The Ukrainian Computer Emergency Response Team (CERT-UA) discovered a data-wiping malware attack on the national news agency, Ukrinform, on January 17th, 2023. The attack was a cocktail of five different malware strains: CaddyWiper (Windows), ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), and BidSwipe (FreeBSD). Two of the strains, ZeroWipe and BidSwipe, are either new malware or known under different names by anti-malware vendors.
The attackers used a Windows Group Policy Object (GPO) to launch the CaddyWiper malware, indicating that they had already breached the target's network. The threat actors gained remote access to Ukrinform's network on December 7th and waited a month before unleashing the malware cocktail. However, their attempt to wipe all the data on the news agency's systems failed, destroying files only on several data storage systems without affecting Ukrinform's operations. CERT-UA linked the attack to the Russian Sandworm threat group, part of Russian Military Unit 74455 of the Main Intelligence Directorate (GRU). Sandworm also used CaddyWiper in a failed attack on a Ukrainian energy provider in April.
Dmitry Bestuzhev, Most Distinguished Threat Researcher at BlackBerry, shared his thoughts on the attack and how organizations can mitigate similar threats:
"If we take a look at the Ukrainian threat landscape in 2022-2023, three leading malware families are targeting them: ransomware (massive), wiper (targeted), and backdoors with info stealing capabilities (targeting).
Most of those malicious families apparently come from Russia and are used in the context of the war. While ransomware encrypts data, its massive propagation makes it possible to disrupt a significant number of computers. One of the most active groups targeting Ukraine is the Conti group.
Wipers have not been used widely as they’re targeted weapons. However, the same threat actor called Sandworm has been actively working on developing wipers and ransomware families used explicitly for Ukraine. Sullivan Ransomware is an example of this.
Finally, the backdoors with info stealers revolve around RomCom RAT, which is also coded to target Ukraine. Threat actors behind the attacks in Ukraine have two main goals: data destruction or information theft. Sometimes the second one is the first stage of more extensive operations leading to data destruction weeks or months later.
Mitigating these attacks
In the case of the latest wiper attack against Ukraine, the original file name used by the threat actor is "Total Commander." That's a very popular file manager in Eastern European countries. It is unclear how that would end up on the infected machines; however, it's obvious the threat actor behind it relies on the filenames of the most popular apps.
When we think about RomCom RAT, its initial infection vector is through a fake website that looks like a legitimate one. So malvertising is something to take care of, and social engineering is too. I would say that those two infection vectors are important to watch.
In this case, the wiper used was written in GoLang, which has been increasingly covered in the media. GoLang is a cross-platform language, which is not simple to reverse. That makes it a solid choice when developing weapons. On one hand, it can be easily used to code for both Windows and Linux environments. On the other hand, when those samples end up in the hands of the researchers, it is time-consuming to reverse them."
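The filename-masquerading point raised above (a wiper carrying the name of a popular application such as Total Commander) suggests a simple defensive inventory check: flag any executable that borrows a well-known name but is not signed by the expected publisher or does not sit in its expected install directory. This is an added example, not code from the article, CERT-UA or BlackBerry; the publisher strings, trusted directories and inventory records are assumed placeholders, not data from the incident.

```python
from __future__ import annotations
from dataclasses import dataclass
import ntpath

# Executable names attackers borrow from popular applications, mapped to the
# publisher expected in a valid code signature. The publisher strings are
# placeholders (assumed), not verified signer names.
EXPECTED_SIGNER: dict[str, str] = {
    "totalcmd.exe": "PLACEHOLDER-TOTALCMD-PUBLISHER",
    "totalcmd64.exe": "PLACEHOLDER-TOTALCMD-PUBLISHER",
}

# Directories where a file manager would legitimately be installed (assumed).
TRUSTED_DIR_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class FileRecord:
    path: str            # full path on the host
    signer: str | None   # subject of a valid signature, or None if unsigned/invalid


def suspect_reason(rec: FileRecord) -> str | None:
    """Return why a record looks like filename masquerading, or None if it is clean."""
    name = ntpath.basename(rec.path).lower()
    expected = EXPECTED_SIGNER.get(name)
    if expected is None:
        return None  # not a monitored name
    reasons = []
    if rec.signer != expected:
        reasons.append(f"signer {rec.signer!r} != expected {expected!r}")
    if not rec.path.lower().startswith(TRUSTED_DIR_PREFIXES):
        reasons.append(f"unexpected location {ntpath.dirname(rec.path)!r}")
    return "; ".join(reasons) or None


def scan(records: list[FileRecord]) -> list[tuple[str, str]]:
    """Run suspect_reason over an inventory and return (path, reason) hits."""
    return [(r.path, reason) for r in records if (reason := suspect_reason(r))]


# Constructed sample inventory (not data from the incident).
SAMPLE = [
    FileRecord(r"C:\Program Files\totalcmd\TOTALCMD64.EXE", "PLACEHOLDER-TOTALCMD-PUBLISHER"),
    FileRecord(r"C:\Windows\Temp\totalcmd.exe", None),
    FileRecord(r"C:\Users\alice\Downloads\totalcmd.exe", "Some Other Signer"),
    FileRecord(r"C:\Windows\notepad.exe", "Microsoft Windows"),
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE):
        print(path, "->", reason)
```

In practice the signer field would be populated from the host's signature verification output (for example from an EDR or file-inventory feed), and the monitored-name table extended to whichever applications are popular in the environment.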