Despite such a massive volume of data-wiping malware, Russia’s cyberattacks on Ukraine in 2022 appear relatively ineffective in some respects compared to previous years of its conflict there. Since the 2014 revolution, Russia has unleashed repeated destructive cyberwarfare campaigns against Ukraine, all of which appear to have been designed to weaken Ukraine’s resolve to fight, sow chaos, and present Ukraine to the international community as a failed state. For example, from 2014 to 2017, the Russian military intelligence agency GRU launched a series of unprecedented cyberattacks: it disrupted and then attempted to fake the results of the 2014 Ukrainian presidential election, caused the first ever hacker-induced power outages, and finally launched NotPetya, a self-replicating wiper that hit Ukraine, destroying hundreds of networks in government offices, banks, hospitals and airports before spreading around the world and causing a hitherto unrivaled $10 billion in damage.
But since the beginning of 2022, Russian cyberattacks on Ukraine have shifted to another gear. Instead of masterpieces of malicious code that took months to create and deploy, as in earlier Russian attacks, the Kremlin’s cyberattacks have become quick, dirty, ruthless, repetitive, and relatively simple acts of sabotage.
In fact, Russia seems to have traded quality for quantity in its wiper code to some extent. Most of the dozen-plus wipers launched in Ukraine in 2022 were relatively crude, straightforward data-destruction tools, without any of the complex self-propagation mechanisms seen in older GRU wiper tools like NotPetya, BadRabbit or Olympic Destroyer. In some cases, they even show signs of hasty coding. HermeticWiper, one of the first wipers to hit Ukraine shortly before the February 2022 invasion, used a stolen digital certificate to appear legitimate and avoid detection, a sign of sophisticated pre-invasion planning. But HermeticRansom, a variant of the same malware family designed to appear to its victims as ransomware, contained sloppy software bugs, according to ESET. HermeticWizard, a companion tool designed to spread HermeticWiper from system to system, was also oddly half-baked. It was designed to infect new machines by trying to log in with hard-coded credentials, but tried only eight usernames and only three passwords: 123, Qaz123, and Qwerty123.
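The propagation step described above, a small fixed list of usernames and passwords tried against every reachable host, leaves a recognisable footprint in authentication logs: one source failing network logons against many different accounts within seconds. The script below is an added example, not code from the article or from ESET; its log records are constructed, and their field layout is an assumed simplification of Windows Security event 4625 (failed logon).

```python
"""Flag sources that replay a short credential list across many accounts.

Detection-only example. The records below are constructed, not real telemetry,
and the 'ts event src= user= type=' layout is an assumed simplification of
Windows Security event 4625 (failed logon, logon type 3 = network).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = [
    # Constructed: one host works through a fixed username list in 20 seconds.
    "2022-02-23T21:00:01Z 4625 src=10.0.0.5 user=administrator type=3",
    "2022-02-23T21:00:03Z 4625 src=10.0.0.5 user=admin type=3",
    "2022-02-23T21:00:06Z 4625 src=10.0.0.5 user=user type=3",
    "2022-02-23T21:00:09Z 4625 src=10.0.0.5 user=guest type=3",
    "2022-02-23T21:00:12Z 4625 src=10.0.0.5 user=test type=3",
    "2022-02-23T21:00:15Z 4625 src=10.0.0.5 user=backup type=3",
    "2022-02-23T21:00:21Z 4625 src=10.0.0.5 user=admin type=3",
    # Constructed: a real user mistyping one password three times (benign).
    "2022-02-23T21:02:00Z 4625 src=10.0.0.9 user=jsmith type=3",
    "2022-02-23T21:02:07Z 4625 src=10.0.0.9 user=jsmith type=3",
    "2022-02-23T21:02:15Z 4625 src=10.0.0.9 user=jsmith type=3",
    # Constructed: a successful logon, which the detector ignores.
    "2022-02-23T21:02:30Z 4624 src=10.0.0.9 user=jsmith type=3",
]


def parse(line):
    """Split one record into a dict with a datetime, event id and key=value fields."""
    ts, event_id, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(event_id), **fields}


def detect_spray(lines, min_users=5, window=timedelta(seconds=60)):
    """Return {source: set(usernames)} for every source that fails network logons
    against at least `min_users` distinct accounts inside any `window`."""
    by_src = defaultdict(list)
    for rec in map(parse, lines):
        if rec["event"] == 4625 and rec.get("type") == "3":
            by_src[rec["src"]].append((rec["ts"], rec["user"]))
    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()  # chronological, so a sliding window is a forward scan
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = users
                break
    return alerts


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible credential spray from {src}: {sorted(users)}")
```

Threshold and window are tuning knobs; repeated failures against a single account, as in the benign records, do not trip the detector.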
Perhaps the most influential of all Russian malware attacks on Ukraine in 2022 was AcidRain, a data-destroying piece of code that targeted Viasat satellite modems. The attack disabled some of Ukraine’s military communications and even spread to satellite modems outside the country, disrupting the ability to monitor data from thousands of wind turbines in Germany. The custom coding required to work with the Linux system used in these modems suggests, like the stolen certificate used in HermeticWiper, that the GRU hackers who launched AcidRain carefully prepared it before the Russian invasion.
But as the war progressed, and as Russia proved ever more unprepared for the long-term conflict it had entered, its hackers switched to short-term attacks, perhaps in an attempt to match the pace of physical warfare with its ever-shifting front lines. By May and June, the GRU was increasingly inclined to reuse the CaddyWiper data-destruction tool, one of its simplest wipers. According to Mandiant, the GRU deployed CaddyWiper five times in those two months and four more times in October, changing its code only enough to avoid detection by antivirus tools.
Even then, however, the explosion of new wipers only continued: ESET, for example, lists Prestige, NikoWiper, Somnia, RansomBoggs, BidSwipe, ZeroWipe, and SwiftSlicer as new forms of destructive malware, often posing as ransomware, that have appeared in Ukraine only since October.
But ESET sees this stream of wipers not as an intellectual evolution but as a kind of brute-force approach. Russia appears to be throwing every possible destructive tool at Ukraine in an attempt to get ahead of its defenders and create as much chaos as possible in the midst of a heavy physical conflict.
“It’s not that their level of technical sophistication is going up or down, but I would say they are experimenting with all these different approaches,” says Robert Lipovsky, ESET Principal Threat Researcher. “They’re all in business and they’re trying to wreak havoc and cause disruptions.”