Nixu Threat Intelligence Bulletin #3: Russia's War in Ukraine

Nixu Threat Intelligence Team

Threat Intelligence Team

March 2, 2022 at 14:00


Cyberattacks on financial services and banking are causing us to re-evaluate our threat assessment for the sectors. Meanwhile, new wiper attacks were discovered attacking Ukrainian organizations.

Financial Services & Banking  

The war in Ukraine has had ramifications far outside its borders. Sanctions against the Russian government and private organizations have inspired cyberattacks on victims within Russia, Ukraine, and now elsewhere.

A group calling itself ATW or "AgainstTheWest" has declared that it is "standing against Russia and China" and has breached Russian state-owned Sberbank. The group claims to have exfiltrated data including DNS infrastructure, private keys for SSL, and the bank’s API.

Outside of the primary region of conflict, Nordea Bank, a large Nordic financial services group, has found itself the target of DDoS attacks. The specific targets were the company's online and mobile banking services in Finland, but impacts were felt by other Nordic customers. Certain Nordea services, including the mobile bank app and payment verification functions, have been either down or working very slowly since the evening of February 28. Nordea has stated that while slow, services are working normally, and no client information or assets have been endangered. Thus far, Nordea has not managed to attribute the origin of the attacks. However, considering the ongoing Western punitive measures to financially isolate Russia for its invasion of Ukraine, Nixu Threat Intelligence assesses with low confidence that these attacks are likely a part of retaliatory measures coming from Russia. This view is supported by the fact that the attacks did not aim for financial gain but instead were solely disruptive in nature.


In our previous update, we provided information on the HermeticWiper malware used to attack Ukrainian organizations. Now, researchers at ESET have uncovered a second wiper malware dubbed IsaacWiper.

IsaacWiper has been traced back to 24 February when it was used destructively on a Ukrainian government network by wiping disk drives. The malware is noticeably less sophisticated than HermeticWiper, and it is possible they are related, but this has not yet been established by researchers. The initial access vector for both of these malware programs is currently unknown. However, it is possible that Impacket was used to deploy and move the malware laterally. The remote access tool RemCom has been observed being deployed at the same time as IsaacWiper, but a definite link has not been established.

As of yet, the malware programs have not been attributed to a threat actor, but we assess with high confidence that they are directly related to the Russian invasion of Ukraine. To date, there are no signs of other countries being targeted.


  • Review your business continuity plans to align them to the changes in Europe and Russia.
  • Harden all systems to proactively protect against potential threats (ex. MFA, Privileged Access Management, Review all authentication activity for remote access infrastructure, and isolate legacy systems)
  • More tips from Microsoft at
  • Prepare and practice your response to a potential DDoS attack. Think about how this could impact your customers.

Related blogs