A fierce battle is being fought in cyberspace over Russia's invasion of Ukraine.

Analysis of a computer virus found on a Ukrainian device hit by a cyberattack has revealed that it is a new type of virus: extremely destructive, and capable of destroying a system down to its foundations.

This virus could be called a new "cyber weapon".

A leading computer virus analysis expert in Japan said, "This is not someone else's problem, neither for Japan nor for other countries. If attacked, the organization will stop functioning, the scale of the damage will be enormous, and the horror will be immeasurable," and warned that preparations are needed.

■ Once infected, the machine is "unrecoverable" ...

1. Infection

"Now, let's infect it."

A gift-box-like icon is displayed on the computer screen.

This is the new type of computer virus.

Open the file, and the machine is infected.

At first glance, nothing seems to change.

2. After about 30 minutes ...

However, after about 30 minutes ...

A message such as "There was a problem with the device" appeared on the screen.

Then the machine shut down and restarted.

3. The OS no longer works

However, even when the screen came back up, the basic software that runs the computer, the OS, had stopped working.

This is the new type of computer virus, "Hermetic Wiper", used in cyber attacks on Ukraine.

Analysis by Takashi Yoshikawa of Mitsui Bussan Secure Directions has revealed how dangerous it is.

■ Wiper-type virus

Viruses that, once they infect a machine, delete or destroy data one after another, sweeping it away like a vacuum cleaner (hence "wiper"), are called wipers, and several have been found so far.

The virus called "Olympic Destroyer", used in the cyber attack on the 2018 Pyeongchang Olympics, has been pointed out as a possible cause of damage such as the tournament website becoming unreachable.

At last year's Tokyo Olympics, a wiper-type virus was also found, although no damage came to light.

■ "Very dangerous and vicious"

According to Mr. Yoshikawa, the virus found this time appears to be particularly malicious compared with past ones.

It destroys the storage area called the "boot sector", which holds programs essential for starting the computer.

Once infected, the computer can no longer be used.

It also had a function that stops the Windows backup feature, preventing recovery.

Furthermore, the virus eventually destroyed itself.

This is thought to be intended to erase its traces.

The Slovak security company ESET has announced that it confirmed the new virus was installed on hundreds of devices in Ukraine on February 24 (Japan time), the day Russia's invasion of Ukraine began.

(Mr. Yoshikawa)

"There is a mechanism to completely destroy the computer so that it cannot be recovered. It is intended to cause confusion or malfunction in Ukrainian organizations, and I feel it is an extremely dangerous and vicious virus."

■ Devices that skillfully slip through security defenses ...

Further investigation revealed that it also had advanced gimmicks for skillfully slipping through security defenses.

1. "Digital certificate"

One of the tricks was that it carried a "digital certificate" to make the file appear legitimate.

Some antivirus software excludes files carrying such a certificate from detection, so that legitimate files are not flagged by mistake, and the intention appears to have been to abuse this.



(Mr. Yoshikawa)


"When the skill level of the attacker becomes high, such a technique is rarely used."

2. More than 70% of the program is legitimate software

Further analysis of the programs making up the virus revealed that more than 70% of them were built from legitimate software that anyone can use.

It is believed that the purpose of incorporating so much legitimate software is to bypass the security functions of personal computers and avoid detection by security software.

■ "Interfering with analysts": a clever gimmick that exploits work habits ...

The virus also had a mechanism to interfere with analysts like Mr. Yoshikawa.

Knowing exactly what a virus does is an extremely important task for identifying the extent of the damage and preventing it from spreading.

To do so, it is necessary to open the virus file on a computer, infect it, and observe the virus's behavior.

In this case, the key point was to determine the behavior of the restart, but at first the restart did not happen, and the analysis was delayed.

Why? On detailed investigation, the reason turned out to be the file name.

Unless the name of the virus file started with "C", it was set not to reboot.

According to Mr. Yoshikawa, analysts commonly work after renaming a virus file to an arbitrary name, for example "virus.exe", to distinguish it from other files.

It was a clever gimmick that exploited the analyst's work habits.

An analyst who changed the file name would notice that the restart did not occur and might be confused, thinking, "Is the file I opened different from the one that caused the damage?"

In addition, the automatic analysis systems introduced by companies and other organizations sometimes change the file name to another string, in which case the correct result may not be obtained.
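The file-name check described above means a sandbox that renames every sample before running it can miss the reboot entirely. The following Python is added here as an example and is not code from the article or from MBSD: a small detonation planner for a defender's analysis pipeline that keeps the original file name first in the run list and diffs the recorded behavior across names, so name-gated behavior is flagged instead of silently lost. The sample bytes, the file names and the event labels are all constructed.

```python
"""Detonation planner: run a sample under several file names and flag
behaviour that differs by name (added example; all inputs constructed)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Detonation:
    """One sandbox run: the file name the sample executed under and the
    coarse behaviour events the monitor recorded (constructed labels)."""
    filename: str
    events: set = field(default_factory=set)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plan_filenames(original_name: str, data: bytes) -> list:
    """Names to detonate under, original first. The wiper in the article
    only reboots when its file name starts with 'C', so the submitted name
    must be tried before the hash-style and 'virus.exe' names that analysts
    and automatic systems typically rename a sample to."""
    candidates = [original_name, f"{sha256_hex(data)[:16]}.exe", "virus.exe"]
    ordered = []
    for name in candidates:           # de-duplicate while keeping order
        if name not in ordered:
            ordered.append(name)
    return ordered


def name_dependent_events(runs: list) -> dict:
    """Events seen in some runs but not all, keyed by event and listing the
    file names under which they occurred. A non-empty result means a verdict
    taken from a single renamed run cannot be trusted."""
    if not runs:
        return {}
    all_events = set().union(*(r.events for r in runs))
    common = set.intersection(*(r.events for r in runs))
    return {ev: sorted(r.filename for r in runs if ev in r.events)
            for ev in sorted(all_events - common)}


if __name__ == "__main__":
    sample = b"constructed placeholder bytes, not a real binary"
    names = plan_filenames("c_update.exe", sample)   # constructed name
    # constructed monitor output: the reboot only shows under the original name
    runs = [Detonation(names[0], {"destroy:boot_sector", "disable:backup", "reboot"}),
            Detonation(names[1], {"destroy:boot_sector", "disable:backup"}),
            Detonation(names[2], {"destroy:boot_sector", "disable:backup"})]
    for ev, where in name_dependent_events(runs).items():
        print(f"name-dependent behaviour: {ev!r} only under {where}")
```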



(Mr. Yoshikawa)


"This technique is extremely rare. I feel that it is a fairly conceived mechanism that confuses the analyst and causes the automatic analysis system to fail."

■ "It's like a diversionary operation ..."

<Strategy> Ransomware draws the attention while the wiper slips in ...

Mr. Yoshikawa also pointed out further points of concern.

Since mid-February, when this new virus was sent out, more than seven types of Ukraine-related viruses have been found, including the analyzed wiper-type virus.

Among the various viruses found, some were ransomware called "Hermetic Ransom".

Ransomware is causing great damage in Japan as well, including infections of computers at Toyota's business partners and at hospitals in Tokushima Prefecture.

It is said to be highly strategic: draw attention to these viruses while secretly slipping in this wiper-type virus.

It was like a diversionary operation.



(Mr. Yoshikawa)


"Ransomware has been a hot topic lately, so I think it will attract attention when damage occurs. However, I think there was a real aim to keep the wiper moving behind it."

<Planning> "Was the virus's intrusion route already secured at the attack stage?"

The plan of the attacker who sent the virus has also become apparent.

Two specimens of this wiper-type virus were investigated, and one of them carried a record showing it was created on December 28 of last year (standard time).

This was about two months before the invasion of Ukraine.

The other was made in a short period on February 23, just before the invasion.

To infect a computer with a virus, attackers aim at vulnerable points in networks and devices.



Mr. Yoshikawa points out, "I think they had already secured a route for the virus to invade at the stage of the attack."

■ "Truly a new type of cyber weapon"

As pointed out so far, the newly discovered virus has the following characteristics.

1. Destructive power that uproots the system

2. Breakthrough power that slips through strong security

3. Functions that resist the analysis needed for recovery and countermeasures

4. Strategy and planning, as in a diversionary operation

Considering these things, it can be said that this virus was designed and used based on an extremely sophisticated and strategic plan.

And earlier this month, it was also reported that another wiper-type virus was used in the alleged hacking of a communications satellite network during this invasion of Ukraine.

Mr. Yoshikawa says that this situation, in which viruses aimed at the root of the system destroy the terminal's storage area and related viruses are discovered one after another, can be regarded as a "new type of cyber weapon".

■ Who on earth ...?

Who created such a virus and targeted and invaded Ukrainian computers?

There is no solid evidence.

According to Mr. Yoshikawa, some hacker groups that have attacked Ukrainian companies in the past, and have been pointed out as involved with the Russian government, use this kind of method of destroying the storage area.



(Mr. Yoshikawa)


"Although it is quite possible that Russia has launched it, there is no evidence to conclude that. It is clear that a person backed by high technology launched an attack with strong malicious intent."

■ "May be used to attack government agencies and important organizations around the world ..."

On the other hand, the concern is that such destructive viruses could be used all over the world.

According to Mr. Yoshikawa, compared with physical weapons such as nuclear weapons, cyber attack tools are easier for third parties to obtain, and there is a good chance they will be "reused" in other attacks.

In particular, this virus is designed to work in any environment, so a third party who obtained it would only need to take measures to avoid detection, reuse it, and send it to a target organization to infect it. Technically, it is possible to cause the same great damage.

Mr. Yoshikawa points out that such destructive computer viruses may be used to attack government agencies and important organizations around the world in the future.



(Mr. Yoshikawa)


"This is not someone else's problem, neither for Japan nor for other countries. Especially in a situation of global conflict, there is a possibility that an attack aimed at causing confusion or damage will be carried out. Once attacked, the organization will stop functioning, so the scale of the damage is enormous and horrifying."



There are no borders in cyberspace, and physical distance has no bearing on virus infection.

A computer virus that can cause immense damage.

The threat is approaching us day by day.