February 23, 2024

ESET Analysis has compiled a timeline of cyberattacks that used wiper malware and have occurred since Russia’s invasion of Ukraine in 2022

This blogpost presents a compiled overview of the disruptive wiper assaults that we have now noticed in Ukraine because the starting of 2022, shortly earlier than the Russian army invasion began. We had been in a position to attribute nearly all of these assaults to Sandworm, with various levels of confidence. The compilation contains assaults seen by ESET, in addition to some reported by different respected sources like CERT-UA, Microsoft, and SentinelOne.

ESET Research Destructive malware targeting Ukrainian organizations IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine AcidRain | A Modem Wiper Rains Down on Europe IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine An overview of Russia’s cyberattack activity in Ukraine An overview of Russia’s cyberattack activity in Ukraine ESET Research CERT-UA An overview of Russia’s cyberattack activity in Ukraine An overview of Russia’s cyberattack activity in Ukraine An overview of Russia’s cyberattack activity in Ukraine ESET APT ACTIVITY REPORT T2 2022 Industroyer2: Industroyer reloaded CERT-UA ESET Research ESET Research ESET APT ACTIVITY REPORT T2 2022 ESET APT ACTIVITY REPORT T3 2022 ESET APT ACTIVITY REPORT T3 2022 ESET APT ACTIVITY REPORT T3 2022 New “Prestige” ransomware impacts organizations in Ukraine and Poland ESET APT ACTIVITY REPORT T3 2022 CERT-UA RansomBoggs: New ransomware targeting Ukraine CERT-UA SwiftSlicer: New destructive wiper malware strikes Ukraine

Be aware: Approximate dates (~) are used when the precise date of deployment in unsure or unknown. In some instances, the date of discovery or (within the case of non-ESET discoveries) the date of publication of the assault is used.

Pre-invasion

Amongst quite a few waves of DDoS attacks that had been focusing on Ukrainian establishments on the time, the WhisperGate malware struck on January 14th, 2022. The wiper masqueraded as ransomware, echoing NotPetya from June 2017 – a tactic that will even be seen in later assaults.

On February 23rd, 2022, a damaging marketing campaign utilizing HermeticWiper focused a whole lot of techniques in not less than 5 Ukrainian organizations. This knowledge wiper was first noticed simply earlier than 17:00 native time (15:00 UTC): the cyberattack preceded, by only some hours, the invasion of Ukraine by Russian Federation forces. Alongside HermeticWiper, the HermeticWizard worm and HermeticRansom fake ransomware had been additionally deployed within the marketing campaign.

Invasion and spring wave

On February 24th, 2022, with the Ukrainian winter thawing away, a second damaging assault towards a Ukrainian governmental community began, utilizing a wiper we have now named IsaacWiper.

Additionally on the day of the invasion, the AcidRain wiper marketing campaign focused Viasat KA-SAT modems, with spillover exterior of Ukraine as properly.

One other wiper, initially disclosed by Microsoft, is DesertBlade, reportedly deployed on March 1st, 2022 and once more round March 17th, 2022. The identical report additionally mentions assaults utilizing wipers from the Airtight marketing campaign, specifically HermeticWiper (Microsoft calls it FoxBlade) round March tenth, 2022, HermeticRansom (Microsoft calls it SonicVote) round March 17th, 2022, and an assault round March 24th, 2022 utilizing each HermeticWiper and HermeticRansom.

CERT-UA reported on its discovery of the DoubleZero wiper on March 17th, 2022.

On March 14th, 2022, ESET researchers detected an assault utilizing CaddyWiper, which focused a Ukrainian financial institution.

On April 1st, 2022, we detected CaddyWiper once more, this time being loaded by the ArguePatch loader, which is often a modified, official binary that’s used to load shellcode from an exterior file. We detected the same situation on Might sixteenth, 2022, the place ArguePatch took the type of a modified ESET binary.

We additionally detected the ArguePatch-CaddyWiper tandem on April 8th, 2022, in maybe probably the most formidable Sandworm assaults because the starting of the invasion: their unsuccessful try to disrupt the circulation of electrical energy utilizing Industroyer2. Along with ArguePatch and CaddyWiper, on this incident, we additionally found wipers for non-Home windows platforms: ORCSHRED, SOLOSHRED, and AWFULSHRED. For particulars, see the notification by CERT-UA, and our WeLiveSecurity blogpost.

