Today is a dark day. Russia has launched a military invasion of Ukraine, and alongside the physical assault, we’re witnessing one of the most significant cyber operations ever deployed in conjunction with conventional warfare. Security researchers at ESET and Symantec have identified a new destructive malware dubbed “HermeticWiper” that has been deployed against Ukrainian organizations. This isn’t ransomware looking for a payout — it’s pure destruction, designed to render systems unbootable.
What HermeticWiper Does
The technical details emerging from ESET’s analysis paint a picture of deliberate, targeted destruction. HermeticWiper abuses legitimate drivers from the EaseUS Partition Master software to gain low-level disk access, then systematically corrupts the Master Boot Record (MBR) and partition tables. It targets the first 512 bytes of every physical drive, effectively destroying the system’s ability to boot.
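Because the damage lands in the first 512 bytes of each physical drive, a defender can baseline and re-check that sector. The following is an added example, not code from the original post or from ESET's analysis: it parses an MBR's boot signature and partition table, compares the sector against a stored SHA-256 baseline, and classifies it as ok, modified or wiped. The sample sectors are constructed inline; the drive path in the usage note is the only real-system assumption.

```python
"""Integrity check for a 512-byte MBR sector (added example, constructed data)."""
import hashlib
import struct
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR
PART_TABLE_OFFSET = 446           # four 16-byte partition entries follow
PART_ENTRY_SIZE = 16
# entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"


def parse_partitions(sector: bytes) -> List[Dict]:
    """Return the populated MBR partition entries; unused slots are skipped."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def assess_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> Dict:
    """Classify a sector as 'ok', 'modified' (hash drift) or 'wiped' (signature gone)."""
    digest = hashlib.sha256(sector).hexdigest()
    has_sig = sector[510:512] == BOOT_SIGNATURE
    if not any(sector) or not has_sig:
        status = "wiped"           # zeroed or boot signature destroyed
    elif baseline_sha256 is not None and digest != baseline_sha256:
        status = "modified"        # still bootable-looking, but not what we baselined
    else:
        status = "ok"
    return {"status": status, "sha256": digest,
            "partitions": parse_partitions(sector) if has_sig else []}


def build_sample_mbr() -> bytes:
    """Constructed healthy sector: one bootable NTFS (0x07) partition at LBA 2048."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xeb\x63\x90"  # typical jump into boot code
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = assess_mbr(healthy)["sha256"]
    print(assess_mbr(healthy, baseline)["status"])          # ok
    print(assess_mbr(bytes(MBR_SIZE), baseline)["status"])  # wiped
```

On a live Windows host the sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as an administrator; store the baseline hash somewhere the host cannot overwrite, since a wiper that reaches the disk can also reach a local file.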
What’s particularly noteworthy is the compilation timestamp on the malware samples: December 28, 2021. This suggests the operation was planned months in advance, well before the diplomatic situation reached its current crisis point. The certificate used to sign the malware was issued to a Cypriot company called “Hermetica Digital Ltd” — hence the name — and appears to have been obtained specifically for this purpose.
This isn’t a vulnerability exploit or a clever zero-day. It’s a brute-force destructive tool, and its effectiveness comes from the coordinated timing of its deployment, not from technical sophistication.
The Broader Cyber Campaign
HermeticWiper didn’t arrive in isolation. Over the past weeks, Ukrainian government websites were defaced and taken offline in DDoS attacks. A separate piece of malware called WhisperGate was discovered targeting Ukrainian systems back in January, using a similar wiper approach disguised as ransomware. Microsoft’s Threat Intelligence Center documented that campaign in mid-January.
What we’re seeing is the operational integration of cyber capabilities with conventional military operations. DDoS attacks to disrupt communications, wiper malware to destroy data and systems, phishing campaigns against government officials — all synchronized with physical military movements. This is what cyber warfare theorists have been warning about for years, and it’s now playing out in real time.
Implications for the Rest of Us
If you’re not operating in Ukraine, you might be tempted to think this doesn’t affect you. I’d push back on that. Hard.
First, there’s the direct risk of spillover. NotPetya in 2017 was deployed as a targeted attack against Ukrainian tax software but ended up causing over $10 billion in damages worldwide, hitting Maersk, FedEx, Merck, and countless others. Destructive malware doesn’t respect borders or IP address ranges. CISA has issued a “Shields Up” advisory urging all organizations to adopt a heightened cybersecurity posture.
Second, the tactics being used here will be studied, refined, and replicated by threat actors worldwide. The playbook of combining wipers with legitimate signed drivers to bypass security tools is now public knowledge. Expect to see variations of this approach in criminal malware within months.
Third, this situation highlights the absolute criticality of offline backups and disaster recovery plans. Wiper malware doesn’t give you a negotiation option. There’s no decryption key to buy. Your data is gone, your systems are bricked, and your recovery time is measured by how good your backup strategy is.
Practical Steps for Defense
I’ve spent this morning reviewing our own security posture, and here’s what I’d recommend every team prioritize:
Backup verification: Not “do you have backups” but “have you tested a full restore this quarter?” Offline, air-gapped backups are your last line of defense against wipers.
Network segmentation: If wiper malware gets into one system, can it reach your entire infrastructure? Flat networks are wiper playgrounds.
Endpoint detection: Ensure your EDR solutions are updated. The security community is actively sharing indicators of compromise (IOCs) for HermeticWiper — make sure your tools can detect them.
Patch aggressively: This is always good advice, but right now it’s critical. Known vulnerabilities are the easiest path in, and state-sponsored actors have deep catalogs of exploits.
Monitor for anomalies: Unusual authentication patterns, unexpected administrative tool usage, large-scale file modifications — these are the signals that precede a wiper deployment.
My Take
I’ve been working in tech for three decades, and I’ve watched cybersecurity evolve from an afterthought to a boardroom concern. But watching malware deployed in coordination with missiles and tanks hits different. This isn’t a theoretical exercise anymore.
For those of us who build and maintain systems, today is a reminder that security isn’t a feature — it’s a fundamental responsibility. The systems we build, the data we steward, the infrastructure we operate — these things matter to real people. When those systems are destroyed, real consequences follow.
My thoughts are with the people of Ukraine today. For the rest of us, the best thing we can do professionally is take the CISA Shields Up guidance seriously and make sure our own houses are in order. The threat landscape just changed permanently.
