therecord.media
2606:4700::6812:621
Public Scan
URL:
https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/
Submission: On February 23 via api from US — Scanned from DE
Form analysis
4 forms found in the DOM
GET https://therecord.media/
<form role="search" method="get" class="search-form" action="https://therecord.media/">
<input type="text" placeholder="Search" value="" name="s">
<input type="submit" value="go">
</form>
<form class="search-form">
<a href="#">
<i class="fas fa-search search-icon"></i>
<i class="fas fa-times close-icon"></i>
</a>
</form>
GET https://therecord.media/
<form role="search" method="get" class="search-form" action="https://therecord.media/">
<input type="text" placeholder="Search" value="" name="s">
<input type="submit" value="go">
</form>
POST
<form action="" method="post" class="newsletterForm">
<input type="email" name="email" placeholder="your e-mail address">
<input type="hidden" name="newSubscription" value="1">
<input type="submit" value="go">
</form>
Text Content
SECOND DATA WIPER ATTACK HITS UKRAINE COMPUTER NETWORKS

Catalin Cimpanu
February 23, 2022

Two cybersecurity firms with a strong business presence in Ukraine—ESET and Broadcom’s Symantec—have reported tonight that computer networks in the country have been hit with a new data-wiping attack.

The attack is taking place as Russian military troops have crossed the border and invaded Ukraine’s territory in what Russian President Putin has described as a “peacekeeping” mission.

Details about the attack are still being collected, and the attack is still going on. Its scale and the number of impacted systems are still unknown.

Today’s event marks the second time this year that a data wiper was deployed on Ukrainian computer systems, after a first attack took place in mid-January. The deployment of that first malware (named WhisperGate) was hidden under the guise of a fake ransomware outbreak and took place during a series of coordinated defacements of Ukrainian government websites.

Similarly, today’s data-wiping attacks were accompanied by a series of distributed denial of service (DDoS) attacks against government websites, in a similar attempt to distract government IT workers and divert the public’s attention.
MALWARE CORRUPTS DATA, REWRITES THE MBR

At the time of writing, Ukrainian government officials have not confirmed or released any details about the ongoing attack.

However, according to a technical analysis of the malware, which ESET said it was tracking as KillDisk.NCV, the wiper is sometimes deployed via Windows group policies, suggesting the attackers may have full control of some of their targets’ internal networks.

Once deployed, the wiper runs a version of the EaseUS Partition Master software, a disk partitioning utility, which it uses to corrupt local data and then reboot the computer.

According to Silas Cutler, a security researcher for Stairwell, KillDisk.NCV doesn’t just destroy local data; it also damages the master boot record (MBR) section of a hard drive, which prevents the computer from booting into the operating system after the forced reboot—behavior identical to the WhisperGate wiper attack from last month.

ESET said today’s attack was first seen at 16:52, Ukraine time. According to security researcher MalwareHunterTeam, the malware appears to have been compiled just five hours before it was deployed in the wild.

This is a developing story. Updates will follow throughout the day.

Tags: APT, data wiper, KillDisk.NCV, malware, MBR, nation-state, Russia, Ukraine, WhisperGate

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.