ESET Analysis has compiled a timeline of cyberattacks that used wiper malware and have occurred since Russia’s invasion of Ukraine in 2022
This blogpost presents a compiled overview of the disruptive wiper assaults that we’ve noticed in Ukraine for the reason that starting of 2022, shortly earlier than the Russian army invasion began. We had been in a position to attribute nearly all of these assaults to Sandworm, with various levels of confidence. The compilation consists of assaults seen by ESET, in addition to some reported by different respected sources like CERT-UA, Microsoft, and SentinelOne.
Be aware: Approximate dates (~) are used when the precise date of deployment in unsure or unknown. In some circumstances, the date of discovery or (within the case of non-ESET discoveries) the date of publication of the assault is used.
Amongst quite a few waves of DDoS attacks that had been focusing on Ukrainian establishments on the time, the WhisperGate malware struck on January 14th, 2022. The wiper masqueraded as ransomware, echoing NotPetya from June 2017 – a tactic that might even be seen in later assaults.
On February 23rd, 2022, a harmful marketing campaign utilizing HermeticWiper focused lots of of methods in not less than 5 Ukrainian organizations. This knowledge wiper was first noticed simply earlier than 17:00 native time (15:00 UTC): the cyberattack preceded, by only some hours, the invasion of Ukraine by Russian Federation forces. Alongside HermeticWiper, the HermeticWizard worm and HermeticRansom fake ransomware had been additionally deployed within the marketing campaign.
Invasion and spring wave
On February 24th, 2022, with the Ukrainian winter thawing away, a second harmful assault in opposition to a Ukrainian governmental community began, utilizing a wiper we’ve named IsaacWiper.
Additionally on the day of the invasion, the AcidRain wiper marketing campaign focused Viasat KA-SAT modems, with spillover exterior of Ukraine as properly.
One other wiper, initially disclosed by Microsoft, is DesertBlade, reportedly deployed on March 1st, 2022 and once more round March 17th, 2022. The identical report additionally mentions assaults utilizing wipers from the Airtight marketing campaign, particularly HermeticWiper (Microsoft calls it FoxBlade) round March tenth, 2022, HermeticRansom (Microsoft calls it SonicVote) round March 17th, 2022, and an assault round March 24th, 2022 utilizing each HermeticWiper and HermeticRansom.
CERT-UA reported on its discovery of the DoubleZero wiper on March 17th, 2022.
On March 14th, 2022, ESET researchers detected an assault utilizing CaddyWiper, which focused a Ukrainian financial institution.
On April 1st, 2022, we detected CaddyWiper once more, this time being loaded by the ArguePatch loader, which is often a modified, reliable binary that’s used to load shellcode from an exterior file. We detected the same state of affairs on Might sixteenth, 2022, the place ArguePatch took the type of a modified ESET binary.
We additionally detected the ArguePatch-CaddyWiper tandem on April 8th, 2022, in maybe probably the most formidable Sandworm assaults for the reason that starting of the invasion: their unsuccessful try and disrupt the circulation of electrical energy utilizing Industroyer2. Along with ArguePatch and CaddyWiper, on this incident, we additionally found wipers for non-Home windows platforms: ORCSHRED, SOLOSHRED, and AWFULSHRED. For particulars, see the notification by CERT-UA, and our WeLiveSecurity blogpost.
A quieter summer season
The summer season months noticed fewer discoveries of recent wiper campaigns in Ukraine as in comparison with the earlier months, but a number of notable assaults did happen.
We now have labored along with CERT-UA on circumstances of ArguePatch (and CaddyWiper) deployments in opposition to Ukrainian establishments. The primary incident befell within the week beginning June 20th, 2022, and one other on June 23rd, 2022.
With temperatures dropping in preparation for the northern winter, on October 3rd, 2022 we detected a brand new model of CaddyWiper deployed in Ukraine. In contrast to the beforehand used variants, this time CaddyWiper was compiled as an x64 Home windows binary.
On October 5th, 2022, we recognized a brand new model of HermeticWiper that had been uploaded to VirusTotal. The performance of this HermeticWiper pattern was the identical as within the earlier cases, with a number of minor modifications.
