armagedon (Google Cached) [14]

        o Yara Rules
          - StrangerealIntel Orion WIP_Unk_Ukr_Feb_2022_1 Yara Rule [15]
          - ReversingLabs HermeticWiper Yara Rule [16]

MITIGATION

        It is advised to follow the advisory steps from the following
        source(s):

          - Russia-Ukraine Crisis: How to Protect Against the Cyber
            Impact [5]
          - 2022-02: Australian organisations should urgently adopt an
            enhanced cyber security posture [21]

        Deploy Yara rules:

          - StrangerealIntel Orion WIP_Unk_Ukr_Feb_2022_1 Yara Rule [15]
          - ReversingLabs HermeticWiper Yara Rule [16]

        For AusCERT Members, the following MISP events contain IoCs of
        interest.

        AusMISP
          - Event 14001 [17]
          - Event 14004 [18]

        CAUDIT MISP
          - Event 15863 [19]
          - Event 15866 [20]

REFERENCES

        [1] Destructive malware targeting Ukrainian organizations
            https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

        [2] FLASH NOTICE: [NEW MALWARE] - CISA WARNS OF RENEWED RUSSIAN
            THREAT AS NEW ACTIVITY IS SEEN IN UKRAINE
            https://www.avertium.com/blog/cisa-warns-of-renewed-russian-threat-new-activity-seen-in-ukraine

        [3] Ukraine: Disk-wiping Attacks Precede Russian Invasion
            https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia

        [4] HermeticWiper | New Destructive Malware Used In Cyber Attacks
            on Ukraine
            https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/

        [5] Russia-Ukraine Crisis: How to Protect Against the Cyber Impact
            https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/

        [6] Ukraine: Analysis Of The New Disk-Wiping Malware (HermeticWiper)
            https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/

        [7] Threat Advisory: HermeticWiper
            https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html

        [8] VirusTotal sample of HermeticWiper
            https://www.virustotal.com/gui/file/3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767/details

        [9] Tom Hegel on HermeticWiper samples
            https://twitter.com/TomHegel/status/1496923224516538376

        [10] Thomas Roccia on HermeticWiper samples
             https://twitter.com/fr0gger_/status/1496968238013759492?cxt=HHwWiIDSrcyrpsYpAAAA

        [11] MalwareBazaar samples tagged "Hermetica Digital Ltd"
             https://bazaar.abuse.ch/browse/tag/Hermetica%20Digital%20Ltd/

        [12] Shuckworm Continues Cyber-Espionage Attacks Against Ukraine
             https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine

        [13] Symantec finds evidence of continued Russian hacking campaigns
             in Ukraine
             https://www.techrepublic.com/article/kaspersky-finds-evidence-of-continued-russian-hacking-campaigns-in-ukraine/

        [14] Technical report Armagedon (Google Cached)
             https://webcache.googleusercontent.com/search?q=cache:PYzLAtDeouIJ:https://ssu.gov.ua/uploads/files/DKIB/Technical%2520report%2520Armagedon.pdf+&cd=1&hl=en&ct=clnk&gl=au

        [15] StrangerealIntel Orion WIP_Unk_Ukr_Feb_2022_1 Yara Rule
             https://github.com/StrangerealIntel/Orion/blob/main/Wipers/WIP_Unk_Ukr_Feb_2022_1.yara

        [16] ReversingLabs HermeticWiper Yara Rule
             https://github.com/reversinglabs/reversinglabs-yara-rules/blob/develop/yara/trojan/Win32.Trojan.HermeticWiper.yara

        [17] AusMISP Event 14001
             https://misp.auscert.org.au/events/view/14001

        [18] AusMISP Event 14004
             https://misp.auscert.org.au/events/view/14004

        [19] CAUDIT MISP Event 15863
             https://misp-c.auscert.org.au/events/view/15863

        [20] CAUDIT MISP Event 15866
             https://misp-c.auscert.org.au/events/view/15866

        [21] 2022-02: Australian organisations should urgently adopt an
             enhanced cyber security posture
             https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-02-australian-organisations-should-urgently-adopt-enhanced-cyber-security-posture

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================