ESET Analysis has compiled a timeline of cyberattacks that used wiper malware and have occurred since Russia’s invasion of Ukraine in 2022
This blogpost presents a compiled overview of the disruptive wiper assaults that we’ve got noticed in Ukraine for the reason that starting of 2022, shortly earlier than the Russian navy invasion began. We had been capable of attribute the vast majority of these assaults to Sandworm, with various levels of confidence. The compilation contains assaults seen by ESET, in addition to some reported by different respected sources like CERT-UA, Microsoft, and SentinelOne.
Be aware: Approximate dates (~) are used when the precise date of deployment in unsure or unknown. In some circumstances, the date of discovery or (within the case of non-ESET discoveries) the date of publication of the assault is used.
Amongst quite a few waves of DDoS attacks that had been concentrating on Ukrainian establishments on the time, the WhisperGate malware struck on January 14th, 2022. The wiper masqueraded as ransomware, echoing NotPetya from June 2017 – a tactic that will even be seen in later assaults.
On February 23rd, 2022, a damaging marketing campaign utilizing HermeticWiper focused a whole bunch of programs in at the very least 5 Ukrainian organizations. This information wiper was first noticed simply earlier than 17:00 native time (15:00 UTC): the cyberattack preceded, by just a few hours, the invasion of Ukraine by Russian Federation forces. Alongside HermeticWiper, the HermeticWizard worm and HermeticRansom fake ransomware had been additionally deployed within the marketing campaign.
Invasion and spring wave
On February 24th, 2022, with the Ukrainian winter thawing away, a second damaging assault towards a Ukrainian governmental community began, utilizing a wiper we’ve got named IsaacWiper.
Additionally on the day of the invasion, the AcidRain wiper marketing campaign focused Viasat KA-SAT modems, with spillover exterior of Ukraine as nicely.
One other wiper, initially disclosed by Microsoft, is DesertBlade, reportedly deployed on March 1st, 2022 and once more round March 17th, 2022. The identical report additionally mentions assaults utilizing wipers from the Airtight marketing campaign, particularly HermeticWiper (Microsoft calls it FoxBlade) round March tenth, 2022, HermeticRansom (Microsoft calls it SonicVote) round March 17th, 2022, and an assault round March 24th, 2022 utilizing each HermeticWiper and HermeticRansom.
CERT-UA reported on its discovery of the DoubleZero wiper on March 17th, 2022.
On March 14th, 2022, ESET researchers detected an assault utilizing CaddyWiper, which focused a Ukrainian financial institution.
On April 1st, 2022, we detected CaddyWiper once more, this time being loaded by the ArguePatch loader, which is often a modified, legit binary that’s used to load shellcode from an exterior file. We detected an analogous state of affairs on Could sixteenth, 2022, the place ArguePatch took the type of a modified ESET binary.
We additionally detected the ArguePatch-CaddyWiper tandem on April 8th, 2022, in maybe probably the most formidable Sandworm assaults for the reason that starting of the invasion: their unsuccessful try and disrupt the movement of electrical energy utilizing Industroyer2. Along with ArguePatch and CaddyWiper, on this incident, we additionally found wipers for non-Home windows platforms: ORCSHRED, SOLOSHRED, and AWFULSHRED. For particulars, see the notification by CERT-UA, and our WeLiveSecurity blogpost.
A quieter summer time
The summer time months noticed fewer discoveries of recent wiper campaigns in Ukraine as in comparison with the earlier months, but a number of notable assaults did happen.
We have now labored along with CERT-UA on circumstances of ArguePatch (and CaddyWiper) deployments towards Ukrainian establishments. The primary incident occurred within the week beginning June 20th, 2022, and one other on June 23rd, 2022.
With temperatures dropping in preparation for the northern winter, on October 3rd, 2022 we detected a brand new model of CaddyWiper deployed in Ukraine. In contrast to the beforehand used variants, this time CaddyWiper was compiled as an x64 Home windows binary.
On October 5th, 2022, we recognized a brand new model of HermeticWiper that had been uploaded to VirusTotal. The performance of this HermeticWiper pattern was the identical as within the earlier cases, with a couple of minor adjustments.