On October 11th, 2022, we detected Status ransomware being deployed in opposition to logistics corporations in Ukraine and Poland. This marketing campaign was additionally reported by Microsoft.
On the identical day, we additionally recognized a beforehand unknown wiper, which we named NikoWiper. This wiper was used in opposition to an organization within the power sector in Ukraine. NikoWiper relies on the SDelete Microsoft command line utility for securely deleting recordsdata.
On November 11th, 2022, CERT-UA published a blogpost about an assault utilizing the Somnia fake ransomware.
On November 21st, 2022, we detected in Ukraine new ransomware written in .NET that we named RansomBoggs. The ransomware has a number of references to the film Monsters, Inc. We noticed that the malware operators used POWERGAP scripts to deploy this filecoder.
In 2023 the disruptive assaults in opposition to Ukrainian establishments proceed.
On January 1st, 2023, we detected execution of the SDelete utility at a Ukrainian software program reseller.
One other assault utilizing a number of wipers, this time in opposition to a Ukrainian information company, befell on January 17th, 2023, according to CERT-UA. The next wipers had been detected on this assault: CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. BidSwipe is noteworthy, as it’s a FreeBSD OS wiper.
On January 25th, 2023, we detected a brand new wiper, written in Go and that we named SwiftSlicer, being deployed in opposition to Ukrainian native authorities entities.
In nearly all of the above-mentioned circumstances, Sandworm used Energetic Listing Group Coverage (T1484.001) to deploy its wipers and ransomware, particularly utilizing the POWERGAP script.
The usage of disruptive wipers – and even wipers masquerading as ransomware – by Russian APT teams, particularly Sandworm, in opposition to Ukrainian organizations is hardly new. Since round 2014, BlackEnergy employed disruptive plugins; the KillDisk wiper was a standard denominator in Sandworm assaults up to now; and the Telebots subgroup has launched quite a few wiper assaults, most infamously NotPetya.
But the intensification of wiper campaigns for the reason that army invasion in February 2022 has been unprecedented. On a constructive be aware, lots of the assaults have been detected and thwarted. Nonetheless, we proceed to observe the scenario vigilantly, as we anticipate the assaults to proceed.
ESET Analysis additionally presents non-public APT intelligence stories and knowledge feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page
|SHA-1||Filename||ESET detection title||Description|
|189166D382C73C242BA45889D57980548D4BA37E||stage1.exe||Win32/KillMBR.NGI||WhisperGate stage 1 MBR overwriter.|
|A67205DC84EC29EB71BB259B19C1A1783865C0FC||N/A||Win32/KillFiles.NKU||WhisperGate stage 2 remaining payload.|
|48F54A1D93C912ADF36C79BB56018DEFF190A35C||ukcphone.exe||Win32/Agent.AECG||ArguePatch shellcode loader.|
|6FA04992C0624C7AA3CA80DA6A30E6DE91226A16||peremoga.exe||Win32/Agent.AECG||ArguePatch shellcode loader.|
|9CE1491CE69809F92AE1FE8D4C0783BD1D11FBE7||pa1.pay||Win32/KillDisk.NDA||Encrypted CaddyWiper shellcode.|
|3CDBC19BC4F12D8D00B81380F7A2504D08074C15||wobf.sh||Linux/KillFiles.C||AwfulShred Linux wiper.|
|8FC7646FA14667D07E3110FE754F61A78CFDE6BC||wsol.sh||Linux/KillFiles.B||SoloShred Solaris wipe.|
|796362BD0304E305AD120576B6A8FB6721108752||eset_ssl_filtered_cert_importer.exe||Win32/Agent.AEGY||ArguePatch shellcode loader.|
|8F3830CB2B93C21818FDBFCF526A027601277F9B||spn.exe||Win32/Agent.AEKA||ArguePatch shellcode loader.|
|3D5C2E1B792F690FBCF05441DF179A3A48888618||mslrss.exe||Win32/Agent.AEKA||ArguePatch shellcode loader.|