{
	"id": "d53a4f45-9666-4da5-92a9-bb74040c1bb9",
	"created_at": "2026-04-06T00:22:05.244969Z",
	"updated_at": "2026-04-10T13:13:00.045324Z",
	"deleted_at": null,
	"sha1_hash": "506b74722d17b3294bd08da66149caefe3cf2329",
	"title": "IsaacWiper Followed HermeticWiper Attack on Ukraine Orgs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35060,
	"plain_text": "IsaacWiper Followed HermeticWiper Attack on Ukraine Orgs\r\nBy Teri Robinson\r\nPublished: 2022-03-11 · Archived: 2026-04-05 20:08:48 UTC\r\nIn the hours before Russia invaded Ukraine, a destructive malware campaign used HermeticWiper to attack\r\nseveral Ukrainian organizations and, just a day after the invasion began, another wiper, dubbed IsaacWiper by\r\nESET, was pressed into service against a Ukraine government network.\r\nThe attackers were not finished, though; perhaps because they could not wipe some of the targeted machines, a\r\nWeLiveSecurity blog reported they dropped another version of IsaacWiper that included debug logs.\r\n“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper,” said ESET head of\r\nthreat research Jean-Ian Boutin. “It is important to note that it was seen in a Ukrainian governmental organization\r\nthat was not affected by HermeticWiper.”\r\nThe initial wiper attack leveraged HermeticWiper to wipe data, HermeticWizard to spread through the local\r\nnetwork and HermeticRansom as decoy ransomware.\r\nThe malware artifacts examined seemed to suggest the attacks, which the researchers have not been able to\r\nattribute to a particular actor, likely had been planned for several months. “This is based on several facts: The\r\nHermeticWiper PE compilation timestamps, the oldest being December 28, 2021; the code-signing certificate\r\nissue date of April 13, 2021 and the deployment of HermeticWiper through the default domain policy in at least\r\none instance, suggesting the attackers had prior access to one of that victim’s Active Directory servers,” Boutin\r\nsaid.\r\nThe HermeticWiper overwrites its own file with random bytes to wipe itself from disk in what researchers feel is\r\nan attempt to prevent the wiper from being analyzed. 
The wiper is spread via a custom worm that ESET calls\r\nHermeticWizard, they wrote.\r\nOrganizations can expect even more attacks and with greater frequency. “Information warfare, which we refer to\r\nas cyberwarfare, is a major component of the Russian doctrine. This explains why, whenever there is a conflict\r\nrelated to Russia, you should expect to see force being applied on the cyber domain as well to create\r\ndisorientation, lack of trust and fear,” said Mitiga co-founder and CEO Ariel Parnes, former head of the Cyber\r\nDepartment for the Israeli Intelligence Service. “Russia has significant offensive cybersecurity capabilities,\r\nincluding institutional and criminal elements.”\r\nWhile “the increase in operations will result in smaller-scale impacts as targeting is rushed … for those affected, it\r\nwon’t be smaller,” said Parnes. “Companies should therefore be ready to increase their ability to detect, patch and\r\nremediate against an increase in zero-day vulnerabilities.”\r\nBut deploying new defensive cybersecurity capabilities may not be enough to quickly or fully protect\r\norganizations. “There is only so much you can do now to prevent a cyberattack in the immediate future,\r\nparticularly if you are targeted by Russia or a state-sponsored attacker,” said Parnes. “There is a good chance that\r\nyour organization was already attacked, and they have a backdoor to your network.”\r\nUnder Russia’s doctrine, it has already “conducted cyber operations for quite a while, silently preparing the access\r\nneeded so they can choose which one to activate and when, by deleting or encrypting data, conducting a\r\ndistributed denial-of-service attack, or carrying out another attack that will impact business operations,” said\r\nParnes.\r\nOrganizations should strive to bolster resilience. 
“Increasingly, geopolitical events have global impact,\r\nhighlighting the importance of focusing on resilience so that organizations are ready, prepared to recover rapidly\r\nand resilient if they get caught up in a wave of state-sponsored cyberattacks,” said Parnes.\r\nSource: https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/"
	],
	"report_names": [
		"isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs"
	],
	"threat_actors": [],
	"ts_created_at": 1775434925,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/506b74722d17b3294bd08da66149caefe3cf2329.pdf",
		"text": "https://archive.orkl.eu/506b74722d17b3294bd08da66149caefe3cf2329.txt",
		"img": "https://archive.orkl.eu/506b74722d17b3294bd08da66149caefe3cf2329.jpg"
	}
}