A year of wiper strikes in Ukraine
ESET Research has compiled a timeline of cyberattacks using wiper malware that have occurred since Russia’s invasion of Ukraine in 2022
This blog post presents a compiled overview of the annoying wiper attacks we’ve been observing in Ukraine since early 2022, shortly before the Russian military invasion began. We can attribute most of these attacks to Sandworm, with varying degrees of confidence. The compilation includes attacks seen by ESET, as well as some reported by other trusted sources such as CERT-UA, Microsoft, and SentinelOne.
Note: Estimated date (~) is used when the exact date of deployment is uncertain or unknown. In some cases, the discovery date or (in the case of non-ESET discovery) the attack publication date is used.
Among the many waves DDoS attack that had targeted Ukrainian institutions at the time, ie WhisperGate the malware hit on January 14thth2022. Wiper masquerades as ransomware, echoing NotPetya from June 2017 – a tactic that will also be seen in later attacks.
On February 23rd, 2022, a destructive campaign using HermeticWiper targeted hundreds of systems in at least five Ukrainian organizations. This data wipe was first spotted just before 17:00 local time (15:00 UTC): the cyber attack preceded, by only a few hours, the invasion of Ukraine by Russian Federation forces. Along with HermeticWiper, the HermeticWizard worm and HermeticRansom faux ransomware were also deployed in the campaign.
Invasion and spring tide
On February 24th2022, with the winter melting in Ukraine, the second destructive attack on the network of the Ukrainian government begins, using an eraser we named IsaacWiper.
Also on the day of the invasion, that is Acid rain the wiper campaign targets Viasat KA-SAT modems, with spillovers also outside Ukraine.
Another eraser, originally disclosed by Microsoft, is DesertBladereportedly deployed on March 1st2022 and again around March 17thth2022. The same report also mentions attacks using wipers from the Hermetic campaign, namely HermeticWiper (Microsoft calls it FoxBlade) around March 10, 2022, HermeticRansom (Microsoft calls it SonicVote) around March 17th2022, and the attacks around March 24thth2022 uses HermeticWiper and HermeticRansom.
CERT-UA reports its findings about DoubleZero eraser on March 17thth2022.
On March 14thth2022, ESET researchers detect an attack using CaddyWipertargeting Ukrainian banks.
On April 1st, 2022, we detect CaddyWiper again, this time loaded by the ArguePatch loader, which is usually a modified official binary used to load shell code from external files. We detected a similar scenario on May 16, 2022, where ArguePatch took shape modified ESET binary.
We also detected the ArguePatch-CaddyWiper tandem on April 8thth, 2022, perhaps the Sandworm’s most ambitious attack since the invasion’s inception: their failed attempt to disrupt the flow of electricity using Industroyer2. Besides ArguePatch and CaddyWiper, in this incident, we also found wipers for non-Windows platforms: ORCSHRED, SOLOSHRED, and AWFULSHRED. For details, see notification by CERT-UAand our WeLiveSecurity blog post.
Summers are quieter
The summer months saw fewer new wipeout campaign discoveries in Ukraine than in previous months, but some notable attacks did occur.
We have worked closely with CERT-UA on the case of implementing ArguePatch (and CaddyWiper) against Ukrainian institutions. The first incident occurred within a week of June 20th2022, and another on June 23rd2022.
With temperatures dropping in preparation for the northern winter, on Oct. 3rd, 2022 we detected a new version of CaddyWiper applied in Ukraine. Unlike the previously used variants, this time CaddyWiper is compiled as a Windows x64 binary.
On October 5thth, 2022, we identified a new version of HermeticWiper that has been uploaded to VirusTotal. The functionality of this HermeticWiper sample is the same as the previous example, with a few minor changes.
On October 11th, 2022, we detected Prestige ransomware used against logistics companies in Ukraine and Poland. This campaign too reported by Microsoft.
On the same day, we also identified a previously unknown eraser, which we named NikoWiper. These wipers were used against companies in the energy sector in Ukraine. NikoWiper is based on SDelete Microsoft command line utility for securely deleting files.
On November 11thth2022, CERT-UA published a blog post about the attack using the fake Somnia ransomware.
On November 21st2022, we detected in Ukraine a new ransomware written in .NET which we named RansomBoggs. The ransomware has many references to the movie Monsters, Inc. We observed that malware operators use POWERGAP scripts to use this filecoder.
In 2023, disturbing attacks on Ukrainian institutions continue.
On January 1st2023, we detected an execution SDelete utility in the Ukrainian software retailer.
Another attack using multiple wipers, this time against a Ukrainian news agency, occurred on 17 Januaryth2023, according to CERT-UA. The following wipers were detected in this attack: CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. BidSwipe is noteworthy, as it is a FreeBSD OS wiper.
On January 25thth2023, we detected a new eraser, written in Go and we named it SwiftSlicerdeployed against Ukrainian local government entities.
In almost all of the cases mentioned above, Sandworm uses Active Directory Group Policy (T1484.001) to spread wipers and ransomware, specifically using the POWERGAP script.
