Sandworm, an advanced persistent threat (APT) group linked to Russia’s foreign military intelligence agency GRU, has deployed a medley of five different wipers on systems belonging to Ukraine’s national news agency Ukrinform.
The attack was one of two recent wiper offensives from Sandworm in the country. The efforts are the latest indication that destructive wiper malware is increasingly popular as a weapon among Russian cyber-threat actors. The goal is to cause irrevocable damage to the operations of targeted organizations in Ukraine, as part of Russia’s broader military objectives in the country.
A Medley of Wipers
According to Ukraine’s Computer Emergency Response Team (CERT-UA), the Ukrinform attack was only partially successful and ended up not impacting operations at the news agency. But had the wipers worked as intended, they would have erased and overwritten data on all the infected systems and essentially rendered them useless.
CERT-UA reported the attack publicly last Friday after Ukrinform asked it to investigate the incident on Jan. 17. In an advisory, CERT-UA identified the five wiper variants that Sandworm had installed on the news agency’s systems as CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. Of these, the first three targeted Windows systems, while AwfulShred and BidSwipe took aim at Linux and FreeBSD systems at Ukrinform. Interestingly, SDelete is a legitimate command-line utility for securely deleting Windows files.
“It was found that the attackers made an unsuccessful attempt to disrupt the regular operation of users’ computers using the CaddyWiper and ZeroWipe malicious programs, as well as the legitimate SDelete utility,” a translated version of CERT-UA’s advisory noted. “However, it was only partially successful, in particular, to several data storage systems.”
“SwiftSlicer” Wiper Comes to Light
Separately, ESET disclosed another attack last week where the Sandworm group deployed a brand-new wiper dubbed SwiftSlicer in a highly targeted attack against an unidentified Ukrainian organization. In the attack, the Sandworm group distributed the malware via a group policy object, suggesting that the threat actor had already gained control of the victim’s Active Directory environment, ESET said. CERT-UA had described Sandworm as employing the same tactic to try to deploy CaddyWiper on Ukrinform’s systems.
Once executed, SwiftSlicer deletes shadow copies, recursively overwrites files in system and non-system drives, and then reboots the computer, ESET noted. “For overwriting it uses 4096 bytes length block filled with randomly generated byte(s),” the security vendor said.
Sandworm’s use of disk wiper malware in its campaigns against Ukrainian organizations is one indication of the destructive power that threat actors perceive these tools as having. Sandworm is a well-known, state-backed threat actor that became infamous for its high-profile attacks on Ukraine’s power infrastructure, with malware such as BlackEnergy, GreyEnergy, and, more recently, Industroyer.
Sandworm’s rampant use of disk wipers in its new campaigns is consistent with a broader increase in threat actor use of such malware, both in the weeks leading up to Russia’s invasion of Ukraine and in the months since then.
At a session during Black Hat Middle East & Africa last November, Max Kersten, a malware analyst from Trellix, released details of an analysis he had conducted of disk wipers in the wild in the first half of 2022. The researcher’s study identified more than 20 wiper families that threat actors had deployed during the period, many of them against targets in Ukraine. Some examples of the more prolific ones included wipers that masqueraded as ransomware, such as WhisperGate and HermeticWiper, and others such as IsaacWiper, RURansom, and CaddyWiper.
The researcher’s study showed that, from a functionality standpoint, disk wipers had evolved little since the “Shamoon” virus of more than a decade ago that destroyed thousands of systems at Saudi Aramco. The major reason is that attackers usually deploy wipers to sabotage and destroy systems and therefore have little need for building in the stealth and evasiveness required for other types of malware to be successful.
So far, threat actors have used disk-wiping malware only relatively sparingly against organizations in the US, because their motivations have typically been different from those of actors going after targets in Ukraine. Most attacks targeting organizations in the US tend to be financially motivated, or involve a spying or cyber-espionage bent. However, that doesn’t mean threat actors cannot launch the same kind of destructive attacks in the US if they choose to, analysts have cautioned.