Ukraine’s Computer Emergency Response Team (CERT-UA) discovered a cocktail of five different strains of data-erasing malware deployed on the network of the country’s national news agency (Ukrinform) on 17 January.
“As of January 27, 2023, 5 samples of malicious programs (scripts) have been detected, the functionality of which is aimed at violating the integrity and availability of information (writing files/disks with zero bytes/arbitrary data and their subsequent deletion), ” CERT-UA said (automatic translation from Ukrainian).
The list of destructive malware deployed in the attack on Ukrinform includes CaddyWiper (Windows), ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), and BidSwipe (FreeBSD).
Two of the five strains, ZeroWipe and BidSwipe, are either new malware or are tracked by Ukrainians under different names than those used by anti-malware vendors.
The attackers launched the CaddyWiper malware using a Windows Group Policy (GPO), showing that they had previously penetrated the target’s network.
As CERT-UA discovered during the investigation, the threat actors gained remote access to Ukrinform’s network around December 7 and waited over a month to release the software cocktail. malicious.
However, their attempt to erase all data from the news agency’s systems failed. Wipers only managed to destroy files on “several data storage systems”, which did not impact Ukrinform’s operations.
“CERT-UA emphasizes that the cyberattack was only a partial success, especially with regard to a limited number of data storage systems,” the State Service for Special Communications and Protection said. of Information (SSSCIP) of Ukraine. added.
Cyber Attack Linked to Russian Military Sandworm Hackers
CERT-UA linked the attack to the threat group Sandworm last week, a hacking team part of Russian military unit 74455 of the Main Intelligence Directorate (GRU).
Sandworm also used the CaddyWiper data cleaner in another failed attack from April targeting a major Ukrainian energy supplier.
In this attack, the Russian hackers used a similar tactic, deploying CaddyWiper to erase the traces left by the Industroyer ICS malware, along with three other wipers designed for Linux and Solaris systems, and tracked as Orcshred, Soloshred and Awfulshred.
Since Russia invaded Ukraine in February 2022, several strains of data-wiping malware have been deployed on Ukrainian target networks in addition to CaddyWiper.