Sandworm APT group hit Ukrainian news agency with five data wipers

The Ukrainian (CERT-UA) discovered five different wipers deployed on the network of the country’s national news agency, Ukrinform.

On January 17, 2023, the Telegram channel “CyberArmyofRussia_Reborn” reported the compromise of the systems at the Ukrainian National Information Agency “Ukrinform”.

The Ukrainian Computer Emergency Response Team (CERT-UA) immediately investigated the claims and as of January 27, 2023, found five samples of data wipers:

• CaddyWiper (Windows)
• ZeroWipe (Windows)
• SDelete (Windows)
• AwfulShred (Linux)
• BidSwipe (FreeBSD)

“As of January 27, 2023, 5 samples of malicious programs (scripts) were detected functionality of which is aimed at violating the integrity and availability of information (writing files/disks with zero bytes/arbitrary data and their subsequent deletion)” reads the report published by the CERT-UA.

“It was found that the attackers made an unsuccessful attempt to disrupt the regular operation of users’ computers using the CaddyWiper and ZeroWipe malicious programs, as well as the legitimate SDelete utility (which was supposed to be launched using “news.bat”).”

The attackers attempted to disrupt the regular operation of target systems using the CaddyWiper and ZeroWipe, as well as the legitimate SDelete utility that was allegedly launched using the file “news.bat”. The attackers also created a group policy object (GPO) to distribute the CaddyWiper malware.

However, the attack attempt partially failed because the threat actors were able to wipe out the data only on some of the news agency’s systems, such as several data storage systems, which didn’t impact the operations at the Ukrainian agency.

According to the report, threat actors conducted a reconnaissance of the Ukrinform agency no later than December 7, 2022, and breached its systems on January 17, 2023.

The CERT-UA attributes the attack to the Russia-linked APT group UAC-0082 (aka Sandworm, BlackEnergy, and TeleBots).

The Sandworm group has been active since 2000, it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017.

In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe. 

On September 2022, the Sandworm group was observed impersonating telecommunication providers to target Ukrainian entities with malware.

Last week, researchers from ESET discovered a new Golang-based wiper, dubbed SwiftSlicer, that was used in attacks aimed at Ukraine. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Sandworm)