A year of wiper strikes in Ukraine

This blog post presents a compiled overview of the annoying wiper attacks we’ve been observing in Ukraine since early 2022, shortly before the Russian military invasion began. We can attribute most of these attacks to Sandworm, with varying degrees of confidence. The compilation includes attacks seen by ESET, as well as some reported by other trusted sources such as CERT-UA, Microsoft, and SentinelOne.

Note: Estimated date (~) is used when the exact date of deployment is uncertain or unknown. In some cases, the discovery date or (in the case of non-ESET discovery) the attack publication date is used.

Pre-invasion

Among the many waves DDoS attack that had targeted Ukrainian institutions at the time, ie WhisperGate the malware hit on January 14th^th2022. Wiper masquerades as ransomware, echoing NotPetya from June 2017 – a tactic that will also be seen in later attacks.

On February 23^rd, 2022, a destructive campaign using HermeticWiper targeted hundreds of systems in at least five Ukrainian organizations. This data wipe was first spotted just before 17:00 local time (15:00 UTC): the cyber attack preceded, by only a few hours, the invasion of Ukraine by Russian Federation forces. Along with HermeticWiper, the HermeticWizard worm and HermeticRansom faux ransomware were also deployed in the campaign.

Invasion and spring tide

On February 24^th2022, with the winter melting in Ukraine, the second destructive attack on the network of the Ukrainian government begins, using an eraser we named IsaacWiper.

Also on the day of the invasion, that is Acid rain the wiper campaign targets Viasat KA-SAT modems, with spillovers also outside Ukraine.

Another eraser, originally disclosed by Microsoft, is DesertBladereportedly deployed on March 1^st2022 and again around March 17th^th2022. The same report also mentions attacks using wipers from the Hermetic campaign, namely HermeticWiper (Microsoft calls it FoxBlade) around March 10, 2022, HermeticRansom (Microsoft calls it SonicVote) around March 17^th2022, and the attacks around March 24th^th2022 uses HermeticWiper and HermeticRansom.

CERT-UA reports its findings about DoubleZero eraser on March 17th^th2022.

On March 14th^th2022, ESET researchers detect an attack using CaddyWipertargeting Ukrainian banks.

On April 1^st, 2022, we detect CaddyWiper again, this time loaded by the ArguePatch loader, which is usually a modified official binary used to load shell code from external files. We detected a similar scenario on May 16, 2022, where ArguePatch took shape modified ESET binary.

We also detected the ArguePatch-CaddyWiper tandem on April 8th^th, 2022, perhaps the Sandworm’s most ambitious attack since the invasion’s inception: their failed attempt to disrupt the flow of electricity using Industroyer2. Besides ArguePatch and CaddyWiper, in this incident, we also found wipers for non-Windows platforms: ORCSHRED, SOLOSHRED, and AWFULSHRED. For details, see notification by CERT-UAand our WeLiveSecurity blog post.

Summers are quieter

The summer months saw fewer new wipeout campaign discoveries in Ukraine than in previous months, but some notable attacks did occur.

We have worked closely with CERT-UA on the case of implementing ArguePatch (and CaddyWiper) against Ukrainian institutions. The first incident occurred within a week of June 20^th2022, and another on June 23^rd2022.

Autumn waves

With temperatures dropping in preparation for the northern winter, on Oct. 3^rd, 2022 we detected a new version of CaddyWiper applied in Ukraine. Unlike the previously used variants, this time CaddyWiper is compiled as a Windows x64 binary.

On October 5th^th, 2022, we identified a new version of HermeticWiper that has been uploaded to VirusTotal. The functionality of this HermeticWiper sample is the same as the previous example, with a few minor changes.

On October 11^th, 2022, we detected Prestige ransomware used against logistics companies in Ukraine and Poland. This campaign too reported by Microsoft.

On the same day, we also identified a previously unknown eraser, which we named NikoWiper. These wipers were used against companies in the energy sector in Ukraine. NikoWiper is based on SDelete Microsoft command line utility for securely deleting files.

On November 11th^th2022, CERT-UA published a blog post about the attack using the fake Somnia ransomware.

On November 21^st2022, we detected in Ukraine a new ransomware written in .NET which we named RansomBoggs. The ransomware has many references to the movie Monsters, Inc. We observed that malware operators use POWERGAP scripts to use this filecoder.

January 2023

In 2023, disturbing attacks on Ukrainian institutions continue.

On January 1^st2023, we detected an execution SDelete utility in the Ukrainian software retailer.

Another attack using multiple wipers, this time against a Ukrainian news agency, occurred on 17 January^th2023, according to CERT-UA. The following wipers were detected in this attack: CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. BidSwipe is noteworthy, as it is a FreeBSD OS wiper.

On January 25th^th2023, we detected a new eraser, written in Go and we named it SwiftSlicerdeployed against Ukrainian local government entities.

In almost all of the cases mentioned above, Sandworm uses Active Directory Group Policy (T1484.001) to spread wipers and ransomware, specifically using the POWERGAP script.

Conclusion

The use of disruptive wipers – and even wipers disguised as ransomware – by Russian APT groups, notably Sandworm, against Ukrainian organizations is nothing new. Since circa 2014, BlackEnergy has been using annoying plugins; the KillDisk wiper was a common denominator in past Sandworm attacks; and the Telebots subgroup has launched many wipe-out attacks, the most famous of which is NotPetya.

But the intensification of the wipeout campaign since the military invasion in February 2022 is unprecedented. On a positive note, many attacks have been detected and thwarted. However, we continue to monitor the situation vigilantly, as we expect the attacks to continue.

IoC

files