© Reuters. A man rides his motorcycle in front of St. George’s Church in the Ayios Dhometios suburb of Nicosia, Cyprus, Feb. 24, 2022. REUTERS/Yiannis Kourtoglou
By Michele Kambas and James Pearson
NICOSIA/LONDON (Reuters) – A 24-year-old video game designer who runs his small business out of a house next to an old Cypriot church in a quiet suburb of Nicosia is now mired in a global crisis following Russia’s invasion of Ukraine.
Polis Trachonitis’ company, Hermetica Digital Ltd, has been implicated by US investigators in a data-shredding cyber attack that affected hundreds of computers in Ukraine, Lithuania and Latvia.
The cyber attack was discovered Wednesday night, just hours before Russian forces invaded Ukraine, and was widely seen as the opening salvo of the invasion of Moscow.
The malware was signed with a digital certificate with the name Hermetica Digital on it, according to the researchers, some of whom have come to call the malicious code “HermeticWiper” because of the connection.
Trachonitis told Reuters it had nothing to do with the attack. He said he had never applied for a digital certificate and had no idea that one had been issued to his company.
He said his role in the video game industry is just to write the lyrics for games that others have put together.
“I don’t even write the code — I write stories,” he said, adding that he was not aware of the link between his company and the Russian invasion until told by a Reuters reporter Thursday morning.
“I’m just a Cypriot man … I have no connection with Russia.”
The extent of damage caused by the malware attack was not clear, but cybersecurity firm ESET said the malicious code was installed on “hundreds of machines”.
Western leaders have been warning for months that Russia could carry out destructive cyber attacks on Ukraine ahead of an invasion.
Last week, Britain and the United States said Russian military hackers were behind a spate of Distributed Denial of Service (DDoS) attacks that briefly took Ukrainian banks and government websites offline.
Cyber spies routinely steal the identities of random strangers to rent server space or register malicious websites.
The Hermetica Digital certificate was issued in April 2021, but the timestamp on the malicious code itself was December 28, 2021.
ESET researchers said in a blog post that those data suggested that “the attack may have been in the works for a while.”
If, as is widely believed by cybersecurity experts and US defense officials, the attacks were carried out by Russians, the timestamps are potentially important data points for observers hoping to understand when the plan to invade Ukraine came about.
Jean-Ian Boutin, head of ESET’s threat research, told Reuters that there are several ways for a malicious actor to fraudulently obtain a code signing certificate.
“Of course they can get it themselves, but they can also buy it on the black market,” says Boutin.
“As such, it’s possible that the operation goes back further than we knew before, but it’s also possible that the threat actor recently obtained this code-signing certificate just for this campaign.”
Ben Read, director of cyber-espionage analysis at Mandiant, said it is possible that a group could “impersonate a company in communication with a company that provides digital certificates and obtain a legitimate certificate fraudulently”.
Cybersecurity firm Symantec (NASDAQ:) said organizations in the financial, defense, aviation and IT services sectors were the target of Wednesday’s attack. DigiCert, the company that issued the digital certificate, did not immediately respond to a request for comment.
Juan-Andres Guerrero-Saade, cybersecurity researcher at a digital security firm SentinelOne (NYSE:), said the purpose of the attack was clear: “This was intended to deal damage, disable, signal and deal damage.”