Cybersecurity researchers from the Microsoft Threat Intelligence Center noted that companies in Ukraine and Poland were hit by two separate attacks: one using the HermeticWiper disk wiper and the other using Prestige ransomware.
“Despite using similar deployment methods, the campaign differs from the recent devastating attacks that have hit numerous critical infrastructure organizations in Ukraine over the past two weeks,” the researchers explained.
In some cases, the target companies overlap, but Microsoft researchers are not yet convinced that the same threat actor is behind it all.
For now, Microsoft is tracking the activity as DEV-0960, the designation it assigns to threat clusters whose operators have not yet been identified.
There is circumstantial evidence that the attackers are linked to the Kremlin: HermeticWiper was first spotted the day before the invasion of Ukraine and was used against Ukrainian organizations.
The researchers do not know how the attackers managed to compromise the target networks, or whether malware played a part in that initial compromise. But they do know that two remote execution tools (RemoteExec and Impacket WMIexec) were used to control the compromised endpoints.
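Because Impacket's wmiexec leaves recognisable traces in process-creation telemetry, defenders can hunt for it directly. The following Python is an added illustration, not code from the article or from Microsoft: it triages constructed Windows process-creation events (the event fields and sample values are assumptions) for the command-line shape wmiexec produces.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Impacket's wmiexec.py runs commands via the WMI Win32_Process class, so the
# child process is spawned by the WMI provider host (WmiPrvSE.exe), wrapped as
# "cmd.exe /Q /c <cmd>", with output redirected to a timestamp-named file on
# the ADMIN$ share of the loopback address. These traits show up in Sysmon
# Event ID 1 or Windows 4688 events when command-line auditing is enabled.
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1", re.IGNORECASE
)
WMIEXEC_SHELL = re.compile(r"^\s*cmd(?:\.exe)?\s+/Q\s+/c\s", re.IGNORECASE)
WMI_HOST = "wmiprvse.exe"


@dataclass
class ProcessEvent:          # assumed minimal shape of a process-creation event
    host: str
    parent_image: str
    image: str
    command_line: str


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return 'high', 'medium', 'low' or None for how wmiexec-like the event is."""
    parent = ev.parent_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    from_wmi = parent == WMI_HOST
    has_redirect = bool(WMIEXEC_REDIRECT.search(ev.command_line))
    has_shell = bool(WMIEXEC_SHELL.search(ev.command_line))
    if has_redirect and from_wmi:
        return "high"            # both traits present: strong wmiexec signal
    if has_redirect:
        return "medium"          # redirect alone, e.g. parent not recorded
    if from_wmi and has_shell:
        return "low"             # wmiexec run with output suppressed (-nooutput)
    return None


def flag_events(events: List[ProcessEvent]) -> List[ProcessEvent]:
    return [ev for ev in events if classify(ev) is not None]


# Constructed sample telemetry; not from the incident described above.
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcessEvent("WS01", WMIPRVSE, CMD,
                 r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1665900000.12 2>&1"),
    ProcessEvent("WS01", WMIPRVSE, CMD, r'cmd.exe /c "C:\Backup\agent.exe" --check'),
    ProcessEvent("WS02", r"C:\Windows\explorer.exe", CMD,
                 r"cmd.exe /c dir 1> \\127.0.0.1\ADMIN$\__1665900000.12 2>&1"),
    ProcessEvent("WS03", WMIPRVSE, CMD, r"cmd.exe /Q /c net user backupsvc"),
]

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_EVENTS):
        print(f"[{ev.host}] {classify(ev)}: {ev.command_line}")
```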
“The threat landscape in Ukraine continues to evolve, and the unchanging theme continues to be wiper and destructive attacks,” Microsoft said further in a statement. “Ransomware and wiper attacks exploit the same security weaknesses to succeed.”