Threat Actor

HermeticWiper

hermeticwiper · russia_apt_sandworm_adjacent · active since 2021-12-28

HermeticWiper (canonical ESET + SentinelOne + Symantec joint February 23, 2022 first-day disclosure; naming derived from the Cypriot Hermetica Digital Ltd code-signing certificate per ESET; Microsoft alternative naming FoxBlade per the ESET "A year of wiper attacks in Ukraine" retrospective; cluster-defining destructive disk wiper with companion HermeticWizard custom worm + HermeticRansom / PartyTicket Golang decoy ransomware) is a destructive disk wiper deployed February 23, 2022, the second wiper of the 2022 Ukraine wartime wiper cluster + cluster-defining invasion-eve cyber-kinetic-coordination attack (T-1 day before Russia's February 24, 2022 invasion of Ukraine).

Russian state-sponsored APT attribution to Sandworm (Russian GRU Unit 74455, also Mandiant APT44 / Microsoft Seashell Blizzard / Dragos ELECTRUM, curated separately as sandworm_team parent operator) per ESET canonical February 24, 2023 compilation by Anton Cherepanov + Robert Lipovsky: "We were able to attribute the majority of these attacks to Sandworm, with varying degrees of confidence".

standalone malware platform cluster paralleling whispergate + caddywiper in Ukraine 2022 wartime wiper cell.

operational attack architecture with ~2-month development pre-positioning (per ESET timestamps from December 28, 2021), Active Directory GPO mass deployment via default domain policy indicating Active Directory server takeover, deployment across hundreds of systems in at least 5 Ukrainian organizations + neighbor countries Latvia + Lithuania with finance sector + government contractor targeting per Symantec.

cluster-defining EaseUS Partition Master signed-driver abuse tradecraft using legitimate empntdrv.sys (EPMNTDRV) partition management driver for direct userland filesystem access, same technique used by Lazarus Group's Destover + APT33 Shamoon with Eldos Rawdisk (lineage cluster-cell coherence with prior nation-state wiper tradecraft); 114KB binary sample with ~70% composed of ms-compressed EaseUS Partition Master driver resources for multiple OS versions/bitness + SysWow64 redirection.

signed with Cypriot Hermetica Digital Ltd code-signing certificate (DigiCert EV Code Signing CA issuer per SentinelLabs YARA rule), per ZeroFox Brian Kime "the certification might have been designed to help the malware dodge antivirus protections... but a sign of a 'sophisticated and targeted' operator"; multi-component campaign architecture comprising HermeticWiper signed-driver destructive wiper + HermeticWizard custom worm for LAN propagation + HermeticRansom (PartyTicket per SentinelLabs naming) Golang decoy ransomware (counterintuitive use as deception layer, per SentinelOne: "very loud and ineffective ransomware that should fire alerts left and right", anti-US sentiment in code per SentinelLabs analysis of folder organization + function naming); anti-forensics tradecraft setting the registry SYSTEM\CurrentControlSet\Control\CrashControl CrashDumpEnabled value to zero (disabling crash dumps), iterating PhysicalDrive enumeration for MBR + content destruction, and finally initiating system shutdown via a sleeping-threads pattern.

adjacent same-week Sandworm wiper operations including IsaacWiper deployed February 24, 2022 against Ukrainian governmental network (per ESET March 1, 2022 disclosure "IsaacWiper + HermeticWizard: wiper + worm targeting Ukraine") + AcidRain February 24, 2022 ViaSat KA-SAT satellite modem wiper disrupting Ukrainian + European satellite communications (US/UK/EU joint Russia GRU attribution); additional Hermetic campaigns March 10, 2022 + March 17, 2022 + March 24, 2022 + HermeticWiper x64 variant October 5, 2022.

CISA + FBI joint advisory February 28, 2022 warning of WhisperGate + HermeticWiper destructive malware spreading.

CERT-UA + ESET + SentinelOne + Symantec + Stairwell + RedCanary joint industry threat-intelligence response demonstrated cross-vendor coordination capability.

cluster fills invasion-eve wiper position in 2022 Ukraine wartime wiper chronology: WhisperGate January 2022 - HermeticWiper February 23, 2022 - IsaacWiper February 24, 2022 - CaddyWiper March 14, 2022 - Industroyer2 April 8, 2022.

canonical illustration of EaseUS Partition Master signed-driver-abuse tradecraft from Shamoon + Destover lineage cited in essentially all subsequent 2022+ Ukraine wiper + signed-driver-abuse wiper industry analyses through the 2022-2026 period.

russia_apt_sandworm_adjacent · confidence: high · 14 aliases
Sigma rules: 202 · YARA rules: 3 · Live IOCs: 0 · CVEs exploited: 0

Profile

HermeticWiper (canonical ESET + SentinelOne + Symantec joint February 23, 2022 first-day disclosure; naming derived from the Cypriot Hermetica Digital Ltd code-signing certificate per ESET; Microsoft alternative naming FoxBlade per the ESET "A year of wiper attacks in Ukraine" retrospective) is a destructive disk wiper deployed February 23, 2022, the second wiper of the 2022 Ukraine wartime wiper cluster + cluster-defining invasion-eve cyber-kinetic-coordination attack (one day before Russia's February 24, 2022 invasion of Ukraine).

Russian state-sponsored APT attribution to Sandworm (Russian GRU Unit 74455, also Mandiant APT44 / Microsoft Seashell Blizzard / Dragos ELECTRUM, curated separately as sandworm_team parent operator) via ESET canonical February 24, 2023 "A year of wiper attacks in Ukraine" compilation by Anton Cherepanov + Robert Lipovsky: "We were able to attribute the majority of these attacks to Sandworm, with varying degrees of confidence." Standalone malware platform cluster paralleling whispergate + caddywiper in the Ukraine 2022 wartime wiper cell.

Operational attack architecture:
  • (1) ~2-month development pre-positioning: ESET timestamps from December 28, 2021 indicate malware development began ~2 months before the February 23, 2022 deployment.
  • (2) Active Directory GPO mass deployment: HermeticWiper dropped via default (domain policy) GPO across hundreds of systems in at least 5 Ukrainian organizations; Active Directory server takeover enabled mass deployment.
  • (3) EaseUS Partition Master signed driver abuse (cluster-defining): HermeticWiper abuses the legitimate empntdrv.sys (EPMNTDRV) driver from EaseUS Partition Master software for direct userland filesystem access, the same technique used by Lazarus Group's Destover + APT33 Shamoon with Eldos Rawdisk. Multiple driver versions are bundled as ms-compressed resources (~70% of the 114KB sample) for different OS bitness + SysWow64 redirection.
  • (4) Hermetica Digital Ltd code-signing certificate: Cypriot firm-issued certificate used to sign HermeticWiper for execution per ESET. Per ZeroFox Brian Kime: "the certification might have been designed to help the malware dodge antivirus protections, adding that faking or stealing such a certificate isn't impossible but a sign of a 'sophisticated and targeted' operator."
  • (5) Multi-component campaign architecture: HermeticWiper (signed driver destructive wiper) + HermeticWizard (custom worm for HermeticWiper LAN propagation) + HermeticRansom (PartyTicket, Golang decoy ransomware per SentinelLabs).
  • (6) Anti-forensics + system shutdown: HermeticWiper sets registry CrashControl CrashDumpEnabled = 0 to disable crash dumps before destruction, then iterates PhysicalDrive enumeration for MBR + content destruction, and finally initiates system shutdown.

Adjacent same-week Ukrainian wiper operations
  • IsaacWiper (February 24, 2022, invasion day): deployed against Ukrainian governmental network.
  • AcidRain (February 24, 2022): ViaSat KA-SAT satellite modem wiper disrupting Ukrainian + European satellite communications.

Operational target profile: hundreds of machines in at least 5 Ukrainian organizations + Latvia + Lithuania; finance sector + government contractors targeted per Symantec.

Signature operational tradecraft
  • Invasion-eve timing (cluster-defining): T-1 day from kinetic invasion, signature cyber-kinetic coordination.
  • EaseUS Partition Master signed-driver abuse (cluster-defining): empntdrv.sys / EPMNTDRV legitimate-software-abuse tradecraft from Shamoon + Destover lineage.
  • Hermetica Digital Ltd code-signing certificate (signature): stolen or fraudulent code-signing certificate for execution.
  • Active Directory GPO mass deployment (signature): default domain policy deployment for hundreds of simultaneous infections.
  • Multi-component campaign with worm + decoy ransomware (signature): HermeticWiper + HermeticWizard + HermeticRansom architecture.
  • Anti-forensics via crash dump disable (signature): registry CrashControl CrashDumpEnabled = 0.
  • 2-month development pre-positioning (signature): ~December 28, 2021 timestamps.
  • Counterintuitive decoy ransomware tradecraft (signature): PartyTicket poorly coded Go ransomware as deception layer.

The cluster fills the invasion-eve wiper position in 2022 Ukraine wartime wiper chronology:
  • WhisperGate January 2022.
  • HermeticWiper February 23, 2022.
  • IsaacWiper February 24, 2022.
  • CaddyWiper March 14, 2022.
  • Industroyer2 April 8, 2022.

Operationally significant: cluster-defining cyber-kinetic-coordination timing + cluster-defining signed-driver-abuse tradecraft from Shamoon + Destover lineage.

Aliases

14 aliases: hermeticwiper · hermetic wiper · hermeticwiper_malware · foxblade · hermeticransom · partyticket · hermeticwizard · isaacwiper · acidrain · hermeticwiper february 23 2022 ukraine · hermeticwiper invasion eve attack · hermetic digital cyprus code signing certificate · easeus partition master driver abuse hermeticwiper · empntdrv.sys hermeticwiper

Notable Campaigns

12 campaigns
  • 2023: ESET 'A year of wiper attacks in Ukraine' Sandworm Attribution (February 24, 2023)
  • 2022-2026: Continued Industry Reference Status (2022-2026)
  • 2022: HermeticWiper Deployment (February 23, 2022)
  • 2022: ESET + Symantec + SentinelOne Canonical First-Day Disclosure (February 23, 2022)
  • 2022: HermeticRansom / PartyTicket Decoy Identification (February 24, 2022)
  • 2022: IsaacWiper Same-Week Companion Wiper (February 24, 2022)
  • 2022: AcidRain ViaSat KA-SAT Modem Wiper (February 24, 2022)
  • 2022: HermeticWizard Worm Canonical Disclosure (March 1, 2022)
  • 2022: CISA + FBI Joint Advisory (February 28, 2022)
  • 2022: Additional Hermetic Campaign (March 10, 2022 + March 17, 2022 + March 24, 2022)
  • 2022: HermeticWiper x64 Variant (October 5, 2022)
  • 2021: HermeticWiper Development (December 28, 2021)

Attribution & Reporting

Attributed by
  • ESET WeLiveSecurity (canonical February 23, 2022 first-day disclosure, Anton Cherepanov + Robert Lipovsky + ESET Research)
  • ESET (canonical March 1, 2022 IsaacWiper + HermeticWizard follow-up disclosure)
  • ESET (canonical February 24, 2023 "A year of wiper attacks in Ukraine" Sandworm attribution compilation)
  • SentinelOne SentinelLabs (Juan-Andres Guerrero-Saade + Tom Hegel, canonical HermeticWiper + PartyTicket analysis)
  • Symantec Threat Intelligence (Vikram Thakur, canonical February 23, 2022 parallel disclosure)
  • Stairwell (Silas Cutler, canonical MBR damage analysis)
  • RedCanary (canonical industry contribution)
  • CISA Cybersecurity and Infrastructure Security Agency (February 28, 2022 joint advisory)
  • FBI Federal Bureau of Investigation (February 28, 2022 joint advisory)
  • Microsoft Threat Intelligence Center (FoxBlade canonical Microsoft naming)
  • Mandiant / Google Cloud Threat Intelligence Group (APT44 Sandworm canonical tracking)
  • CrowdStrike (Voodoo Bear canonical Sandworm tracking)
  • ZeroFox (Brian Kime canonical industry commentary)
  • CyberScoop (Derek B. Johnson, canonical industry reporting)
  • Cybersecurity Dive (canonical industry compilation)
  • CIO Dive (canonical industry compilation)
  • CERT-UA Ukrainian Computer Emergency Response Team (canonical incident response)
  • MITRE ATT&CK Software S0697 (HermeticWiper)
Key reporting
  • ESET WeLiveSecurity (Anton Cherepanov + Robert Lipovsky): A year of wiper attacks in Ukraine (February 24, 2023), canonical 2022 Ukraine wiper compilation + Sandworm attribution
  • ESET WeLiveSecurity: IsaacWiper + HermeticWizard, wiper + worm targeting Ukraine (March 1, 2022), canonical companion malware disclosure
  • SentinelOne SentinelLabs (Juan-Andres Guerrero-Saade + Tom Hegel): HermeticWiper, New Destructive Malware Used In Cyber Attacks on Ukraine (February 23, 2022 + February 28, 2022 PartyTicket update)
  • Symantec Threat Intelligence (Vikram Thakur): Canonical February 23, 2022 parallel HermeticWiper disclosure with finance + government contractor targeting in Latvia + Lithuania
  • Stairwell (Silas Cutler): Canonical MBR damage analysis
  • ESET Research Twitter (@ESETresearch): Real-time February 23, 2022 disclosure tweets
  • Mandiant / Google Cloud Threat Intelligence Group: APT44 Sandworm canonical tracking
  • Microsoft Threat Intelligence Center: FoxBlade canonical Microsoft naming
  • CrowdStrike: Voodoo Bear canonical Sandworm tracking
  • ZeroFox (Brian Kime): Hermetica Digital Ltd certificate sophistication assessment
  • CyberScoop (Derek B. Johnson): Canonical industry reporting
  • Cybersecurity Dive + CIO Dive: Canonical industry compilation
  • Silicon Republic: Canonical European industry reporting
  • CISA + FBI: Joint February 28, 2022 advisory on WhisperGate + HermeticWiper
  • CERT-UA Ukrainian Computer Emergency Response Team: canonical incident response
  • MITRE ATT&CK Software S0697: HermeticWiper
  • MITRE ATT&CK Software S1027: IsaacWiper
  • Malpedia Software Profile: HermeticWiper

Operational

State sponsor

Russian state-sponsored APT, attributed primarily to Sandworm (Russian GRU Unit 74455, also Mandiant APT44 / Microsoft Seashell Blizzard, curated separately as sandworm_team parent operator cluster). Per ESET canonical February 24, 2023 "A year of wiper attacks in Ukraine" by Anton Cherepanov + Robert Lipovsky: "We were able to attribute the majority of these attacks to Sandworm, with varying degrees of confidence." Note: ESET attributes HermeticWiper to Sandworm only with "varying degrees of confidence"; the initial February 23, 2022 disclosure did not establish formal Sandworm attribution. Attribution converged on Sandworm via subsequent ESET + Symantec + SentinelOne + Stairwell + RedCanary joint analysis through 2022 + the ESET February 2023 retrospective compilation.

Attribution chain:
  • (1) ESET canonical February 23, 2022 disclosure: ESET research team (Anton Cherepanov + Robert Lipovsky + others) tweeted hashes associated with HermeticWiper the same day as deployment. ESET named the malware HermeticWiper based on the Cypriot Hermetica Digital Ltd code-signing certificate. ESET telemetry showed HermeticWiper installed on hundreds of machines in Ukraine + neighbor countries Latvia + Lithuania.
  • (2) Symantec parallel February 23, 2022 disclosure: Symantec Threat Intelligence (Vikram Thakur) confirmed observation of HermeticWiper deployed against finance sector + government contractors.
  • (3) SentinelOne canonical February 23, 2022 analysis: SentinelOne SentinelLabs (Juan-Andres Guerrero-Saade + Tom Hegel) published the canonical "HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine" technical analysis identifying signed driver deployment + MBR manipulation + boot failure. SentinelOne assessed the wiper "appeared to be more dangerous than the malware uncovered in January" (WhisperGate).
  • (4) SentinelLabs HermeticRansom / PartyTicket identification February 24, 2022: SentinelOne identified PartyTicket Golang decoy ransomware deployed alongside HermeticWiper as a deception layer. Per SentinelOne analysis: "The idea of using a ransomware as a decoy for a wiper is counterintuitive. In particular, a ransomware as poorly coded as PartyTicket is more likely to tie up resources during the execution of an otherwise efficient wiper."
  • (5) ESET HermeticWizard worm + IsaacWiper canonical March 1, 2022 follow-up: ESET published "IsaacWiper + HermeticWizard: wiper + worm targeting Ukraine" establishing HermeticWizard as the custom worm for HermeticWiper propagation + IsaacWiper as a separate same-week (February 24, 2022) wiper deployed against a Ukrainian governmental network.
  • (6) CISA + FBI February 28, 2022 joint advisory: US government joint advisory warning of WhisperGate + HermeticWiper destructive malware spreading.
  • (7) ESET February 24, 2023 retrospective + Sandworm attribution: the ESET "A year of wiper attacks in Ukraine" compilation established Sandworm attribution for the majority of 2022 Ukraine wipers including HermeticWiper.

Operational target profile
  • Hundreds of machines in Ukraine infected per ESET telemetry (200+ systems).
  • At least 5 Ukrainian organizations affected per ESET "A year of wiper attacks in Ukraine".
  • Latvia + Lithuania systems also affected per Symantec + ESET.
  • Finance sector + government contractors specific targets per Symantec.
  • Default domain policy GPO deployment indicating Active Directory server takeover per ESET.

Operational attack architecture per SentinelOne + ESET:
  • (1) Initial compromise + Active Directory takeover: attackers compromised Ukrainian organizations weeks to months prior. Active Directory server compromise enabled default domain policy GPO deployment.
  • (2) Signed driver deployment via EaseUS Partition Master abuse: HermeticWiper uses the legitimate partition management driver from EaseUS Partition Master software, the same technique Lazarus Group's Destover + APT33's Shamoon used with Eldos Rawdisk. Driver name empntdrv.sys (EPMNTDRV). The 114KB HermeticWiper sample is ~70% composed of ms-compressed EaseUS Partition Master driver resources (multiple driver versions for different OS bitness + SysWow64 redirection).
  • (3) Hermetica Digital Ltd code-signing certificate: Cypriot firm-issued certificate used to sign HermeticWiper for execution. Per ZeroFox Brian Kime: "the certification might have been designed to help the malware dodge antivirus protections, adding that faking or stealing such a certificate isn't impossible but a sign of a 'sophisticated and targeted' operator."
  • (4) Multi-component campaign with HermeticWizard worm + HermeticRansom decoy: HermeticWiper + HermeticWizard worm for LAN propagation + HermeticRansom (PartyTicket) Golang decoy ransomware.
  • (5) Anti-forensics + system shutdown: HermeticWiper modifies registry keys (including SYSTEM\CurrentControlSet\Control\CrashControl CrashDumpEnabled = 0 to disable crash dumps), waits on sleeping threads, and initiates system shutdown.

The cluster fills the invasion-eve wiper position in 2022 Ukraine wartime wiper chronology:
  • WhisperGate January 2022.
  • HermeticWiper February 23, 2022.
  • IsaacWiper February 24, 2022.
  • CaddyWiper March 14, 2022.
  • Industroyer2 April 8, 2022.
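Two of the behaviours described in the architecture above (the Profile section's step (6) and the Operational section's step (5)) leave host telemetry a defender can key on: the write of CrashControl\CrashDumpEnabled = 0 and the load of the EaseUS partition driver from a location where EaseUS Partition Master was never installed. The following Python is an added example, not code from this page or from any vendor it cites; it runs both checks over a handful of constructed Sysmon-style records (EventID 13 registry value set, EventID 6 driver load; field names follow the Sysmon schema) and correlates them per host. The hostnames, paths, timestamps, the assumed EaseUS install prefix and the ten-minute correlation window are all assumptions. The page spells the driver file name empntdrv.sys while the EaseUS driver as shipped is epmntdrv.sys (service name EPMNTDRV), so both spellings are matched.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style records (not real telemetry). EventID 13 is a
# RegistryEvent (value set), EventID 6 is a DriverLoad. Hosts, paths and
# times are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2022-02-23T15:02:10", "Computer": "fs01",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "Details": "DWORD (0x00000007)"},      # benign: dump type changed, not disabled
    {"EventID": 13, "UtcTime": "2022-02-23T15:04:31", "Computer": "ws17",
     "Image": r"C:\Windows\Temp\cc.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "Details": "DWORD (0x00000000)"},      # crash dumps disabled by an unusual process
    {"EventID": 6, "UtcTime": "2022-02-23T15:04:33", "Computer": "ws17",
     "ImageLoaded": r"C:\Windows\System32\drivers\empntdrv.sys"},   # EaseUS driver, odd path
    {"EventID": 6, "UtcTime": "2022-02-23T09:10:00", "Computer": "admin02",
     "ImageLoaded": r"C:\Program Files\EaseUS\EaseUS Partition Master\epmntdrv.sys"},  # benign
    {"EventID": 13, "UtcTime": "2022-02-23T15:09:00", "Computer": "ws22",
     "Image": r"C:\Windows\Temp\cc.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "Details": "DWORD (0x00000000)"},      # only one of the two behaviours on this host
]

CRASHDUMP_KEY = re.compile(r"\\control\\crashcontrol\\crashdumpenabled$", re.IGNORECASE)
DWORD_VALUE = re.compile(r"DWORD \(0x([0-9a-f]{8})\)", re.IGNORECASE)
# Page spelling (empntdrv.sys) and the shipped EaseUS file name (epmntdrv.sys, service EPMNTDRV).
PARTITION_DRIVER_NAMES = {"epmntdrv.sys", "empntdrv.sys"}
# Assumed legitimate install location; adjust to the vendor path used in your estate.
EASEUS_INSTALL_PREFIX = "c:\\program files\\easeus\\"
CHAIN_WINDOW = timedelta(minutes=10)   # assumed window for tying the two behaviours together


def check_crashdump_disabled(event):
    """Flag a registry write that sets CrashControl\\CrashDumpEnabled to 0."""
    if event.get("EventID") != 13 or not CRASHDUMP_KEY.search(event.get("TargetObject", "")):
        return None
    m = DWORD_VALUE.search(event.get("Details", ""))
    if m is None or int(m.group(1), 16) != 0:
        return None
    return ("crashdump_disabled", event["Computer"], event["Image"])


def check_partition_driver_load(event):
    """Flag a load of the EaseUS partition driver from outside its install path."""
    if event.get("EventID") != 6:
        return None
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    if name not in PARTITION_DRIVER_NAMES or path.lower().startswith(EASEUS_INSTALL_PREFIX):
        return None
    return ("partition_driver_outside_install_path", event["Computer"], path)


def analyze(events):
    """Return (findings, hosts) where hosts show both behaviours within CHAIN_WINDOW."""
    findings = []
    seen = defaultdict(list)            # host -> [(time, finding kind)]
    for ev in events:
        for check in (check_crashdump_disabled, check_partition_driver_load):
            hit = check(ev)
            if hit:
                findings.append(hit)
                seen[hit[1]].append((datetime.fromisoformat(ev["UtcTime"]), hit[0]))
    chained = []
    for host, hits in seen.items():
        kinds = {kind for _, kind in hits}
        times = [t for t, _ in hits]
        if len(kinds) == 2 and max(times) - min(times) <= CHAIN_WINDOW:
            chained.append(host)
    return findings, sorted(chained)


if __name__ == "__main__":
    found, hosts = analyze(SAMPLE_EVENTS)
    for kind, host, detail in found:
        print(f"{host}: {kind} ({detail})")
    print("both behaviours within window on:", hosts)
```

On the constructed input the crash-dump change on fs01 (value 7, not 0) and the driver load from the real EaseUS directory on admin02 are left alone, ws22 gets a single medium-confidence finding, and ws17 is the host where both behaviours land within seconds of each other. The correlation is the point: either check alone has benign explanations (administrators do disable dumps, and EaseUS is a legitimate product), but the pair in quick succession on a host that never had the product installed is the shape the page describes.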
Motivations
ukrainian_critical_infrastructure_disruption_during_invasion_eve_strategic_phase, second_wiper_of_2022_ukraine_wartime_wiper_cluster_capability_demonstration, signed_driver_legitimate_software_abuse_tradecraft_signature, active_directory_gpo_default_domain_policy_mass_deployment_capability, multi_component_campaign_with_worm_propagator_and_decoy_ransomware, russian_strategic_objective_ukrainian_finance_government_disruption, shamoon_destover_partition_driver_abuse_lineage_continuation

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 53/60 · 88%
  • Analytics (MITRE CAR): 30/60 · 50%
  • Runtime / container (Falco): 6/60 · 10%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 17/60 · 28%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Master Boot Record (MBR) manipulation
  • MS-compressed EaseUS driver resources
  • Shamoon partition driver abuse lineage
  • System shutdown initiated after destruction
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin