A data wiper was likely used to disrupt refugees escaping the war in Ukraine.

A data wiper attack slowed the process of refugees leaving Ukraine for Romania, a cybersecurity expert crossing the border told VentureBeat.

According to Chris Kubecka, long queues at the border formed at least in part because a wiper attack made the Ukrainian side fall back to using pen and paper amidst systems disruptions.

Ukrainian agents at the border crossing spoke with Kubecka, saying they were under the impression it was the same malware that hit the Ukrainian government websites.

According to the UN refugee agency, over 368,000 people have already fled their homes. Millions more could follow if the fighting spreads, Ukrainian authorities have said.

Residential building in Kyiv, hit with a Russian cruise missile on February 25.

Spillover effect

Symantec reported finding evidence that the same wiper that was used against Ukraine was also used in attacks against machines in Lithuania.

The Baltic nation is a NATO member, causing concern over a cyber spillover effect.

However, according to Lithuanian authorities, no incidents associated with the malware, dubbed HermeticWiper by security researchers, were observed in the country.

“No cyber incidents that could be directly associated with this [HermeticWiper] malware were observed,” the Lithuanian Ministry of Defense told Cybernews.

According to Chester Wisniewski, a principal research scientist at Sophos, organizations in countries surrounding Ukraine should be prepared to be drawn into any online mischief, even if they are not operating directly inside Ukraine.

“From a global perspective, we should expect a range of “patriotic” freelancers in Russia, by which I mean ransomware criminals, phish writers and botnet operators, to lash out with even more fervor than normal at targets perceived to be against the Motherland,” Wisniewski said in a blog post.

HermeticWiper malware

Security researchers at Symantec and ESET first observed the malware last week. According to a blog post by Symantec, attackers deployed a disk-wiping malware (Trojan.Killdisk) shortly before Russian forces crossed the Ukrainian border.

The wiper contains driver files that eventually damage the Master Boot Record (MBR) of the infected computer, rendering it inoperable.

According to CrowdStrike, the attackers misused legitimate EaseUS Partition Master drivers to gain raw disk access and manipulate the disk to make the system inoperable.

The wiper was dubbed HermeticWiper since the malware’s certificate was issued to Hermetica Digital Ltd., a legitimate Cyprus-based company. Other researchers named the novel malware ‘DriveSlayer.’

CISA released an advisory on the malware that targeted organizations in Ukraine, with recommendations and strategies to prepare for and respond to the threat.

The recent use of the wiper malware marks the second time this year that threat actors have used similar cyber tactics against Ukraine.

In January, researchers discovered a set of malware dubbed WhisperGate that affected government organizations in Ukraine.

