Five Data Wipers Used to Attack Ukrainian News Agency

Ukrainian cyber experts uncovered multiple destructive malware samples used in an attack targeting the country’s state-run news agency (Ukrinform) earlier this month.

The National Computer Emergency Response Team (CERT-UA) has revealed in an update that the attack was made public on the Telegram channel “CyberArmyofRussia_Reborn” on January 17th.

After being asked by Ukrinform to investigate, the CERT-UA team discovered five scripts. “Its functionality is intended to compromise the integrity and availability of information (writing zero bytes/arbitrary data to a file/disk and then deleting it),” the report said.

The attackers are believed to have gained unauthorized remote access to the Ukrinform network as far back as December 7, 2022, but waited before launching the destructive malware.

In fact, one of the five samples is a legitimate Windows utility, SDelete.

“The attackers used the CaddyWiper and ZeroWipe malicious programs and the legitimate SDelete utility (which was supposed to be launched using ‘news.bat’) to interfere with the normal operation of users’ computers. It turned out to be an unsuccessful attempt,” the report noted.

“At the same time, a Group Policy Object (GPO) was created for the purpose of centrally distributing malicious programs, which ensures that corresponding scheduled tasks are created.”

The full list of malware/software used in the attacks is CaddyWiper, ZeroWipe, AwfulShred, BidSwipe, and SDelete.

CaddyWiper was first spotted in March 2022 when the Russian invasion began. Researchers profiling it at the time said it shared no characteristics with previous destructive malware used by Russia, including HermeticWiper, IsaacWiper, and WhisperGate.

As in the Ukrinform attack, it was deployed via GPOs, indicating that the attacker already had control over the targeted network.
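As an added defender-side illustration (not code from the CERT-UA report or this article): a Python check that parses a Group Policy Preferences ScheduledTasks.xml as stored in SYSVOL and flags tasks whose action runs a script file or anything from a user-writable path, the pattern behind the GPO-created “news.bat” task described above. The sample XML, task names and file paths are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample of a Group Policy Preferences ScheduledTasks.xml as
# stored under SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\.
# Task names and paths are invented; only the second task mirrors the "news.bat"
# pattern the CERT-UA report describes (assumption: a batch file in a temp folder).
SAMPLE_XML = r"""<ScheduledTasks>
  <TaskV2 name="Inventory">
    <Properties action="C" name="Inventory" runAs="NT AUTHORITY\System">
      <Task version="1.2"><Actions Context="Author">
        <Exec><Command>C:\Program Files\Inventory\agent.exe</Command><Arguments>/scan</Arguments></Exec>
      </Actions></Task>
    </Properties>
  </TaskV2>
  <TaskV2 name="news">
    <Properties action="C" name="news" runAs="NT AUTHORITY\System">
      <Task version="1.2"><Actions Context="Author">
        <Exec><Command>C:\Windows\Temp\news.bat</Command><Arguments></Arguments></Exec>
      </Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js")
WRITABLE_DIRS = (r"c:\windows\temp", r"c:\users\public", r"c:\programdata", r"c:\temp")

def find_suspicious_tasks(xml_text):
    """Return [(task name, command, reasons)] for GPP scheduled tasks whose action
    runs a script file, or runs anything from a user-writable directory."""
    findings = []
    for task in ET.fromstring(xml_text).iter("TaskV2"):
        name = task.get("name", "?")
        for exe in task.iter("Exec"):  # one Exec per action under Task/Actions
            cmd = (exe.findtext("Command") or "").strip()
            args = (exe.findtext("Arguments") or "").strip()
            low = cmd.lower()
            reasons = []
            if low.endswith(SCRIPT_EXT) or args.lower().endswith(SCRIPT_EXT):
                reasons.append("action runs a script file")
            if any(low.startswith(d) for d in WRITABLE_DIRS):
                reasons.append("command lives in a user-writable directory")
            if reasons:
                findings.append((name, cmd, reasons))
    return findings

if __name__ == "__main__":
    for name, cmd, reasons in find_suspicious_tasks(SAMPLE_XML):
        print(f"[!] task {name!r}: {cmd} -> {'; '.join(reasons)}")
```

On a real domain the same function can be run over every ScheduledTasks.xml found under SYSVOL, and the `changed` timestamp and `runAs` account of each TaskV2 are worth recording alongside the command.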

“Given the findings of the investigation, we believe it can be stated that the cyberattack was carried out by the UAC-0082 (Sandworm) group, whose activities are related to the Russian Federation,” the report concludes.

Operating outside the Russian Armed Forces (GRU), Sandworm has been involved in several devastating campaigns in the past, including attacks on Ukraine’s power infrastructure in December 2015 and the infamous NotPetya worm in 2017.
