Sandworm hackers strike again! Ukraine's national news agency targeted with a de...
A recent cybersecurity incident in Ukraine has brought to light the deployment of a cocktail of five different data-wiping malware strains on the network of the country's national news agency, Ukrinform. The Ukrainian Computer Emergency Response Team (CERT-UA) discovered the attack on January 17th, and as of January 27th, five samples of malicious programs had been identified. These programs aimed to violate the integrity and availability of information by overwriting files and disks with zero bytes or arbitrary data, and then deleting them.
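Overwriting with zeros or arbitrary data leaves a recognisable residue on any storage that survives the attack: a zero-filled file, or a file whose leading bytes no longer match the format its extension implies. The following triage script is an added example, not code from the original article or from CERT-UA, showing how an incident responder might classify files on a recovered volume into intact, zero-filled and random-filled buckets. The magic-byte table and the 4096-byte inspection window are assumptions chosen for illustration, and the sample inputs are constructed in the script.

```python
import math
import os
from collections import Counter
from typing import Dict

# Leading magic bytes by extension. Illustrative subset (an assumption), not an exhaustive table.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".exe": b"MZ",
    ".gz": b"\x1f\x8b",
}

# Only the leading window is inspected: wipers that overwrite headers are caught,
# and large files do not have to be read in full during triage.
WINDOW = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: 0.0 for a constant fill, close to 8.0 for random data."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(data: bytes, ext: str) -> str:
    """Heuristic verdict for one file's content, given its extension."""
    head = data[:WINDOW]
    if not head:
        return "empty"
    # Zero-byte overwrite (the CaddyWiper-style case) is unambiguous.
    if head.count(0) == len(head):
        return "zero-filled"
    expected = MAGIC.get(ext.lower())
    if expected is not None:
        if head.startswith(expected):
            # Header matches; high entropy is expected for compressed formats, so treat as intact.
            return "intact"
        if shannon_entropy(head) > 7.5:
            # Header gone and content looks random: consistent with an arbitrary-data overwrite.
            return "random-filled"
        return "header-mismatch"
    # No known magic for this extension: only the entropy signal is available.
    if shannon_entropy(head) > 7.5:
        return "high-entropy"
    return "unknown"


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify a mapping of filename -> content, keyed by filename."""
    return {name: classify(data, os.path.splitext(name)[1]) for name, data in files.items()}


# Constructed sample inputs standing in for files recovered from a storage system.
ARBITRARY = bytes(range(256)) * 16  # deterministic stand-in for "arbitrary data" (entropy 8.0)
SAMPLES = {
    "report.pdf": b"\x00" * WINDOW,                      # zero-byte overwrite
    "budget.docx": ARBITRARY,                            # random overwrite, header destroyed
    "archive.zip": b"PK\x03\x04" + ARBITRARY,            # intact compressed file, high entropy
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 100,    # intact, mostly zero payload
    "notes.txt": b"Editorial schedule for next week\n",  # no magic known, low entropy
    "empty.pdf": b"",                                    # deleted/truncated
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:14s} {verdict}")
```

The verdicts are heuristics for prioritising a responder's attention, not proof of tampering: a key file or an unknown container format will land in "high-entropy" legitimately, and the script says nothing about raw disk overwrites, which require examining the volume rather than its files.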
The list of destructive malware used in the attack includes CaddyWiper (Windows), ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), and BidSwipe (FreeBSD). SDelete is Microsoft's own Sysinternals secure-delete utility rather than custom malware, abused here as a living-off-the-land wiper. Notably, two of the five strains, ZeroWipe and BidSwipe, are either new malware or are tracked by the Ukrainians under different names than those used by anti-malware vendors.
Further investigation by CERT-UA revealed that the attackers had gained remote access to Ukrinform's network around December 7th and waited over a month before launching the malware cocktail. However, their attempt to wipe all the data on the news agency's systems was unsuccessful: the wipers only managed to destroy files on a limited number of data storage systems, which did not impact Ukrinform's operations.
CERT-UA has linked the attack to the Sandworm threat group, a hacking outfit that is believed to be part of Russian Military Unit 74455 of the Main Intelligence Directorate (GRU). Sandworm has previously been linked to other cyberattacks against Ukrainian targets, including a failed attempt in April 2022 against a large Ukrainian energy provider that used a similar tactic, deploying the CaddyWiper data wiper to erase traces left by Industroyer ICS malware.
Since Russia invaded Ukraine in February 2022, multiple strains of data-wiping malware have been deployed on the networks of Ukrainian targets, including DoubleZero, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, and AcidRain. Furthermore, Microsoft and Slovak software company ESET have also linked recent ransomware attacks targeting Ukraine to the Sandworm hacking group.