Cypriot game maker denies links to malware discovered before Russian invasion

NICOSIA/LONDON, Feb 24 (Reuters) – A 24-year-old video game designer who runs his small business from a house next to a former Cypriot church in a quiet Nicosia suburb now finds himself embroiled in a global crisis following the Russian invasion of Ukraine.

Polis Trachonitis’ company, Hermetica Digital Ltd, was implicated by US researchers in a data destruction cyberattack that affected hundreds of computers in Ukraine, Lithuania and Latvia.

Discovered on Wednesday evening, just hours before Russian troops arrived in Ukraine, the cyberattack was widely seen as the first salvo in Moscow's invasion.

The malware had been signed using a digital certificate bearing the name Hermetica Digital, according to the researchers, some of whom began calling the malicious code “HermeticWiper” due to the connection.

Trachonitis told Reuters it had nothing to do with the attack. He said he had never applied for a digital certificate and had no idea that a certificate had been issued to his company.

He stated that his role in the video game industry was simply to write the text for games that others created.

“I don’t even write code – I write stories,” he said, adding that he was unaware of his company’s connection to the Russian invasion until a Reuters reporter told him Thursday morning.

“I am only a Cypriot… I have no connection with Russia.”

The extent of the damage caused by the malware attack was unclear, but cybersecurity firm ESET said the malicious code was found installed on “hundreds of machines”.

Western leaders have warned for months that Russia could carry out destructive cyberattacks on Ukraine ahead of an invasion.

Last week, Britain and the United States said Russian military hackers were behind a series of distributed denial-of-service (DDoS) attacks that briefly took Ukrainian bank and government websites offline.

DIGITAL CERTIFICATE

Cyber spies routinely steal the identities of random strangers to rent server space or register malicious websites.

The Hermetica Digital certificate was issued in April 2021, but the timestamp on the malicious code itself was December 28, 2021.

ESET researchers said in a blog post that these dates suggest “the attack may have been in progress for some time.”

If, as cybersecurity experts and US defense officials widely assume, the attacks were carried out by Russians, then the timestamps are potentially important data points for observers hoping to understand when the plan to invade Ukraine materialized.

Jean-Ian Boutin, head of threat research at ESET, told Reuters that a malicious actor could fraudulently obtain a code-signing certificate in different ways.

“They can obviously get it themselves, but they can also buy it on the black market,” Boutin said.

“As such, it’s possible the operation goes back further than we previously knew, but it’s also possible the threat actor acquired this code-signing certificate recently, just for this campaign.”

Ben Read, director of cyber espionage analysis at Mandiant (MNDT.O), said it was possible that a group could “impersonate a company in communications with a company providing a digital certificate and obtain a legitimate certificate issued to him fraudulently”.

Cybersecurity firm Symantec said organizations in the finance, defense, aviation and IT services sectors were targeted in Wednesday’s attack. DigiCert, the company that issued the digital certificate, did not immediately respond to a request for comment.
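The date comparison the researchers describe, a compile timestamp set against the signing certificate's validity window and signer name, is something a triage analyst can script. The following is an added example, not code from the article or from ESET; it reads the PE header's TimeDateStamp with the standard library only, assumes the certificate's subject and validity dates were already extracted by another tool, and uses a constructed header and an assumed April 1, 2021 issue date (the article gives only the month).

```python
import struct
from datetime import datetime, timezone

# Signer names tied to abused certificates in public reporting.
# "Hermetica Digital Ltd" comes from the article; the list itself is constructed here.
ABUSED_SIGNERS = {"Hermetica Digital Ltd"}

# Assumed certificate window: the article gives only "April 2021" for issuance.
CERT_NOT_BEFORE = datetime(2021, 4, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2022, 4, 1, tzinfo=timezone.utc)

def pe_compile_time(data: bytes) -> datetime:
    """Return IMAGE_FILE_HEADER.TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: Machine(2), NumberOfSections(2), TimeDateStamp(4)
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def triage(data: bytes, signer: str, not_before: datetime, not_after: datetime):
    """Compare the compile time with the signer certificate window; return (compiled, findings)."""
    findings = []
    compiled = pe_compile_time(data)
    if signer in ABUSED_SIGNERS:
        findings.append(f"signer '{signer}' is on the abused-signer list")
    if compiled < not_before:
        findings.append("compiled before certificate notBefore (forged timestamp or clock skew)")
    if compiled > not_after:
        findings.append("compiled after certificate expiry")
    return compiled, findings

def build_sample_pe(timestamp: int) -> bytes:
    """Construct a minimal, non-executable MZ/PE header carrying the given TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS stub
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff

def demo():
    """Constructed sample: signed by the abused name, compiled Dec 28, 2021 as in the article."""
    ts = int(datetime(2021, 12, 28, tzinfo=timezone.utc).timestamp())
    return triage(build_sample_pe(ts), "Hermetica Digital Ltd", CERT_NOT_BEFORE, CERT_NOT_AFTER)
```

A compile time inside the window, as in the sample, cannot distinguish a certificate obtained early from one bought shortly before the campaign, which is exactly the ambiguity Boutin describes.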

Juan-Andres Guerrero-Saade, cybersecurity researcher at digital security firm SentinelOne (SN), said the purpose of the attack was clear: “It was aimed at damaging, disabling, reporting and causing havoc.”


Reporting by Michele Kambas in Nicosia, and James Pearson and Raphael Satter in London Additional reporting by Christopher Bing in Washington Editing by Matthew Lewis
