As war in Ukraine rages, new destructive malware continues to be discovered.
In a recent tweet, the Ukrainian Computer Emergency Response Team (CERT-UA) named five wipers used against Ukrinform, Ukraine’s national news agency. It suspects a link to the Sandworm group.
A wiper is a type of malware that erases the contents of the affected computer’s hard drive, without its user’s consent.
While it may seem trivial to code a data wiper, simply deleting files is a very sloppy method that is usually easy to reverse. Computers are very bad at “forgetting”, and deleting a file usually only removes the pointer to the file, not the file itself.
There are a great variety of obstacles that have to be overcome to get a data wiper to work effectively. Among them: The attacker has to get the wiper on to the target system; they have to bypass any security that will stop an attempt to remove data without proper authorization; they may have to get around protections on disk sectors like the master boot record (MBR); and they will want to make restoration from backups as hard as possible.
Effectively this takes a dropper, to get the payload on the target system; a method to gain persistence, so the attacker can start their malicious process at will; a method to avoid detection; elevated privileges; and a method to overrule the operating system’s restrictions.
For those interested in that kind of thing, last year we posted a detailed analysis of HermeticWiper, a wiper used against Ukraine in the very early stages of Russia’s invasion. The article is very technical but it gives you an idea of what it takes to create an effective data wiper. And we featured another blog that discussed IsaacWiper and CaddyWiper.
The Sandworm group, a Russian state-sponsored group of cybercriminals, has been known to target Ukrainian companies and government agencies. It is tought to be responsible for destroying entire Ukrainian networks, triggering blackouts by targeting electrical utilities with BlackEnergy malware, and releasing the infamous NotPetya malware in 2017. Not Petya is the name given to a later version of the Petya malware that began spreading rapidly, with infection sites focused in Ukraine, but from there it also spread across Europe and beyond.
At the request of Ukrinform, CERT-UA started an investigation into a cyberattack which took place on January 17, 2023. It found that the initial access had been established on December 7, 2022, so the threat actor waited over a month to initiate the final stage of the attack.
Based on the results of the investigation, CERT-UA says it is confident the attack was carried out by the UAC-0082 group, which is its name for the Sandworm group.
The team found 5 active wipers in the information and communication system of Ukrinform:
- CaddyWiper (Windows)
- ZeroWipe (Windows)
- SDelete (legitimate Windows utility)
- AwfulShred (Linux)
- BidSwipe (FreeBSD)
IOCs for these wipers can be found at the bottom of the article by CERT-UA.