The Ukrainian Computer Emergency Response Team (CERT-UA) found a cocktail of five different data-wiping malware strains deployed on the network of the country’s national news agency (Ukrinform) on January 17th.
“As of January 27, 2023, 5 samples of malicious programs (scripts) were detected, the functionality of which is aimed at violating the integrity and availability of information (writing files/disks with zero bytes/arbitrary data and their subsequent deletion),” CERT-UA said (automated translation from Ukrainian).
The list of destructive malware deployed in the attack against Ukrinform includes CaddyWiper (Windows), ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), and BidSwipe (FreeBSD).
Two of the five strains, ZeroWipe and BidSwipe, are either new malware or are tracked by the Ukrainians under different names than those used by anti-malware vendors.
The attackers launched the CaddyWiper malware using a Windows group policy (GPO), showing that they had breached the target’s network beforehand.
As CERT-UA found during the investigation, the threat actors gained remote access to Ukrinform’s network around December 7th and waited more than a month to unleash the malware cocktail.
However, their attempt to wipe out all the data on the news agency’s systems failed. The wipers only managed to destroy files on “several data storage systems,” which didn’t impact Ukrinform’s operations.
“The CERT-UA emphasizes that the cyberattack was only a partial success, specifically with regard to a limited number of data storage systems,” the State Service of Special Communications and Information Protection (SSSCIP) of Ukraine added.
Cyberattack linked to Russian Sandworm military hackers
CERT-UA linked the attack to the Sandworm threat group last week, a hacking outfit part of the Russian Military Unit 74455 of the Main Intelligence Directorate (GRU).
Sandworm has also used the CaddyWiper data wiper in another failed attack from April targeting a large Ukrainian energy provider.
In that attack, the Russian hackers used a similar tactic, deploying CaddyWiper to erase traces left by Industroyer ICS malware, together with three other wipers designed for Linux and Solaris systems, and tracked as Orcshred, Soloshred, and Awfulshred.
Since Russia invaded Ukraine in February 2022, multiple strains of data-wiping malware have been deployed on the networks of Ukrainian targets besides CaddyWiper.