The article links cyber operations across the Russia-Ukraine war and the Israel-Hamas conflict, noting shared tactics like denial-of-service, propaganda, espionage, hacking, and defacement. It highlights HermeticWiper, Industroyer2, and decoy ransomware such as PartyTicket to illustrate how destructive malware targets infrastructure and shapes public perception.
#HermeticWiper #BIBIWiper #Industroyer2 #WhisperGate #WhisperKill #PartyTicket #Russia #Ukraine #Israel #Hamas #UkrainePowerGrid
Keypoints
- The article draws connections between cyber operations in the Russia-Ukraine war and the Israel-Hamas conflict, highlighting DoS, propaganda, cyber espionage, hacking, and defacing as common tactics.
- HermeticWiper is described as a new destructive malware variant that overwrites files, corrupts the MBR, and affects Ukrainian systems, and is associated with the decoy ransomware PartyTicket.
- HermeticWiper differs from BIBI Wiper in that it does not communicate with remote C2 servers, use reversible encryption, or drop ransom notes; it simply destroys data to render systems unusable.
- Industroyer2 targeted Ukraine’s energy grid, illustrating the potential for cyber operations to cause physical impacts, though responders neutralized it before activation.
- Russia-Ukraine cyber activity was far more voluminous than Israel-Hamas activity: state actors repeatedly attempted to compromise Ukrainian critical infrastructure, and large volumes of attacks were blocked (e.g., 4.6 million attacks mitigated by Quad9 on March 9).
- Social media and open-source efforts show information operations and pre-war deception, with events around Telegram/X platforms and attempts to shape perception, later debunked by OSINT and US intelligence.
MITRE Techniques
- [T1499] Endpoint Denial of Service – DoS attacks flood websites with excessive traffic, rendering them unavailable to legitimate users for extended periods. “Denial of Service Attacks: These attacks flood websites with excessive traffic, rendering them unavailable to legitimate users for extended periods.”
- [T1566] Phishing – Propaganda and misinformation campaigns leveraging social media bot networks to spread false information and influence opinions. “Perpetrators can easily use social media, often with the help of sophisticated bot networks, to spread false information, influence opinions, and damage reputations.”
- [T1041] Exfiltration Over C2 Channel – Cyber espionage involves infiltrating networks to monitor communications and access valuable trade secrets, enabling data exfiltration. “Cyber Espionage: State actors and cybercriminals may infiltrate networks to monitor communications, access valuable trade secrets and employ social engineering tactics.”
- [T1190] Exploit Public-Facing Application – Defacing often uses SQL injections to manipulate site content. “Defacing: Hackers often vandalize websites to convey political messages, usually using SQL injections to manipulate site content.”
- [T1485] Data Destruction – HermeticWiper destroys data by overwriting files, corrupting the MBR, and damaging physical drives. “HermeticWiper…infiltrate Windows devices and incapacitate them by destroying files, corrupting the Master Boot Record (MBR), and affecting physical drives.”
- [T1486] Data Encrypted for Impact – Decoy ransomware (PartyTicket) deployed alongside wiper threats to make the destruction look like a ransomware incident. “decoy ransomware often deployed alongside wiper threats.” and the association with PartyTicket.
Indicators of Compromise
- [Malware] HermeticWiper, Industroyer2 – Mentioned as destructive/ICS-targeting malware in the article, illustrating malware used in these campaigns.
- [Malware] WhisperGate, PartyTicket – Referenced as earlier wiper and decoy ransomware components tied to the HermeticWiper discussion.
Read more: https://cyberint.com/blog/research/israel-hamas-vs-ukraine-russia-war/