On October 11th, 2022, we detected Status ransomware being deployed towards logistics corporations in Ukraine and Poland. This marketing campaign was additionally reported by Microsoft.
On the identical day, we additionally recognized a beforehand unknown wiper, which we named NikoWiper. This wiper was used towards an organization within the vitality sector in Ukraine. NikoWiper is predicated on the SDelete Microsoft command line utility for securely deleting information.
On November 11th, 2022, CERT-UA published a blogpost about an assault utilizing the Somia fake ransomware.
On November 21st, 2022, we detected in Ukraine new ransomware written in .NET that we named RansomBoggs. The ransomware has a number of references to the film Monsters, Inc. We noticed that the malware operators used POWERGAP scripts to deploy this filecoder.
In 2023 the disruptive assaults towards Ukrainian establishments proceed.
On January 1st, 2023, we detected execution of the SDelete utility at a Ukrainian software program reseller.
One other assault utilizing a number of wipers, this time towards a Ukrainian information company, occurred on January 17th, 2023, according to CERT-UA. The next wipers had been detected on this assault: CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. BidSwipe is noteworthy, as it’s a FreeBSD OS wiper.
On January 25th, 2023, we detected a brand new wiper, written in Go and that we named SwiftSlicer, being deployed towards Ukrainian native authorities entities.
In nearly all of the above-mentioned circumstances, Sandworm used Energetic Listing Group Coverage (T1484.001) to deploy its wipers and ransomware, particularly utilizing the POWERGAP script.
The usage of disruptive wipers – and even wipers masquerading as ransomware – by Russian APT teams, particularly Sandworm, towards Ukrainian organizations is hardly new. Since round 2014, BlackEnergy employed disruptive plugins; the KillDisk wiper was a typical denominator in Sandworm assaults up to now; and the Telebots subgroup has launched quite a few wiper assaults, most infamously NotPetya.
But the intensification of wiper campaigns for the reason that navy invasion in February 2022 has been unprecedented. On a optimistic word, most of the assaults have been detected and thwarted. Nonetheless, we proceed to watch the state of affairs vigilantly, as we anticipate the assaults to proceed.
ESET Analysis additionally provides non-public APT intelligence reviews and information feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page
|SHA-1||Filename||ESET detection identify||Description|
|189166D382C73C242BA45889D57980548D4BA37E||stage1.exe||Win32/KillMBR.NGI||WhisperGate stage 1 MBR overwriter.|
|A67205DC84EC29EB71BB259B19C1A1783865C0FC||N/A||Win32/KillFiles.NKU||WhisperGate stage 2 last payload.|
|48F54A1D93C912ADF36C79BB56018DEFF190A35C||ukcphone.exe||Win32/Agent.AECG||ArguePatch shellcode loader.|
|6FA04992C0624C7AA3CA80DA6A30E6DE91226A16||peremoga.exe||Win32/Agent.AECG||ArguePatch shellcode loader.|
|9CE1491CE69809F92AE1FE8D4C0783BD1D11FBE7||pa1.pay||Win32/KillDisk.NDA||Encrypted CaddyWiper shellcode.|
|3CDBC19BC4F12D8D00B81380F7A2504D08074C15||wobf.sh||Linux/KillFiles.C||AwfulShred Linux wiper.|
|8FC7646FA14667D07E3110FE754F61A78CFDE6BC||wsol.sh||Linux/KillFiles.B||SoloShred Solaris wipe.|
|796362BD0304E305AD120576B6A8FB6721108752||eset_ssl_filtered_cert_importer.exe||Win32/Agent.AEGY||ArguePatch shellcode loader.|
|8F3830CB2B93C21818FDBFCF526A027601277F9B||spn.exe||Win32/Agent.AEKA||ArguePatch shellcode loader.|
|3D5C2E1B792F690FBCF05441DF179A3A48888618||mslrss.exe||Win32/Agent.AEKA||ArguePatch shellcode loader.|
Phishing Domains Tanked After Meta Sued Freenom – Krebs on Safety
Researchers discover new ICS malware toolkit designed to trigger electrical energy outages
2 Lenses for Inspecting the Security of Open Supply Software program
Shedding mild on AceCryptor and its operation
The MitM assault that actually had a Man within the Center – Bare Safety