#BHUSA: Russia's Wiper Attacks Against Ukraine Detailed

Alongside the physical invasion of the Ukraine, Russia also launched a cybersecurity invasion, with the use of multiple tools, notably wipers.

In a session at the Black Hat USA 2022 security conference, Thomas Hegel and Juan Andres Guerrero, who are threat researchers at SentinelOne, provided vivid details of Russia's cyberwar activities in the Ukraine. Hegel noted that Russia has made use of multiple techniques including DDoS, disinformation hacktivism campaigns and large scale wiper attacks against Ukraine.

While Western nations tend to have cyber commands with some form of cyber ranger where forces are first trained in a virtual environment, Russia is taking a very different approach.

"Russian threat actors are about live fire exercises, they don't really care for cyber ranges," Guerrero said.

Guerrero noted that Russia first deployed wipers in its attacks against Ukraine in 2016 and 2017 during the Industroyer  and NotPetya incidents. According to Guerrero, those attacks set the tone for how Russia handles cyber-attacks.

From the very first day of the invasion on February 23, Hegel said that there were Wiper attacks. The goal of a wiper is to literally 'wipe' or delete information, sometimes with a form of misdirection, intended to make a target think they are the victim of ransomware.

The first wiper used by Russia was one that SentinelOne refers to as 'Hermetic Wiper' and is referenced by Microsoft as 'Foxblade.' Hegel and Guerrero went through a long list of different wipers used by Russia over the last six months as the conflict has continued to rage.

What isn't entirely clear is how much of the Wiper malware was stockpiled by Russia prior to the onset of hostilities in February. There is evidence that several of the wipers that Russia deployed were in fact developed prior to February, while many of the others appear to have been developed in 2022 during the course of the conflict.

In terms of why so many wipers have been discovered, Guerrero stated that they are often the 'loudest,' most visible form of malware attack, and that's likely why so many have been seen in the war thus far.

"It's inevitably the tip of the iceberg for this situation as far as what  we know," Guerrero said.

What does appear likely is the continued use of tools targeted at industrial infrastructure. In April, power plants in the Ukraine were hit by the Industroyer2 malware and the SentinelOne researchers expect similar attacks in the future, using the Incontroller industrial control system (ICS) malware family.

"There's so much unknown at this point but I would say the newer activity that we're seeing related to the ICS side is concerning and we just don't know if it will be used elsewhere," Hegel said. "Will will see it leading up to the winter and is this going to be used to force certain organizations to come back to Russia for energy if they are disrupted?"

What’s Hot on Infosecurity Magazine?