Threat Response – Situation in Ukraine


In the night of the 23rd of February, Russia has initiated attacks on Ukraine. With this threat response we want to inform you of the cyber component of these attacks. Events are moving in rapid succession, this is a first look at what we know now with regards to the digital safety of people and organisations.


Ukrainian governmental and financial institutions have been dealing with DDoS attacks for some time [1]. DDos (Distributed Denial of Service) attacks are attacks carried out by a collection of computers or other devices that simultaneously attempt to disable a computer(network) or service [2]. The purpose of these attacks are to make organisations unreachable or to make them stop functioning. This can have direct consequences in the civil society such as panic and uncertainty.Furthermore, a new malware, HermeticWiper, is reported to have disabled several hundreds of computers in Ukraine [3,4]. HermeticWiper is a so called wiper. Wipers are a type of malware that aim to erase files and make computers permanently unusable. It appears that the attackers have had access to the networks of organisations for some time, and chose this moment to launch the malware [4]. Ransomware groups use the same modus operandi, with the difference being that in this case systems are being destroyed instead of encrypted.


The affected Ukrainian governmental and financial institutions are poorly or not accessible as a result of the DDoS attacks. This can have an impact on your organization if you do business with Ukrainian organizations.

The impact of HermeticWiper is that if one or more of your machines is affected, these machines could be wiped and rendered useless. As such, the impact is high


If your organization has network connections to Ukrainian locations or business units, there is a risk that your systems could be infected with HermeticWiper, or other unknown and yet to be discovered malware. Although it is not known how this malware spreads, Northwave classifies the risk as high if there are network connections to Ukrainian locations or organizations. For the time being, it seems that these cyber attacks are only aimed at Ukrainian organizations. Northwave considers the risk low for non-Ukrainian organizations that do not have locations or network connections in or with Ukraine.


If you use Northwave’s EDRS service via ESET or Microsoft Defender you are protected against the currently known form of HermeticWiper.

If you have network connections with Ukrainian locations or business units, you can consider disconnecting, isolating or heighten monitoring on these connections.

What should you do?

Verify if you have network connections to Ukrainian locations or business units. If so, consider disconnecting, isolating or heighten monitoring on these connections.

For the time being, just as in the normal situation, there is not one solution that covers everything. Vigilance is always advised. Take a layered and integrated security approach.

What will Northwave do?

Northwave will monitor any developments regarding this situation. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.

E-mail: [email protected]Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (alleen vanuit Nederland)




Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.