Cypriot IT company denies links to malware found before Russian invasion

• On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations.
• Our analysis shows a signed driver is being used to deploy a wiper that targets Windows devices, manipulating the MBR resulting in subsequent boot failure.
• This blog includes the technical details of the wiper, dubbed HermeticWiper, and includes IOCs to allow organisations to stay protected from this attack.
• This sample is actively being used against Ukrainian organizations, and this blog will be updated as more information becomes available.

A 24-year-old videogame designer who runs his small business out of a home next to an old Greek orthodox Cypriot church in a quiet suburb of Nicosia now finds himself involved in a global crisis following the Russian invasion of Ukraine.

Polis Trachonitis’ firm, Hermetica Digital Ltd, has been implicated by US researchers in a data-shredding cyber attack that hit hundreds of computers in Ukraine, Lithuania, and Latvia.

Discovered on Wednesday night just hours before Russian troops rolled into Ukraine, the cyber attack was widely seen as the opening salvo of Moscow’s invasion.

The malware had been signed using a digital certificate with Hermetica Digital’s name on it, according to the researchers, some of whom have started calling the malicious code “HermeticWiper” because of the connection.

Trachonitis told Reuters he had nothing to do with the attack. He said he never sought a digital certificate and had no idea one had been issued to his firm.

“I’m just a Cypriot guy .. I have no link to Russia.”