Russian APT group targets Ukrainian industry sectors with data wipers

Target Industry

Energy and media sectors.

Overview

The Russian Advanced Persistent Threat (APT) group Sandworm was reported to have targeted an energy sector organisation with the NikoWiper malware in an attack that occurred in October 2022. The group was also connected to a successful cyber-attack on the national news agency Ukrinform, during which five different data wiper strains were deployed on compromised systems. The attacks coincided with missile strikes by the Russian armed forces against Ukrainian energy infrastructure, indicating that the cyber and military objectives are linked.

The Computer Emergency Response Team of Ukraine (CERT-UA) identified the five wiper variants as:

  • CaddyWiper
  • ZeroWipe
  • SDelete
  • AwfulShred
  • BidSwipe.

The NikoWiper variant and the five samples listed above include one legitimate Windows utility, SDelete, a Microsoft command-line utility for securely deleting files.

CERT-UA reported within their advisory that:

“It was found that the attackers made an unsuccessful attempt to disrupt the regular operation of users’ computers using the CaddyWiper and ZeroWipe malicious programmes, as well as the legitimate SDelete utility.”

Separately, ESET disclosed another attack in which Sandworm deployed a brand-new wiper named ‘SwiftSlicer’ in a highly targeted attack against an unidentified Ukrainian organisation. The group distributed the malware via a Group Policy Object (GPO), suggesting that it had previously gained control of the target’s Active Directory environment. CERT-UA described Sandworm as using the same tactic to deploy ‘CaddyWiper’ on Ukrinform’s systems.

Impact

Threat actors typically deploy data wipers to sabotage target systems, so the malware needs little of the stealth and evasion capability that other types of malware require in order to succeed.

Two cyber security researchers have reported that data wiper malware has the following effects on target systems:

  • Backups: Most data wipers delete the volume shadow copies and the actual backups
  • Boot section data: The first 10 sectors (master boot record) are either erased or overwritten with a new boot loader
  • Data files: Data wipers either overwrite the file’s header or overwrite a specific number of bytes at random positions throughout the file. In either case, the affected files are rendered useless. Both methods also destroy the master file table (the NTFS structure used by recent versions of Windows), further reducing the likelihood of data recovery.
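The behaviours listed above (deletion of volume shadow copies, use of the SDelete utility) and the GPO-based deployment described earlier are the observable events a defender can hunt for before files are overwritten. The following is an added example, not code from the bulletin or from CERT-UA or ESET: it scans constructed process-creation records (Sysmon-style field names are assumed) with a small rule set and escalates hits whose parent process is the Group Policy script host. The field names, the rule set, the ATT&CK mapping (T1490 is not in the bulletin's own technique list) and the sample events are all assumptions made for this example.

```python
"""Detect wiper precursor activity in process-creation logs.

Added example, not from the bulletin or the vendors it cites. The
records below are constructed Sysmon-Event-1-like dictionaries; the
field names, rules and technique mapping are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # ATT&CK ID (mapping is this example's assumption)
    pattern: re.Pattern


# Behaviours from the Impact section: backup (shadow copy) deletion and
# use of the SDelete secure-delete utility.
RULES = (
    Rule("shadow_copy_deletion", "T1490",
         re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows"
                    r"|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    Rule("sdelete_utility", "T1485",
         re.compile(r"(^|[\\/\s])sdelete(64)?(\.exe)?\b", re.I)),
)

# Parent images that indicate the command was launched by a Group Policy
# script (assumed; ties to the GPO deployment the bulletin describes, T1484).
GPO_PARENTS = {"gpscript.exe"}

# Constructed sample events; only three of them should trigger a rule.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "image": r"C:\Users\Public\sdelete64.exe",
     "cmdline": r"sdelete64.exe -accepteula C:\data\*",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "fs02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Windows\System32\gpscript.exe"},
    {"host": "ws03", "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": "agent.exe --snapshot",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt",
     "parent": r"C:\Windows\explorer.exe"},
]


def scan(events):
    """Return one hit per (event, rule) match, flagging GPO-launched parents."""
    hits = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
        for rule in RULES:
            if rule.pattern.search(cmd):
                hits.append({
                    "host": ev["host"],
                    "rule": rule.name,
                    "technique": rule.technique,
                    "cmdline": cmd,
                    "gpo_launched": parent in GPO_PARENTS,
                })
    return hits


def hosts_by_severity(hits):
    """Group hosts: 'high' when a hit was launched by a Group Policy script,
    because that implies the domain itself is under attacker control."""
    out = {"high": set(), "medium": set()}
    for h in hits:
        out["high" if h["gpo_launched"] else "medium"].add(h["host"])
    out["medium"] -= out["high"]
    return out


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['host']:5} {h['technique']:7} {h['rule']:22} "
              f"gpo={h['gpo_launched']}  {h['cmdline']}")
    print(hosts_by_severity(found))
```

SDelete is a legitimate Sysinternals tool, so the second rule will fire on administrator use; in practice it is the combination of an unusual path (here a user-writable directory), an unusual parent, and a burst of such events across many hosts that separates a wiper deployment from routine maintenance.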

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against data wiper threats. EDRs can alert system users to potential breaches and prevent further progress before the malware can cause significant damage.

However, it has been reported that such solutions have themselves been manipulated: their own file-deletion capability was abused to destroy data, effectively making the security product behave like data wiper malware.

Affected Products

The reported data wipers target the following operating systems:

  • CaddyWiper: Windows OS
  • ZeroWipe: Windows OS
  • SDelete: Windows OS
  • NikoWiper: Windows OS
  • AwfulShred: Linux
  • BidSwipe: FreeBSD

Containment, Mitigations & Remediations

The Cybersecurity and Infrastructure Security Agency (CISA) recommends that the following mitigation steps are followed to prevent a successful data wiper attack from Sandworm:

  • Verify that all remote access to the organisation’s network and privileged or administrative access requires multi-factor authentication
  • Ensure that software is up to date, prioritising updates that address known exploited vulnerabilities identified by CISA
  • Confirm that the organisation’s IT personnel have disabled all ports and protocols that are not essential for business purposes
  • If the organisation is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance
  • Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behaviour
  • Enable logging in order to better investigate issues or events
  • Confirm that the organisation’s entire network is protected by anti-virus/anti-malware software and that signatures in these tools are updated
  • If working with Ukrainian companies, take extra care to monitor, inspect, and isolate traffic from those organisations; closely review access controls for that traffic
  • Test backup procedures to ensure that critical data can be rapidly restored if the organisation is impacted by a destructive cyberattack; ensure that backups are isolated from network connections
  • If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organisation’s network is unavailable or untrusted.

Indicators of Compromise

Because the NikoWiper variant has only recently emerged, no Indicators of Compromise (IoCs) for it have been identified at the time of writing. IoCs for the remaining data wiper variants are listed below:

CaddyWiper SHA256 file hashes:

  • CDA9310715B7A12F47B7C134260D5FF9200C147FC1D05F030E507E57E3582327
  • FC0E6F2EFFBFA287217B8930AB55B7A77BB86DBD923C0E8150551627138C9CAA
  • 1724A0A3C9C73F4D8891F988B5035EFFCE8D897ED42336A92E2C9BC7D9EE7F5A
  • 00782ccd65a1e03e3e74ce1e59e752926e0a050818fa195bd7e5a5b359500758

CaddyWiper IPv4 addresses:

  • 195[.]230[.]23[.]19
  • 91[.]245[.]255[.]243

SwiftSlicer SHA256 file hash (note: the value as published is 40 hexadecimal characters, the length of a SHA-1 digest rather than a SHA256 one, so check the digest type before loading it into a blocklist):

  • 7346E2E29FADDD63AE5C610C07ACAB46B2B1B176

SwiftSlicer endpoint detection:

  • WinGo/KillFiles.C trojan 3/3

ZeroWipe SHA256 file hash:

  • e3bc3689f01fd431cd2ed368ae91eceaa7c465c2781fa7b7dc2ec9143a404f79

SDelete SHA256 file hash (note: the value as published is 63 hexadecimal characters, one short of a full SHA256 digest, so it will not match a computed hash as written):

  • 8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c

AwfulShred SHA256 file hash:

  • 246607235d560e90590dcf1b0507ab18de74afcc4429d8d5f3ba97eacc92d73f

BidSwipe SHA256 file hash:

  • 66548ba6ca6d34b7d17e42ab2e1405db1c581a516e0b1a4942d373d6d5396ba4
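Indicator lists such as the one above are usually loaded straight into EDR or SIEM blocklists, where a mislabeled or truncated value silently never matches. The following is an added example, not code from the bulletin: it takes the hash and IP values exactly as listed above, classifies each digest by length so that non-SHA256 entries are flagged, re-fangs the defanged IPv4 addresses, and matches SHA-256 digests (or raw file bytes) against the well-formed indicators. The sample file content at the end is constructed and will not match any real indicator.

```python
"""Validate and apply the bulletin's hash and IP indicators.

Added example, not from the bulletin. Hash and IP values are copied
from the Indicators of Compromise section; everything else is this
example's own construction.
"""
import hashlib
import ipaddress
import re

# Digest kinds by hexadecimal length; anything else is malformed.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Hash values copied verbatim from the bulletin's IoC section.
RAW_HASHES = {
    "CaddyWiper": [
        "CDA9310715B7A12F47B7C134260D5FF9200C147FC1D05F030E507E57E3582327",
        "FC0E6F2EFFBFA287217B8930AB55B7A77BB86DBD923C0E8150551627138C9CAA",
        "1724A0A3C9C73F4D8891F988B5035EFFCE8D897ED42336A92E2C9BC7D9EE7F5A",
        "00782ccd65a1e03e3e74ce1e59e752926e0a050818fa195bd7e5a5b359500758",
    ],
    "SwiftSlicer": ["7346E2E29FADDD63AE5C610C07ACAB46B2B1B176"],
    "ZeroWipe": ["e3bc3689f01fd431cd2ed368ae91eceaa7c465c2781fa7b7dc2ec9143a404f79"],
    "SDelete": ["8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c"],
    "AwfulShred": ["246607235d560e90590dcf1b0507ab18de74afcc4429d8d5f3ba97eacc92d73f"],
    "BidSwipe": ["66548ba6ca6d34b7d17e42ab2e1405db1c581a516e0b1a4942d373d6d5396ba4"],
}

# Defanged addresses copied from the bulletin.
RAW_IPS = ["195[.]230[.]23[.]19", "91[.]245[.]255[.]243"]


def classify(value):
    """Return 'md5', 'sha1', 'sha256', 'malformed(N hex chars)' or 'invalid'."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return "invalid"
    return HASH_LENGTHS.get(len(v), f"malformed({len(v)} hex chars)")


def audit(raw):
    """Map each family to [(normalised value, kind)] so mislabeled entries stand out."""
    return {fam: [(v.lower(), classify(v)) for v in vals] for fam, vals in raw.items()}


def refang(value):
    """Turn '1[.]2[.]3[.]4' back into a validated dotted-quad string."""
    return str(ipaddress.ip_address(value.replace("[.]", ".")))


def build_index(raw):
    """Only well-formed SHA-256 values can be used for file matching."""
    return {v: fam for fam, pairs in audit(raw).items()
            for v, kind in pairs if kind == "sha256"}


INDEX = build_index(RAW_HASHES)


def lookup(digest):
    """Match a SHA-256 digest (any case) against the indicator index."""
    return INDEX.get(digest.strip().lower())


def lookup_bytes(data):
    """Hash raw file bytes and match them; None means no indicator hit."""
    return lookup(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for fam, pairs in audit(RAW_HASHES).items():
        for v, kind in pairs:
            flag = "" if kind == "sha256" else "  <-- not a SHA-256 value, check the source"
            print(f"{fam:12} {kind:24} {v}{flag}")
    print("refanged IPs:", [refang(ip) for ip in RAW_IPS])
    # Constructed sample content; will not match any real indicator.
    print("sample match:", lookup_bytes(b"constructed sample file content"))
```

Run against the list above, the audit marks the SwiftSlicer entry as a SHA-1 and the SDelete entry as malformed, leaving seven usable SHA-256 indicators; the same length check is worth applying to any third-party feed before it is trusted to block anything.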

Threat Landscape

The objective of Russian state actors such as Sandworm is highly likely the infliction of irreversible damage on the operations of targeted organisations in Ukraine, in support of Russia’s broader military objectives in the region. Sandworm’s widespread use of data wipers in recent campaigns is consistent with a broader increase in threat actor use of such malware, both in the period leading up to Russia’s invasion of Ukraine and in the months since. These attacks are the latest indication that the use of destructive wiper malware is on the rise and is increasingly the cyber weapon of choice amongst Russian threat actors.

So far, threat actors have used data wiping malware only sporadically against organisations in other global regions, and for different motives. That does not mean, however, that they will not launch similar campaigns in other regions if they choose to.

Threat Group

Sandworm is a well-known, state-backed threat actor that became notorious for high-profile cyber-attacks on Ukraine’s power infrastructure, using malware such as BlackEnergy, GreyEnergy and, more recently, Industroyer.

Mitre Methodologies

Traditional data wiper techniques:

  • T1484 – Domain Policy Modification: Group Policy Modification
  • T1485 – Data Destruction
  • T1561 – Disk Wipe
  • T1561.001 – Disk Wipe: Disk Content Wipe
  • T1561.002 – Disk Wipe: Disk Structure Wipe
