ESET Research has compiled a timeline of cyberattacks that used wiper malware and have occurred since Russia’s invasion of Ukraine in 2022
This blogpost presents a compiled overview of the disruptive wiper attacks that we have observed in Ukraine since the beginning of 2022, shortly before the Russian military invasion started. We were able to attribute the majority of these attacks to Sandworm, with varying levels of confidence. The compilation includes attacks seen by ESET, as well as some reported by other reputable sources like CERT-UA, Microsoft, and SentinelOne.
Note: Approximate dates (~) are used when the exact date of deployment is uncertain or unknown. In some cases, the date of discovery or (in the case of non-ESET discoveries) the date of publication of the attack is used.
Pre-invasion
Among numerous waves of DDoS attacks that were targeting Ukrainian institutions at the time, the WhisperGate malware struck on January 14th, 2022. The wiper masqueraded as ransomware, echoing NotPetya from June 2017 – a tactic that would also be seen in later attacks.
On February 23rd, 2022, a destructive campaign using HermeticWiper targeted hundreds of systems in at least five Ukrainian organizations. This data wiper was first observed just before 17:00 local time (15:00 UTC): the cyberattack preceded, by a few hours, the invasion of Ukraine by Russian Federation forces. Alongside HermeticWiper, the HermeticWizard worm and HermeticRansom fake ransomware were also deployed in the campaign.
Invasion and spring wave
On February 24th, 2022, with the Ukrainian winter thawing away, a second destructive attack against a Ukrainian governmental network started, using a wiper we have named IsaacWiper.
Also on the day of the invasion, the AcidRain wiper campaign targeted Viasat KA-SAT modems, with spillover outside of Ukraine as well.
Another wiper, originally disclosed by Microsoft, is DesertBlade, reportedly deployed on March 1st, 2022 and again around March 17th, 2022. The same report also mentions attacks using wipers from the Hermetic campaign, namely HermeticWiper (Microsoft calls it FoxBlade) around March 10th, 2022, HermeticRansom (Microsoft calls it SonicVote) around March 17th, 2022, and an attack around March 24th, 2022 using both HermeticWiper and HermeticRansom.
CERT-UA reported on its discovery of the DoubleZero wiper on March 17th, 2022.
On March 14th, 2022, ESET researchers detected an attack using CaddyWiper, which targeted a Ukrainian bank.
On April 1st, 2022, we detected CaddyWiper again, this time being loaded by the ArguePatch loader, which is typically a modified, legitimate binary that is used to load shellcode from an external file. We detected a similar scenario on May 16th, 2022, where ArguePatch took the form of a modified ESET binary.
We also detected the ArguePatch-CaddyWiper tandem on April 8th, 2022, in perhaps the most ambitious Sandworm attack since the beginning of the invasion: their unsuccessful attempt to disrupt the flow of electricity using Industroyer2. In addition to ArguePatch and CaddyWiper, in this incident we also discovered wipers for non-Windows platforms: ORCSHRED, SOLOSHRED, and AWFULSHRED. For details, see the notification by CERT-UA and our WeLiveSecurity blogpost.
A quieter summer
The summer months saw fewer discoveries of new wiper campaigns in Ukraine compared to the previous months, but several notable attacks did occur.
We have worked together with CERT-UA on cases of ArguePatch (and CaddyWiper) deployments against Ukrainian institutions. The first incident took place in the week starting June 20th, 2022, and another on June 23rd, 2022.
Autumn wave
With temperatures dropping in preparation for the northern winter, on October 3rd, 2022 we detected a new version of CaddyWiper deployed in Ukraine. Unlike the previously used variants, this time CaddyWiper was compiled as an x64 Windows binary.
On October 5th, 2022, we identified a new version of HermeticWiper that had been uploaded to VirusTotal. The functionality of this HermeticWiper sample was the same as in the previous instances, with a few minor changes.
On October 11th, 2022, we detected Prestige ransomware being deployed against logistics companies in Ukraine and Poland. This campaign was also reported by Microsoft.
On the same day, we also identified a previously unknown wiper, which we named NikoWiper. This wiper was used against a company in the energy sector in Ukraine. NikoWiper is based on the SDelete Microsoft command line utility for securely deleting files.
On November 11th, 2022, CERT-UA published a blogpost about an attack using the Somnia fake ransomware.
On November 21st, 2022, we detected in Ukraine new ransomware written in .NET that we named RansomBoggs. The ransomware has multiple references to the movie Monsters, Inc. We observed that the malware operators used POWERGAP scripts to deploy this filecoder.
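The page notes that NikoWiper is built on Microsoft's SDelete and, in the January 2023 section, that SDelete execution itself was detected at a software reseller. A defender therefore wants telemetry that catches SDelete even when it is dropped under another name. The following is an added example, not code from the ESET blogpost: it scores Sysmon event 1 (process creation) and event 13 (registry value set) records that have already been parsed into dicts with Sysmon's field names. It assumes nothing about NikoWiper's own binary; every image path, host name and command line below is constructed.

```python
"""Flag SDelete execution, including renamed copies, from Sysmon process and
registry events.

Added example, not part of the ESET blogpost. Assumes Sysmon event 1 and
event 13 records as dicts keyed by Sysmon field names. Sample data below is
constructed for illustration.
"""
import re

SDELETE_IMAGES = {"sdelete.exe", "sdelete64.exe"}
# Switches documented for SDelete: -p passes, -s recurse, -z zero free space,
# -c clean free space. On their own they are only a weak signal.
PASSES_RE = re.compile(r"(?:^|\s)-p\s+\d+(?=\s|$)", re.IGNORECASE)
TARGET_RE = re.compile(r"(?:^|\s)-(?:s|z|c)(?=\s|$)", re.IGNORECASE)
# Sysinternals tools record EULA acceptance under this per-user key on first run.
EULA_KEY_RE = re.compile(r"\\Software\\Sysinternals\\SDelete\\EulaAccepted$", re.IGNORECASE)


def score_event(ev):
    """Return (severity, reason) for one Sysmon event, or None if not suspicious."""
    eid = ev.get("EventID")
    if eid == 13 and EULA_KEY_RE.search(ev.get("TargetObject", "")):
        return ("high", "SDelete EULA acceptance written to registry")
    if eid != 1:
        return None
    image = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    original = ev.get("OriginalFileName", "").lower()
    cmdline = ev.get("CommandLine", "")
    # PE version info survives a plain rename, so OriginalFileName catches copies
    # that were dropped under an innocuous file name.
    if original in SDELETE_IMAGES and image not in SDELETE_IMAGES:
        return ("high", f"renamed SDelete: OriginalFileName={original}, Image={image}")
    if image in SDELETE_IMAGES or original in SDELETE_IMAGES:
        return ("high", f"SDelete executed: {image}")
    if PASSES_RE.search(cmdline) and TARGET_RE.search(cmdline):
        return ("medium", "SDelete-style switches on an unrecognised binary")
    return None


def detect_sdelete(events):
    """Collect findings over a stream of events, preserving their order."""
    findings = []
    for ev in events:
        hit = score_event(ev)
        if hit:
            severity, reason = hit
            findings.append({"host": ev.get("Computer", "?"), "severity": severity,
                             "reason": reason, "event": ev})
    return findings


# Constructed sample telemetry (hosts, paths and command lines are invented).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01.example.test", "Image": r"C:\Windows\Temp\cleanup.exe",
     "OriginalFileName": "sdelete.exe",
     "CommandLine": r"cleanup.exe -accepteula -q -p 3 -s C:\Users"},
    {"EventID": 13, "Computer": "ws01.example.test",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Sysinternals\SDelete\EulaAccepted",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Computer": "ws02.example.test", "Image": r"C:\Windows\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe report.txt"},
    {"EventID": 1, "Computer": "ws03.example.test", "Image": r"C:\Users\Public\tool.exe",
     "OriginalFileName": "tool.exe", "CommandLine": "tool.exe -p 5 -z C:"},
    {"EventID": 1, "Computer": "srv01.example.test", "Image": r"C:\Tools\sdelete64.exe",
     "OriginalFileName": "sdelete.exe", "CommandLine": r"sdelete64.exe -p 1 D:\old"},
]

if __name__ == "__main__":
    for f in detect_sdelete(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['reason']}")
```

The medium-severity rule exists because a copy whose version resource has been stripped or rewritten defeats the OriginalFileName check; the switch pattern then still surfaces the process for an analyst, at the cost of occasional false positives from unrelated tools that use the same letters.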
January 2023
In 2023 the disruptive attacks against Ukrainian institutions continue.
On January 1st, 2023, we detected execution of the SDelete utility at a Ukrainian software reseller.
Another attack using multiple wipers, this time against a Ukrainian news agency, took place on January 17th, 2023, according to CERT-UA. The following wipers were detected in this attack: CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. BidSwipe is noteworthy, as it is a FreeBSD OS wiper.
On January 25th, 2023, we detected a new wiper written in Go, which we named SwiftSlicer, being deployed against Ukrainian local government entities.
In the majority of the above-mentioned cases, Sandworm used Active Directory Group Policy (T1484.001) to deploy its wipers and ransomware, specifically using the POWERGAP script.
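Because Group Policy was the common delivery channel across these incidents, the most useful control point for a defender is the audit trail of changes to GPO objects in Active Directory. The following is an added example, not code from the ESET blogpost and not a description of POWERGAP: it groups Windows Security event 5136 records (a directory service object was modified) that touch groupPolicyContainer attributes and raises a finding for writers outside an allowlist. It assumes Directory Service Changes auditing is enabled on the domain controllers and that events have been parsed into dicts with the 5136 EventData field names; the account names, GPO GUIDs and SYSVOL paths are constructed.

```python
"""Detect Group Policy object tampering (ATT&CK T1484.001) from Windows
Security event 5136 records.

Added example, not part of the ESET blogpost. Assumes events as dicts keyed
by the 5136 EventData field names. Accounts, GUIDs and paths below are
constructed sample data.
"""
from collections import defaultdict

# LDAP attributes of a groupPolicyContainer whose change alters what the GPO
# deploys: the SYSVOL folder holding scripts and tasks, the client-side
# extensions that apply it, and the version counter that makes clients re-apply it.
SENSITIVE_GPC_ATTRIBUTES = {
    "gPCFileSysPath",
    "gPCMachineExtensionNames",
    "gPCUserExtensionNames",
    "versionNumber",
}

# Message codes seen in the OperationType field of event 5136.
OPERATION_TYPES = {"%%14674": "value added", "%%14675": "value deleted"}

# Hypothetical allowlist: accounts expected to edit GPOs in this environment.
GPO_ADMIN_ALLOWLIST = {"gpo-admin"}

GPO_A = "CN={A1B2C3D4-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=example,DC=test"
GPO_B = "CN={A1B2C3D4-0000-4000-8000-000000000002},CN=Policies,CN=System,DC=example,DC=test"

# Constructed sample events (field names as in the 5136 EventData block).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "gpo-admin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": GPO_A, "AttributeLDAPDisplayName": "versionNumber",
     "AttributeValue": "12", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "svc-backup", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": GPO_B, "AttributeLDAPDisplayName": "gPCFileSysPath",
     "AttributeValue": r"\\example.test\SysVol\example.test\Policies\{A1B2C3D4-0000-4000-8000-000000000002}",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "svc-backup", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": GPO_B, "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{00000000-0000-0000-0000-000000000000}{DEADBEEF-0000-4000-8000-000000000003}]",
     "OperationType": "%%14674"},
    # Unrelated directory change (a user object's description): ignored.
    {"EventID": 5136, "SubjectUserName": "helpdesk", "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,CN=Users,DC=example,DC=test",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "moved desks",
     "OperationType": "%%14674"},
    # Not a 5136 at all: ignored.
    {"EventID": 4624, "SubjectUserName": "svc-backup"},
]


def group_gpc_changes(events):
    """Group sensitive groupPolicyContainer writes by (account, GPO DN)."""
    grouped = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("ObjectClass") != "groupPolicyContainer":
            continue
        attr = ev.get("AttributeLDAPDisplayName", "")
        if attr not in SENSITIVE_GPC_ATTRIBUTES:
            continue
        key = (ev.get("SubjectUserName", "<unknown>"), ev.get("ObjectDN", "<unknown>"))
        grouped[key].append({
            "attribute": attr,
            "operation": OPERATION_TYPES.get(ev.get("OperationType"), "modified"),
            "value": ev.get("AttributeValue", ""),
        })
    return grouped


def detect_gpo_tampering(events, allowlist=GPO_ADMIN_ALLOWLIST):
    """One finding per (account, GPO). Writers outside the allowlist are 'high';
    allowlisted writers are kept as 'audit' so their changes remain reviewable."""
    findings = []
    for (account, gpo_dn), changes in group_gpc_changes(events).items():
        findings.append({
            "severity": "audit" if account in allowlist else "high",
            "account": account,
            "gpo": gpo_dn,
            "attributes": sorted({c["attribute"] for c in changes}),
            "changes": changes,
        })
    # High-severity findings first, then by account for stable output.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["account"]))


if __name__ == "__main__":
    for f in detect_gpo_tampering(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['account']} changed {', '.join(f['attributes'])} on {f['gpo']}")
```

Grouping by (account, GPO) rather than alerting per event matters here: a GPO edit that pushes a script or task produces a burst of attribute writes, and one finding listing all touched attributes is what an analyst can act on. The allowlisted findings are still emitted so a compromised administrative account is not silently excluded.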
Conclusion
The use of disruptive wipers – and even wipers masquerading as ransomware – by Russian APT groups, especially Sandworm, against Ukrainian organizations is hardly new. Since around 2014, BlackEnergy employed disruptive plugins; the KillDisk wiper was a common denominator in Sandworm attacks in the past; and the Telebots subgroup has launched numerous wiper attacks, most infamously NotPetya.
Yet the intensification of wiper campaigns since the military invasion in February 2022 has been unprecedented. On a positive note, many of the attacks have been detected and thwarted. Nevertheless, we continue to monitor the situation vigilantly, as we expect the attacks to continue.
ESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
Files
SHA-1 | Filename | ESET detection name | Description |
---|---|---|---|
189166D382C73C242BA45889D57980548D4BA37E | stage1.exe | Win32/KillMBR.NGI | WhisperGate stage 1 MBR overwriter. |
A67205DC84EC29EB71BB259B19C1A1783865C0FC | N/A | Win32/KillFiles.NKU | WhisperGate stage 2 final payload. |
912342F1C840A42F6B74132F8A7C4FFE7D40FB77 | com.exe | Win32/KillDisk.NCV | HermeticWiper. |
61B25D11392172E587D8DA3045812A66C3385451 | conhosts.exe | Win32/KillDisk.NCV | HermeticWiper. |
F32D791EC9E6385A91B45942C230F52AFF1626DF | cc2.exe | WinGo/Filecoder.BK | HermeticRansom. |
86906B140B019FDEDAABA73948D0C8F96A6B1B42 | ukrop | Linux/AcidRain.A | AcidRain. |
AD602039C6F0237D4A997D5640E92CE5E2B3BBA3 | cl64.dll | Win32/KillMBR.NHP | IsaacWiper. |
736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950 | cld.dll | Win32/KillMBR.NHQ | IsaacWiper. |
E9B96E9B86FAD28D950CA428879168E0894D854F | clear.exe | Win32/KillMBR.NHP | IsaacWiper. |
5C01947A49280CE98FB39D0B72311B47C47BC5CC | clear.exe | Win32/KillMBR.NHP | IsaacWiper. |
59F5B9AECE751E58BE16E7F7A7A6D8C044F583BE | cll.exe | Win32/KillMBR.NHQ | IsaacWiper. |
172FBE91867C1D6B7F3E2899CEA69113BB1F21A0 | notes.exe | WinGo/KillFiles.A | DesertBlade wiper. |
46671348C1A61B3A8BFBA025E64E5549B7FDFA98 | N/A | Win32/KillDisk.NCV | HermeticWiper. |
DB0DA0D92D90657EA91C02336E0605E96DB92C05 | clrs.exe | Win32/KillDisk.NCV | HermeticWiper. |
98B3FB74B3E8B3F9B05A82473551C5A77B576D54 | caddy.exe | Win32/KillDisk.NCX | CaddyWiper. |
320116162D78AFB8E00FD972591479A899D3DFEE | cpcrs.exe | MSIL/KillFiles.CK | DoubleZero wiper. |
43B3D5FFAE55116C68C504339C5D953CA25C0E3F | csrss.exe | MSIL/KillFiles.CK | DoubleZero wiper. |
48F54A1D93C912ADF36C79BB56018DEFF190A35C | ukcphone.exe | Win32/Agent.AECG | ArguePatch shellcode loader. |
6FA04992C0624C7AA3CA80DA6A30E6DE91226A16 | peremoga.exe | Win32/Agent.AECG | ArguePatch shellcode loader. |
9CE1491CE69809F92AE1FE8D4C0783BD1D11FBE7 | pa1.pay | Win32/KillDisk.NDA | Encrypted CaddyWiper shellcode. |
3CDBC19BC4F12D8D00B81380F7A2504D08074C15 | wobf.sh | Linux/KillFiles.C | AwfulShred Linux wiper. |
8FC7646FA14667D07E3110FE754F61A78CFDE6BC | wsol.sh | Linux/KillFiles.B | SoloShred Solaris wiper. |
796362BD0304E305AD120576B6A8FB6721108752 | eset_ssl_filtered_cert_importer.exe | Win32/Agent.AEGY | ArguePatch shellcode loader. |
8F3830CB2B93C21818FDBFCF526A027601277F9B | spn.exe | Win32/Agent.AEKA | ArguePatch shellcode loader. |
3D5C2E1B792F690FBCF05441DF179A3A48888618 | mslrss.exe | Win32/Agent.AEKA | ArguePatch shellcode loader. |
EB437FF79E639742EE36E89F30C6A21072B86CBC | caclcly.exe | Win64/Agent.BQZ | CaddyWiper x64. |
57E3D0108636F6EE56C801F128306AD43AF60EE6 | cmrss.exe | Win32/KillDisk.NCV | HermeticWiper. |
986BA7A5714AD5B0DE0D040D1C066389BCB81A67 | open.exe | Win32/Filecoder.Prestige.A | Prestige filecoder. |
C7186DEF5E9C3E1B01BF506F538F5D6185377A9C | sysate32.exe | Win32/Filecoder.Prestige.A | Prestige filecoder. |
59621F5EFC311FDFE66683266CE9CB17F8227B23 | mstc_niko.exe | Win32/DelAll.NAH | NikoWiper. |
84E6A010B372D845C723A8B8D7DDD8D79675DCE5 | Sullivan.1.v2.0.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
F4D1C047923B9D10031BB709AABF1A250AB0AAA2 | Sullivan.1.v4.5.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
9A3D63C6E127243B3036BC0E242789EC1D2AB171 | Sullivan.2.v2.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
BB187EB125070176BD7EC6C57CFF166708DD60E1 | Sullivan.2.v4.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
3D593A39FA20FED851B9BEFB4FF2D391B43BDF08 | Sullivan.v2.5.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
021308C361C8DE7C38EF135BC3B53439EB4DA0B4 | Sullivan.v4.5.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
7346E2E29FADDD63AE5C610C07ACAB46B2B1B176 | assist.exe | WinGo/KillFiles.C | SwiftSlicer wiper. |
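To operationalize the table above, a defender typically converts it into a lookup and sweeps hosts or backup stores for matching file hashes. The following is an added example, not code from the ESET blogpost: `IOC_TABLE` quotes four rows verbatim from the table on this page, `parse_ioc_table` reads the page's pipe-separated layout, and `scan_paths` hashes files on disk against it. The scan directory and the benign test file in `demo_scan` are constructed. Exact SHA-1 matching finds only the listed samples, not recompiled or padded variants, which is the standing caveat for hash-based IoCs.

```python
"""Parse the 'Files' IoC table into a SHA-1 lookup and match files against it.

Added example, not part of the ESET blogpost. IOC_TABLE quotes rows from the
page; the scan target in demo_scan() is a constructed temporary file.
"""
import hashlib
import os
import re
import tempfile

IOC_TABLE = """\
SHA-1 | Filename | ESET detection name | Description |
---|---|---|---|
912342F1C840A42F6B74132F8A7C4FFE7D40FB77 | com.exe | Win32/KillDisk.NCV | HermeticWiper. |
86906B140B019FDEDAABA73948D0C8F96A6B1B42 | ukrop | Linux/AcidRain.A | AcidRain. |
98B3FB74B3E8B3F9B05A82473551C5A77B576D54 | caddy.exe | Win32/KillDisk.NCX | CaddyWiper. |
59621F5EFC311FDFE66683266CE9CB17F8227B23 | mstc_niko.exe | Win32/DelAll.NAH | NikoWiper. |
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_ioc_table(text):
    """Map lowercase SHA-1 -> {filename, detection, description}.
    Header, separator and malformed rows are skipped rather than raising."""
    iocs = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4:
            continue
        digest = cells[0].lower()
        if not SHA1_RE.match(digest):
            continue  # header row, '---' separator, or noise
        iocs[digest] = {"filename": cells[1], "detection": cells[2], "description": cells[3]}
    return iocs


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_paths(paths, iocs):
    """Walk files and directories; return one match per file whose SHA-1 is in iocs.
    Unreadable files are skipped so a single locked file does not abort the sweep."""
    matches = []
    for root in paths:
        if os.path.isfile(root):
            candidates = [root]
        else:
            candidates = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
        for path in candidates:
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            if digest in iocs:
                matches.append({"path": path, "sha1": digest, **iocs[digest]})
    return matches


def demo_scan():
    """Constructed demonstration: a benign file must not match the page's IoCs,
    but does match a constructed IoC entry built from its own hash."""
    iocs = parse_ioc_table(IOC_TABLE)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "benign.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed benign content")
        real_hits = scan_paths([tmp], iocs)
        constructed = {sha1_of_file(path): {"filename": "benign.bin",
                       "detection": "TEST/Constructed", "description": "constructed entry"}}
        test_hits = scan_paths([tmp], constructed)
    return len(real_hits), [h["detection"] for h in test_hits]


if __name__ == "__main__":
    print(demo_scan())
```

Hashes are normalized to lowercase on both sides because the table prints them in uppercase while `hashlib` returns lowercase hex; without that step every lookup would silently miss.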