A quieter summer season

The summer season months noticed fewer discoveries of latest wiper campaigns in Ukraine as in comparison with the earlier months, but a number of notable assaults did happen.

We now have labored along with CERT-UA on instances of ArguePatch (and CaddyWiper) deployments towards Ukrainian establishments. The primary incident passed off within the week beginning June 20th, 2022, and one other on June 23rd, 2022.

Autumn wave

With temperatures dropping in preparation for the northern winter, on October 3rd, 2022 we detected a brand new model of CaddyWiper deployed in Ukraine. Not like the beforehand used variants, this time CaddyWiper was compiled as an x64 Home windows binary.

On October 5th, 2022, we recognized a brand new model of HermeticWiper that had been uploaded to VirusTotal. The performance of this HermeticWiper pattern was the identical as within the earlier situations, with a couple of minor modifications.

On October 11th, 2022, we detected Status ransomware being deployed towards logistics firms in Ukraine and Poland. This marketing campaign was additionally reported by Microsoft.

On the identical day, we additionally recognized a beforehand unknown wiper, which we named NikoWiper. This wiper was used towards an organization within the power sector in Ukraine. NikoWiper is predicated on the SDelete Microsoft command line utility for securely deleting information.

On November 11th, 2022, CERT-UA published a blogpost about an assault utilizing the Somnia fake ransomware.

On November 21st, 2022, we detected in Ukraine new ransomware written in .NET that we named RansomBoggs. The ransomware has a number of references to the film Monsters, Inc. We noticed that the malware operators used POWERGAP scripts to deploy this filecoder.

January 2023

In 2023 the disruptive assaults towards Ukrainian establishments proceed.

On January 1st, 2023, we detected execution of the SDelete utility at a Ukrainian software program reseller.

One other assault utilizing a number of wipers, this time towards a Ukrainian information company, passed off on January 17th, 2023, according to CERT-UA. The next wipers had been detected on this assault: CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. BidSwipe is noteworthy, as it’s a FreeBSD OS wiper.

On January 25th, 2023, we detected a brand new wiper, written in Go and that we named SwiftSlicer, being deployed towards Ukrainian native authorities entities.

In nearly all of the above-mentioned instances, Sandworm used Energetic Listing Group Coverage (T1484.001) to deploy its wipers and ransomware, particularly utilizing the POWERGAP script.

Conclusion

Using disruptive wipers – and even wipers masquerading as ransomware – by Russian APT teams, particularly Sandworm, towards Ukrainian organizations is hardly new. Since round 2014, BlackEnergy employed disruptive plugins; the KillDisk wiper was a standard denominator in Sandworm assaults up to now; and the Telebots subgroup has launched quite a few wiper assaults, most infamously NotPetya.

But the intensification of wiper campaigns because the army invasion in February 2022 has been unprecedented. On a optimistic notice, most of the assaults have been detected and thwarted. Nevertheless, we proceed to watch the scenario vigilantly, as we anticipate the assaults to proceed.

For any inquiries about our analysis printed on WeLiveSecurity, please contact us at [email protected].

ESET Analysis additionally gives non-public APT intelligence stories and knowledge feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page 