The use of disruptive wipers – and even wipers disguised as ransomware – by Russian APT groups, notably Sandworm, against Ukrainian organizations is nothing new. Since circa 2014, BlackEnergy has been using annoying plugins; the KillDisk wiper was a common denominator in past Sandworm attacks; and the Telebots subgroup has launched many wipe-out attacks, the most famous of which is NotPetya.
But the intensification of the wipeout campaign since the military invasion in February 2022 is unprecedented. On a positive note, many attacks have been detected and thwarted. However, we continue to monitor the situation vigilantly, as we expect the attacks to continue.
ESET Research also offers private APT intelligence reports and data feeds. For any questions about this service, please visit ESET Threat Intelligence page
|SHA-1||File name||ESET detection name||Information|
|189166D382C73C242BA45889D57980548D4BA37E||stage1.exe||Win32/KillMBR.NGI||Overwrite the Stage 1 WhisperGate MBR.|
|A67205DC84EC29EB71BB259B19C1A1783865C0FC||N/A||Win32/KillFiles.NKU||WhisperGate stage 2 final payload.|
|912342F1C840A42F6B74132F8A7C4FFE7D40FB77||com. exe||Win32/KillDisk. NCV||Hermetic Wipers.|
|61B25D11392172E587D8DA3045812A66C3385451||conhosts. exe||Win32/KillDisk. NCV||Hermetic Wipers.|
|86906B140B019FDEDAAABA73948D0C8F96A6B1B42||dil||Linux/Acid Rain.A||Acid rain.|
|AD602039C6F0237D4A997D5640E92CE5E2B3BBA3||cl64. dll||Win32/KillMBR. NHP||IsaacWiper.|
|736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950||cld. dll||Win32/KillMBR. NHQ||IsaacWiper.|
|E9B96E9B86FAD28D950CA428879168E0894D854F||clean. exe||Win32/KillMBR. NHP||IsaacWiper.|
|5C01947A49280CE98FB39D0B72311B47C47BC5CC||clean. exe||Win32/KillMBR. NHP||IsaacWiper.|
|172FBE91867C1D6B7F3E2899CEA69113BB1F21A0||notes. exe||WinGo/KillFiles. A||DesertBlade eraser.|
|46671348C1A61B3A8BFBA025E64E5549B7FDFA98||N/A||Win32/KillDisk. NCV||Hermetic Wipers.|
|DB0DA0D92D90657EA91C02336E0605E96DB92C05||clrs.exe||Win32/KillDisk. NCV||Hermetic Wipers.|
|320116162D78AFB8E00FD972591479A899D3DFEE||cpcrs.exe||MSIL/KillFiles. CK||DoubleZero eraser.|
|43B3D5FFAE55116C68C504339C5D953CA25C0E3F||csrss.exe||MSIL/KillFiles. CK||DoubleZero eraser.|
|48F54A1D93C912ADF36C79BB56018DEFF190A35C||ukcphone.exe||Win32/Agent. AECG||ArguePatch shell code loader.|
|6FA04992C0624C7AA3CA80DA6A30E6DE91226A16||peremoga.exe||Win32/Agent. AECG||ArguePatch shell code loader.|
|9CE1491CE69809F92AE1FE8D4C0783BD1D11FBE7||pa1. pay||Win32/KillDisk.NDA||Encrypted CaddyWiper shell code.|
|3CDBC19BC4F12D8D00B81380F7A2504D08074C15||wobf. sh||Linux/KillFiles. C||AwfulShred Linux remover.|
|8FC7646FA14667D07E3110FE754F61A78CFDE6BC||wsol. sh||Linux/KillFiles. B||SoloShred Solaris delete.|
|796362BD0304E305AD120576B6A8FB6721108752||eset_ssl_filtered_cert_importer.exe||Win32/Agent. AEGY||ArguePatch shell code loader.|
|8F3830CB2B93C21818FDBFCF526A027601277F9B||spn.exe||Win32/Agent. AEKA||ArguePatch shell code loader.|
|3D5C2E1B792F690FBCF05441DF179A3A48888618||mslrss.exe||Win32/Agent. AEKA||ArguePatch shell code loader.|
|57E3D0108636F6EE56C801F128306AD43AF60EE6||cmrss.exe||Win32/KillDisk. NCV||Hermetic Wipers.|
|986BA7A5714AD5B0DE0D040D1C066389BCB81A67||open. exe||Win32/Filecoder.Prestige.A||Prestige filecoder.|
|59621F5EFC311FDFE66683266CE9CB17F8227B23||mstc_niko. exe||Win32/DelAll. NAH||NikoWiper.|
|3D593A39FA20FED851B9BEFB4FF2D391B43BDF08||Sullivan. v2.5.exe||MSIL/Filecoder.RansomBoggs.A||Filecoder RansomBoggs.|
|7346E2E29FADDD63AE5C610C07ACAB46B2B1B176||help. exe||WinGo/KillFiles. C||SwiftSlicer Remover.|