Ukrainian cyber-experts have discovered multiple pieces of destructive malware that, earlier this month, were used in an attack targeting the country’s national news agency (Ukrinform).
The country’s Computer Emergency Response Team (CERT-UA) revealed in an update that the attack was publicized on a Telegram channel “CyberArmyofRussia_Reborn” on January 17.
After being asked by Ukrinform to investigate, a team at CERT-UA discovered five scripts – “the functionality of which is aimed at violating the integrity and availability of information (writing files/disks with zero bytes/arbitrary data and their subsequent deletion).”
The threat actors are believed to have gained unauthorized remote access to the Ukrinform network as early as December 7, 2022, but waited more than a month before launching the destructive payloads.
One of the five samples is not malware at all: SDelete is a legitimate Windows (Sysinternals) command-line utility for securely erasing files, which the attackers repurposed for destruction.
“It was found that the attackers made an unsuccessful attempt to disrupt the regular operation of users’ computers using the CaddyWiper and ZeroWipe malicious programs, as well as the legitimate SDelete utility (which was supposed to be launched using ‘news.bat’),” the report noted.
“At the same time, for the purpose of centralized distribution of malicious programs, a group policy object (GPO) was created, which, in turn, ensured the creation of corresponding scheduled tasks.”
The full list of malware/software used in the attack is: CaddyWiper, ZeroWipe, AwfulShred, BidSwipe and SDelete.
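The GPO-plus-scheduled-task delivery described in the CERT-UA quote above leaves a concrete artifact: a Group Policy Preferences ScheduledTasks.xml file under the domain's SYSVOL share. The hunt below is an added example, not code from the article or from CERT-UA. It assumes the usual GPP layout (SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml, with TaskV2/ImmediateTaskV2 elements wrapping Properties, Task, Actions and Exec), and the sample XML is constructed for the demonstration; "news.bat" and "sdelete" come from the report, the other indicator patterns are generic assumptions.

```python
"""Hunt for scheduled tasks pushed through Group Policy Preferences (GPP).

Added example; not from the original article or the CERT-UA report.
Assumption: GPP task files follow the layout
  <ScheduledTasks> -> <TaskV2|ImmediateTaskV2> -> <Properties runAs=...>
      -> <Task> -> <Actions> -> <Exec><Command/><Arguments/></Exec>
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Command-line indicators worth a second look. 'news.bat' and 'sdelete' are
# the names from the CERT-UA report; the rest are generic assumptions.
SUSPICIOUS_PATTERNS = [
    r"sdelete",
    r"news\.bat",
    r"\.bat\b", r"\.vbs\b", r"\.ps1\b",
    r"powershell.*-e(nc|ncodedcommand)?\b",
    r"\\\\[^\\]+\\(c\$|admin\$|sysvol|netlogon)",   # UNC path to a domain share
]

# Constructed sample: one immediate task that runs a batch file from NETLOGON
# as SYSTEM (the pattern described in the report) and one benign maintenance
# task. CLSID/uid attributes are omitted because the parser does not use them.
SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="Update" changed="2023-01-17 09:12:00">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c \\dc01\netlogon\news.bat</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="Defrag" changed="2022-06-01 08:00:00">
    <Properties action="C" name="Defrag" runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>%SystemRoot%\system32\defrag.exe</Command>
            <Arguments>C: /O</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""


def parse_gpp_tasks(xml_text, source="<inline>"):
    """Return one dict per Exec action defined in a GPP ScheduledTasks.xml."""
    root = ET.fromstring(xml_text)
    tasks = []
    for node in root:                      # TaskV2 / ImmediateTaskV2 / ...
        props = node.find("Properties")
        if props is None:
            continue
        for exec_node in props.iter("Exec"):
            cmd = (exec_node.findtext("Command") or "").strip()
            args = (exec_node.findtext("Arguments") or "").strip()
            tasks.append({
                "source": source,
                "kind": node.tag,
                "name": node.get("name", ""),
                "changed": node.get("changed", ""),
                "run_as": props.get("runAs", ""),
                "command_line": f"{cmd} {args}".strip(),
            })
    return tasks


def flag_task(task):
    """Return the list of reasons a task is suspicious (empty if none)."""
    reasons = []
    cl = task["command_line"].lower()
    for pat in SUSPICIOUS_PATTERNS:
        if re.search(pat, cl):
            reasons.append(f"command line matches /{pat}/")
    if task["kind"].startswith("Immediate"):
        reasons.append("immediate task: fires on the next policy refresh")
    if task["run_as"].upper() in ("NT AUTHORITY\\SYSTEM", "SYSTEM"):
        reasons.append("runs as SYSTEM")
    return reasons


def hunt_xml(xml_text, source="<inline>"):
    """Parse one ScheduledTasks.xml and return [(task, reasons)] for flagged tasks."""
    return [(t, flag_task(t)) for t in parse_gpp_tasks(xml_text, source) if flag_task(t)]


def hunt_sysvol(sysvol_root):
    """Walk a mounted or copied SYSVOL tree and flag every GPP task in it."""
    findings = []
    for path in Path(sysvol_root).rglob("ScheduledTasks.xml"):
        findings.extend(hunt_xml(path.read_text(encoding="utf-8-sig"), str(path)))
    return findings


if __name__ == "__main__":
    for task, reasons in hunt_xml(SAMPLE_XML):
        print(f"[{task['kind']}] {task['name']} ({task['changed']}) -> {task['command_line']}")
        for r in reasons:
            print("   -", r)
```

Run it against a copy of SYSVOL (or point hunt_sysvol at a mapped \\<dc>\SYSVOL share) and pivot from any hit to the GPO's GUID folder, its modification timestamp and the domain controller's Directory Service change logs (security events 5137 for a created groupPolicyContainer object and 5136 for modifications) to establish when the policy was staged and by which account.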
CaddyWiper was first discovered back in March 2022 at the beginning of Russia’s invasion. Researchers profiling it at the time said it did not share any characteristics with previous destructive malware used by Russia, such as HermeticWiper, IsaacWiper and WhisperGate.
In that earlier incident, as in the Ukrinform attack, CaddyWiper was deployed via a GPO, which requires privileged access to the victim's Active Directory domain and so indicates the threat actors already controlled the target's network before the wiper ran.
“Taking into account the results of the study, we believe it is possible to state that the cyber-attack was carried out by the UAC-0082 (Sandworm) group, whose activities are associated with the Russian Federation,” the report concluded.
Attributed to Russia's military intelligence agency (the GRU), Sandworm has been linked to multiple destructive campaigns in the past, including the December 2015 attack on Ukraine's power grid and the NotPetya worm of 2017.