IoCs

Information

SHA-1 Filename ESET detection identify Description
189166D382C73C242BA45889D57980548D4BA37E stage1.exe Win32/KillMBR.NGI WhisperGate stage 1 MBR overwriter.
A67205DC84EC29EB71BB259B19C1A1783865C0FC N/A Win32/KillFiles.NKU WhisperGate stage 2 ultimate payload.
912342F1C840A42F6B74132F8A7C4FFE7D40FB77 com.exe Win32/KillDisk.NCV HermeticWiper.
61B25D11392172E587D8DA3045812A66C3385451 conhosts.exe Win32/KillDisk.NCV HermeticWiper.
F32D791EC9E6385A91B45942C230F52AFF1626DF cc2.exe WinGo/Filecoder.BK HermeticRansom.
86906B140B019FDEDAABA73948D0C8F96A6B1B42 ukrop Linux/AcidRain.A AcidRain.
AD602039C6F0237D4A997D5640E92CE5E2B3BBA3 cl64.dll Win32/KillMBR.NHP IsaacWiper.
736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950 cld.dll Win32/KillMBR.NHQ IsaacWiper.
E9B96E9B86FAD28D950CA428879168E0894D854F clear.exe Win32/KillMBR.NHP IsaacWiper.
5C01947A49280CE98FB39D0B72311B47C47BC5CC clear.exe Win32/KillMBR.NHP IsaacWiper.
59F5B9AECE751E58BE16E7F7A7A6D8C044F583BE cll.exe Win32/KillMBR.NHQ IsaacWiper.
172FBE91867C1D6B7F3E2899CEA69113BB1F21A0 notes.exe WinGo/KillFiles.A DesertBlade wiper.
46671348C1A61B3A8BFBA025E64E5549B7FDFA98 N/A Win32/KillDisk.NCV HermeticWiper.
DB0DA0D92D90657EA91C02336E0605E96DB92C05 clrs.exe Win32/KillDisk.NCV HermeticWiper.
98B3FB74B3E8B3F9B05A82473551C5A77B576D54 caddy.exe Win32/KillDisk.NCX CaddyWiper.
320116162D78AFB8E00FD972591479A899D3DFEE cpcrs.exe MSIL/KillFiles.CK DoubleZero wiper.
43B3D5FFAE55116C68C504339C5D953CA25C0E3F csrss.exe MSIL/KillFiles.CK DoubleZero wiper.
48F54A1D93C912ADF36C79BB56018DEFF190A35C ukcphone.exe Win32/Agent.AECG ArguePatch shellcode loader.
6FA04992C0624C7AA3CA80DA6A30E6DE91226A16 peremoga.exe Win32/Agent.AECG ArguePatch shellcode loader.
9CE1491CE69809F92AE1FE8D4C0783BD1D11FBE7 pa1.pay Win32/KillDisk.NDA Encrypted CaddyWiper shellcode.
3CDBC19BC4F12D8D00B81380F7A2504D08074C15 wobf.sh Linux/KillFiles.C AwfulShred Linux wiper.
8FC7646FA14667D07E3110FE754F61A78CFDE6BC wsol.sh Linux/KillFiles.B SoloShred Solaris wipe.
796362BD0304E305AD120576B6A8FB6721108752 eset_ssl_filtered_cert_importer.exe Win32/Agent.AEGY ArguePatch shellcode loader.
8F3830CB2B93C21818FDBFCF526A027601277F9B spn.exe Win32/Agent.AEKA ArguePatch shellcode loader.
3D5C2E1B792F690FBCF05441DF179A3A48888618 mslrss.exe Win32/Agent.AEKA ArguePatch shellcode loader.
EB437FF79E639742EE36E89F30C6A21072B86CBC caclcly.exe Win64/Agent.BQZ CaddyWiper x64.
57E3D0108636F6EE56C801F128306AD43AF60EE6 cmrss.exe Win32/KillDisk.NCV HermeticWiper.
986BA7A5714AD5B0DE0D040D1C066389BCB81A67 open.exe Win32/Filecoder.Status.A Status filecoder.
C7186DEF5E9C3E1B01BF506F538F5D6185377A9C sysate32.exe Win32/Filecoder.Status.A Status filecoder.
59621F5EFC311FDFE66683266CE9CB17F8227B23 mstc_niko.exe Win32/DelAll.NAH NikoWiper.
84E6A010B372D845C723A8B8D7DDD8D79675DCE5 Sullivan.1.v2.0.exe MSIL/Filecoder.RansomBoggs.A RansomBoggs filecoder.
F4D1C047923B9D10031BB709AABF1A250AB0AAA2 Sullivan.1.v4.5.exe MSIL/Filecoder.RansomBoggs.A RansomBoggs filecoder.
9A3D63C6E127243B3036BC0E242789EC1D2AB171 Sullivan.2.v2.exe MSIL/Filecoder.RansomBoggs.A RansomBoggs filecoder.
BB187EB125070176BD7EC6C57CFF166708DD60E1 Sullivan.2.v4.exe MSIL/Filecoder.RansomBoggs.A RansomBoggs filecoder.
3D593A39FA20FED851B9BEFB4FF2D391B43BDF08 Sullivan.v2.5.exe MSIL/Filecoder.RansomBoggs.A RansomBoggs filecoder.
021308C361C8DE7C38EF135BC3B53439EB4DA0B4 Sullivan.v4.5.exe MSIL/Filecoder.RansomBoggs.A RansomBoggs filecoder.
7346E2E29FADDD63AE5C610C07ACAB46B2B1B176 assist.exe WinGo/KillFiles.C SwiftSlicer wiper.