A year of wiper attacks in Ukraine

ESET Research has compiled a timeline of cyberattacks that used wiper malware and have occurred since Russia's invasion of Ukraine in 2022

This blogpost presents a compiled overview of the disruptive wiper attacks that we have observed in Ukraine since the beginning of 2022, shortly before the Russian military invasion started. We were able to attribute the majority of these attacks to Sandworm, with varying levels of confidence. The compilation includes attacks seen by ESET, as well as some reported by other reputable sources such as CERT-UA, Microsoft, and SentinelOne.

Timeline figure (sources cited in the figure): ESET Research blogposts (Destructive malware targeting Ukrainian organizations; IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine; Industroyer2: Industroyer reloaded; RansomBoggs: New ransomware targeting Ukraine; SwiftSlicer: New destructive wiper malware strikes Ukraine), ESET APT Activity Reports T2 2022 and T3 2022, CERT-UA notifications, Microsoft (An overview of Russia's cyberattack activity in Ukraine; New "Prestige" ransomware impacts organizations in Ukraine and Poland), and SentinelOne (AcidRain | A Modem Wiper Rains Down on Europe).

Note: Approximate dates (~) are used when the exact date of deployment is uncertain or unknown. In some cases, the date of discovery or (in the case of non-ESET discoveries) the date of publication of the attack is used.

Pre-invasion

Among numerous waves of DDoS attacks that were targeting Ukrainian institutions at the time, the WhisperGate malware struck on January 14th, 2022. The wiper masqueraded as ransomware, echoing NotPetya from June 2017, a tactic that would also be seen in later attacks.

On February 23rd, 2022, a destructive campaign using HermeticWiper targeted hundreds of systems in at least five Ukrainian organizations. This data wiper was first observed just before 17:00 local time (15:00 UTC): the cyberattack preceded, by a few hours, the invasion of Ukraine by Russian Federation forces. Along with HermeticWiper, the HermeticWizard worm and the HermeticRansom fake ransomware were also deployed in the campaign.

Invasion and spring wave

On February 24th, 2022, with the Ukrainian winter thawing away, a second destructive attack against a Ukrainian governmental network started, using a wiper we have named IsaacWiper.

Also on the day of the invasion, the AcidRain wiper campaign targeted Viasat KA-SAT modems, with spillover outside of Ukraine as well.

Another wiper, initially disclosed by Microsoft, is DesertBlade, reportedly deployed on March 1st, 2022 and again around March 17th, 2022. The same report also mentions attacks using wipers from the Hermetic campaign, namely HermeticWiper (Microsoft calls it FoxBlade) around March 10th, 2022, HermeticRansom (Microsoft calls it SonicVote) around March 17th, 2022, and an attack around March 24th, 2022 using both HermeticWiper and HermeticRansom.

CERT-UA reported on its discovery of the DoubleZero wiper on March 17th, 2022.

On March 14th, 2022, ESET researchers detected an attack using CaddyWiper, which targeted a Ukrainian bank.

On April 1st, 2022, we detected CaddyWiper again, this time being loaded by the ArguePatch loader, which is typically a modified, legitimate binary that is used to load shellcode from an external file. We detected a similar scenario on May 16th, 2022, where ArguePatch took the form of a modified ESET binary.

We also detected the ArguePatch-CaddyWiper tandem on April 8th, 2022, in perhaps the most ambitious Sandworm attack since the beginning of the invasion: their unsuccessful attempt to disrupt the flow of electricity using Industroyer2. In addition to ArguePatch and CaddyWiper, in this incident we also discovered wipers for non-Windows platforms: ORCSHRED, SOLOSHRED, and AWFULSHRED. For details, see the notification by CERT-UA and our WeLiveSecurity blogpost.

A quieter summer

The summer months saw fewer discoveries of new wiper campaigns in Ukraine compared to the previous months, yet several notable attacks did occur.

We have worked together with CERT-UA on cases of ArguePatch (and CaddyWiper) deployments against Ukrainian institutions. The first incident took place in the week starting June 20th, 2022, and another on June 23rd, 2022.

Autumn wave

With temperatures dropping in preparation for the northern winter, on October 3rd, 2022 we detected a new version of CaddyWiper deployed in Ukraine. Unlike the previously used variants, this time CaddyWiper was compiled as an x64 Windows binary.

On October 5th, 2022, we identified a new version of HermeticWiper that had been uploaded to VirusTotal. The functionality of this HermeticWiper sample was the same as in the previous instances, with several minor changes.

On October 11th, 2022, we detected Prestige ransomware being deployed against logistics companies in Ukraine and Poland. This campaign was also reported by Microsoft.

On the same day, we also identified a previously unknown wiper, which we named NikoWiper. This wiper was used against a company in the energy sector in Ukraine. NikoWiper is based on SDelete, the Microsoft (Sysinternals) command line utility for securely deleting files.

On November 11th, 2022, CERT-UA published a blogpost about an attack using the Somnia fake ransomware.

On November 21st, 2022, we detected in Ukraine new ransomware written in .NET that we named RansomBoggs. The ransomware has several references to the movie Monsters, Inc. We observed that the malware operators used POWERGAP scripts to deploy this filecoder.

January 2023

In 2023 the disruptive attacks against Ukrainian institutions continue.

On January 1st, 2023, we detected execution of the SDelete utility at a Ukrainian software reseller.

Another attack using multiple wipers, this time against a Ukrainian news agency, took place on January 17th, 2023, according to CERT-UA. The following wipers were detected in this attack: CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. BidSwipe is noteworthy, as it is a wiper for FreeBSD.

On January 25th, 2023, we detected a new wiper, written in Go, that we named SwiftSlicer being deployed against Ukrainian local government entities.

In almost all of the above-mentioned cases, Sandworm used Active Directory Group Policy (T1484.001) to deploy its wipers and ransomware, specifically using the POWERGAP script.
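Two pieces of tradecraft in the timeline above are hunt-worthy on a defender's own telemetry: SDelete-style volume wiping (NikoWiper is built on SDelete, and SDelete itself was executed in the January 1st, 2023 incident) and Group Policy modification (T1484.001) used to push the payloads to domain hosts. The script below is an added example written for this page, not ESET, CERT-UA or Sandworm code, and it does not reproduce POWERGAP. The log records it runs over are constructed; their field names follow Sysmon Event ID 1 (process creation, including the PE OriginalFileName that survives a renamed binary) and Windows Security Event ID 5136 (directory service object modified). The 24-hour correlation window, the host and user names, and the GPO GUID are assumptions for the demo.

```python
"""Hunt for SDelete-style volume wiping and Group Policy Object edits (T1484.001).

Added example, not ESET or CERT-UA code. Input records are constructed; field
names follow Sysmon Event ID 1 and Windows Security Event ID 5136.
"""
from datetime import datetime, timedelta
import ntpath
import shlex

# SDelete switches that wipe free space (-z, -c) or recurse (-s): destructive use.
SDELETE_DESTRUCTIVE = {"-z", "-c", "-s"}
# File names SDelete ships under; Sysmon's OriginalFileName exposes the PE name
# even when the binary on disk has been renamed.
SDELETE_NAMES = {"sdelete.exe", "sdelete64.exe"}
# groupPolicyContainer attributes that change when a GPO is edited or gains a
# client-side extension (scripts, scheduled tasks, ...).
GPO_ATTRS = {"gpcmachineextensionnames", "gpcuserextensionnames",
             "versionnumber", "gpcfilesyspath"}


def _is_drive_root(token):
    """True for tokens such as C: or "C:\\" (whole-volume targets)."""
    t = token.strip('"').rstrip("\\")
    return len(t) == 2 and t[0].isalpha() and t[1] == ":"


def classify_sdelete(event):
    """Flag a process-creation event that looks like SDelete wiping a whole volume.

    Deleting a single file with SDelete (routine admin hygiene) is not flagged;
    wiping free space, recursing into a drive root, or running SDelete under a
    different file name is.
    """
    if event.get("EventID") != 1:
        return None
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    if original not in SDELETE_NAMES and image not in SDELETE_NAMES:
        return None
    # posix=False keeps Windows backslashes and quoted paths intact.
    tokens = shlex.split(event.get("CommandLine", ""), posix=False)
    switches = {"-" + t[1:].lower() for t in tokens if t[:1] in "-/"}
    wipes_free_space = bool(switches & {"-z", "-c"})
    recurses_root = "-s" in switches and any(_is_drive_root(t) for t in tokens[1:])
    if not (wipes_free_space or recurses_root):
        return None
    return {
        "type": "sdelete_wipe",
        "time": datetime.fromisoformat(event["UtcTime"]),
        "host": event.get("Computer"),
        "user": event.get("User"),
        "image": event.get("Image"),
        "renamed": image not in SDELETE_NAMES,
        "switches": sorted(switches),
    }


def classify_gpo_change(event):
    """Flag Security 5136 events that modify a Group Policy Object."""
    if event.get("EventID") != 5136:
        return None
    if event.get("ObjectClass", "").lower() != "grouppolicycontainer":
        return None
    if event.get("AttributeLDAPDisplayName", "").lower() not in GPO_ATTRS:
        return None
    return {
        "type": "gpo_modified",
        "time": datetime.fromisoformat(event["UtcTime"]),
        "user": event.get("SubjectUserName"),
        "gpo_dn": event.get("ObjectDN"),
        "attribute": event.get("AttributeLDAPDisplayName"),
    }


def hunt(events, window_hours=24):
    """Run both classifiers; mark wipes that follow a GPO edit within the window.

    The window is an assumption for the demo, not a dwell time measured in any
    of the incidents above.
    """
    gpo_changes = [a for a in map(classify_gpo_change, events) if a]
    wipes = [a for a in map(classify_sdelete, events) if a]
    for wipe in wipes:
        wipe["preceded_by_gpo_change"] = any(
            timedelta(0) <= wipe["time"] - g["time"] <= timedelta(hours=window_hours)
            for g in gpo_changes)
    return gpo_changes + wipes


# Constructed sample telemetry: one GPO edit, one renamed SDelete wiping C:,
# one benign single-file SDelete run, one unrelated process.
SAMPLE_EVENTS = [
    {"EventID": 5136, "UtcTime": "2023-01-01 06:10:12", "SubjectUserName": "svc_deploy",
     "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "ObjectDN": "CN={A1B2C3D4-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=example"},
    {"EventID": 1, "UtcTime": "2023-01-01 06:20:40", "Computer": "FS01", "User": "CORP\\svc_deploy",
     "Image": r"C:\Windows\Temp\svc_clean.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r'"C:\Windows\Temp\svc_clean.exe" -accepteula -p 3 -s -z C:'},
    {"EventID": 1, "UtcTime": "2023-01-01 09:02:05", "Computer": "WS07", "User": "CORP\\bob",
     "Image": r"C:\Tools\sdelete64.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r'sdelete64.exe -accepteula -nobanner -p 1 "C:\Users\bob\Desktop\old.docx"'},
    {"EventID": 1, "UtcTime": "2023-01-01 09:05:00", "Computer": "WS07", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Keying on OriginalFileName rather than the on-disk name is what makes the renamed copy visible; the benign single-file run is deliberately left unflagged so the rule stays usable on hosts where administrators run SDelete by hand.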

Conclusion

The use of disruptive wipers, and even wipers masquerading as ransomware, by Russian APT groups, especially Sandworm, against Ukrainian organizations is hardly new. Since around 2014, BlackEnergy employed disruptive plugins; the KillDisk wiper was a common denominator in Sandworm attacks in the past; and the Telebots subgroup has launched numerous wiper attacks, most infamously NotPetya.

Yet the intensification of wiper campaigns since the military invasion in February 2022 has been unprecedented. On a positive note, many of the attacks have been detected and thwarted. Nonetheless, we continue to monitor the situation vigilantly, as we expect the attacks to continue.

For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected].

ESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

| SHA-1 | Filename | ESET detection name | Description |
|---|---|---|---|
| 189166D382C73C242BA45889D57980548D4BA37E | stage1.exe | Win32/KillMBR.NGI | WhisperGate stage 1 MBR overwriter. |
| A67205DC84EC29EB71BB259B19C1A1783865C0FC | N/A | Win32/KillFiles.NKU | WhisperGate stage 2 final payload. |
| 912342F1C840A42F6B74132F8A7C4FFE7D40FB77 | com.exe | Win32/KillDisk.NCV | HermeticWiper. |
| 61B25D11392172E587D8DA3045812A66C3385451 | conhosts.exe | Win32/KillDisk.NCV | HermeticWiper. |
| F32D791EC9E6385A91B45942C230F52AFF1626DF | cc2.exe | WinGo/Filecoder.BK | HermeticRansom. |
| 86906B140B019FDEDAABA73948D0C8F96A6B1B42 | ukrop | Linux/AcidRain.A | AcidRain. |
| AD602039C6F0237D4A997D5640E92CE5E2B3BBA3 | cl64.dll | Win32/KillMBR.NHP | IsaacWiper. |
| 736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950 | cld.dll | Win32/KillMBR.NHQ | IsaacWiper. |
| E9B96E9B86FAD28D950CA428879168E0894D854F | clear.exe | Win32/KillMBR.NHP | IsaacWiper. |
| 5C01947A49280CE98FB39D0B72311B47C47BC5CC | clear.exe | Win32/KillMBR.NHP | IsaacWiper. |
| 59F5B9AECE751E58BE16E7F7A7A6D8C044F583BE | cll.exe | Win32/KillMBR.NHQ | IsaacWiper. |
| 172FBE91867C1D6B7F3E2899CEA69113BB1F21A0 | notes.exe | WinGo/KillFiles.A | DesertBlade wiper. |
| 46671348C1A61B3A8BFBA025E64E5549B7FDFA98 | N/A | Win32/KillDisk.NCV | HermeticWiper. |
| DB0DA0D92D90657EA91C02336E0605E96DB92C05 | clrs.exe | Win32/KillDisk.NCV | HermeticWiper. |
| 98B3FB74B3E8B3F9B05A82473551C5A77B576D54 | caddy.exe | Win32/KillDisk.NCX | CaddyWiper. |
| 320116162D78AFB8E00FD972591479A899D3DFEE | cpcrs.exe | MSIL/KillFiles.CK | DoubleZero wiper. |
| 43B3D5FFAE55116C68C504339C5D953CA25C0E3F | csrss.exe | MSIL/KillFiles.CK | DoubleZero wiper. |
| 48F54A1D93C912ADF36C79BB56018DEFF190A35C | ukcphone.exe | Win32/Agent.AECG | ArguePatch shellcode loader. |
| 6FA04992C0624C7AA3CA80DA6A30E6DE91226A16 | peremoga.exe | Win32/Agent.AECG | ArguePatch shellcode loader. |
| 9CE1491CE69809F92AE1FE8D4C0783BD1D11FBE7 | pa1.pay | Win32/KillDisk.NDA | Encrypted CaddyWiper shellcode. |
| 3CDBC19BC4F12D8D00B81380F7A2504D08074C15 | wobf.sh | Linux/KillFiles.C | AwfulShred Linux wiper. |
| 8FC7646FA14667D07E3110FE754F61A78CFDE6BC | wsol.sh | Linux/KillFiles.B | SoloShred Solaris wiper. |
| 796362BD0304E305AD120576B6A8FB6721108752 | eset_ssl_filtered_cert_importer.exe | Win32/Agent.AEGY | ArguePatch shellcode loader. |
| 8F3830CB2B93C21818FDBFCF526A027601277F9B | spn.exe | Win32/Agent.AEKA | ArguePatch shellcode loader. |
| 3D5C2E1B792F690FBCF05441DF179A3A48888618 | mslrss.exe | Win32/Agent.AEKA | ArguePatch shellcode loader. |
| EB437FF79E639742EE36E89F30C6A21072B86CBC | caclcly.exe | Win64/Agent.BQZ | CaddyWiper x64. |
| 57E3D0108636F6EE56C801F128306AD43AF60EE6 | cmrss.exe | Win32/KillDisk.NCV | HermeticWiper. |
| 986BA7A5714AD5B0DE0D040D1C066389BCB81A67 | open.exe | Win32/Filecoder.Prestige.A | Prestige filecoder. |
| C7186DEF5E9C3E1B01BF506F538F5D6185377A9C | sysate32.exe | Win32/Filecoder.Prestige.A | Prestige filecoder. |
| 59621F5EFC311FDFE66683266CE9CB17F8227B23 | mstc_niko.exe | Win32/DelAll.NAH | NikoWiper. |
| 84E6A010B372D845C723A8B8D7DDD8D79675DCE5 | Sullivan.1.v2.0.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
| F4D1C047923B9D10031BB709AABF1A250AB0AAA2 | Sullivan.1.v4.5.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
| 9A3D63C6E127243B3036BC0E242789EC1D2AB171 | Sullivan.2.v2.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
| BB187EB125070176BD7EC6C57CFF166708DD60E1 | Sullivan.2.v4.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
| 3D593A39FA20FED851B9BEFB4FF2D391B43BDF08 | Sullivan.v2.5.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
| 021308C361C8DE7C38EF135BC3B53439EB4DA0B4 | Sullivan.v4.5.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
| 7346E2E29FADDD63AE5C610C07ACAB46B2B1B176 | assist.exe | WinGo/KillFiles.C | SwiftSlicer wiper. |