Data-wiper malware strains surge as Ukraine battles ongoing invasion
Besides files being erased, another thing being deleted: Any sense this is a coincidence
Security researchers have detailed six significant strains of data-wiping malware that have emerged in just the first quarter of 2022, a huge surge over previous years.
This increase coincides with the invasion of Ukraine, and all of these wipers have been used against that state's infrastructure and organizations. One of the wipers also took wind turbines in Germany offline, although satellite communication modems in Ukraine appear to have been the primary target of that particular attack.
"Although these haven't been officially attributed to Russian state-sponsored threat actors, their goals align with the Russian military's," wrote Fortinet security researcher Gergely Revay in a deep dive into the data-destroying malware as a whole. "It is widely theorized that these cyberattacks are intentionally being launched in concert with the invasion."
Here's Fortinet's breakdown of the emergence of significant file-trashing malware over the past few years:
Shamoon, 2012: Used to attack Saudi Aramco and Qatar's RasGas oil companies.
Dark Seoul, 2013: Attacked South Korean media and financial companies.
Shamoon, 2016: Returned to again attack Saudi Arabian organizations.
NotPetya, 2017: Originally targeted Ukrainian organizations, but due to its self-propagation capability, it became the most devastating malware to date.
Olympic Destroyer, 2018: Attack targeted against the Winter Olympics in South Korea.
Ordinypt/GermanWiper, 2019: Targeted German organizations with phishing emails in German.
Dustman, 2019: Iranian state-sponsored threat actors attacked Bapco, Bahrain's national oil company.
ZeroCleare, 2020: Attacked energy companies in the Middle East.
WhisperKill/WhisperGate, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.
HermeticWiper, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.
IsaacWiper, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.
CaddyWiper, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.
DoubleZero, 2022: Attacked Ukrainian organizations in parallel with the Ukraine-Russia war.
AcidRain, 2022: Attacked Viasat's KA-SAT satellite service provider.
That's six or so in just 2022 alone so far, versus about one a year previously. While the wipers have primarily targeted Ukrainian organizations to date, as the illegal and bloody Russian invasion of the nation continues, cybersecurity and law enforcement agencies warn that Kremlin-backed crime gangs may turn their destructive attacks toward Western governments and companies.
In a joint alert from CISA and the FBI posted on Thursday, the US agencies provide new indicators of compromise for WhisperGate malware and technical details for four other wipers that have been deployed against Ukraine since January.
"Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries," the Feds warned. "Organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event."
WhisperGate rings in 2022 with a bang
Microsoft identified 2022's first new strain of info-destroying malware, dubbed WhisperGate, being used against organizations in Ukraine on January 15. It has now been attributed to Ghostwriter, which is thought to be connected to Russia's GRU military intelligence service.
WhisperGate corrupts a Windows system's master boot record, displays a message, and encrypts files based on certain file extensions, according to CISA. And while the software nasty displays this ransomware note during the attack, it's a scam. The malware destroys the data, and it's not recoverable — so don't bother paying the ransom, Microsoft advised.
In the updated security alert, CISA and the FBI listed several new malicious hashes associated with WhisperGate that contain nefarious binaries, droppers and macros.
The binaries are predominantly .NET, typically contain multiple layers of obfuscation, and also contain multiple defenses including virtual machine checks, sandbox detection and evasion, and anti-debugging techniques, according to the Feds. "Finally, the sleep command was used in varying lengths via PowerShell to obfuscate execution on a victim's network," they noted.
Additionally, all WhisperGate Microsoft .doc files contain a nasty macro that is base64 encoded, and allows a PowerShell script to run a sleep command on the compromised device, connect to an external website, and then download the data wiper.
FortiGuard Labs also provided a detailed analysis of WhisperGate's data wiping techniques, and noted that its second stage downloads the file-corrupter components from a hardcoded Discord channel.
This component snoops through a victim's folders, looking for data files with extensions hardcoded in the malware. It then replaces the content of each of these files with 1 MB of 0xCC bytes and appends a random four-character extension to the file name, Revay wrote.
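The corruption pattern just described gives a responder something concrete to triage on: a file whose leading 1 MB is nothing but 0xCC, usually carrying an extra four-character extension. The following scanner is an added example, not FortiGuard's or CISA's code; it builds a constructed fixture in a temporary directory and flags files matching that pattern, and it assumes (the page does not say) that a file shorter than 1 MB counts as wiped when its entire content is 0xCC.

```python
from __future__ import annotations
import tempfile
from pathlib import Path

# Corruption pattern described above: the first 1 MB of each targeted file is
# overwritten with 0xCC bytes and a random 4-character extension is appended.
WIPED_PREFIX_LEN = 1024 * 1024
WIPED_FILL = b"\xcc"

def has_wiped_content(path: Path) -> bool:
    """True if the leading min(size, 1 MB) bytes are all 0xCC.
    Assumption (not on the page): a file shorter than 1 MB counts as wiped
    when its entire content is 0xCC."""
    size = path.stat().st_size
    if size == 0:
        return False
    check_len = min(size, WIPED_PREFIX_LEN)
    with path.open("rb") as fh:
        head = fh.read(check_len)
    return head == WIPED_FILL * check_len

def has_appended_extension(name: str | Path) -> bool:
    """Secondary indicator: an extra 4-character alphanumeric extension after
    the original one, e.g. report.docx.k3qz (constructed sample name)."""
    suffixes = Path(name).suffixes
    tail = suffixes[-1][1:] if len(suffixes) >= 2 else ""
    return len(tail) == 4 and tail.isalnum()

def scan_tree(root: Path) -> list[Path]:
    """Files under root whose content matches the wipe pattern."""
    return sorted(p for p in root.rglob("*") if p.is_file() and has_wiped_content(p))

def make_sample_tree(root: Path) -> None:
    """Constructed fixture: one wiped-looking file and one intact file."""
    wiped = WIPED_FILL * WIPED_PREFIX_LEN + b"original bytes beyond the 1 MB mark"
    (root / "report.docx.k3qz").write_bytes(wiped)
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04 intact placeholder content")

def demo_scan() -> dict[str, bool]:
    """Build the fixture in a temp dir and return {file name: flagged?}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_tree(root)
        hits = {p.name for p in scan_tree(root)}
        return {p.name: p.name in hits for p in root.iterdir()}

if __name__ == "__main__":
    for name, flagged in demo_scan().items():
        print(f"{name}: {'WIPED' if flagged else 'ok'}, appended ext: {has_appended_extension(name)}")
```

The content check is the primary signal; the name check is only corroborating, since a legitimate file can carry a four-letter extension and a wiped file may have been renamed since.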
While CISA's warning details five wipers used in conjunction with Russia's kinetic warfare in Ukraine — WhisperGate/WhisperKill, HermeticWiper, IsaacWiper, HermeticWizard and CaddyWiper — FortiGuard Labs counts a sixth, dubbed AcidRain.
Security researchers at SentinelOne discovered this malware last month and theorized that it was used in the attack on the Viasat KA-SAT satellite broadband service, deploying AcidRain on KA-SAT modems used in Ukraine. Viasat later confirmed that AcidRain was used in the attack, which also knocked 5,800 wind turbines offline in Germany.
The security shop's researchers also suggested with "medium-confidence" that the Kremlin-backed Sandworm gang is behind the AcidRain attack, and that this new wiper malware may be a successor to Russia's destructive VPNFilter.
Regardless of the final count, be it five or six new strains of wiper malware, seeing this many in the first quarter of 2022 "is unprecedented," Derek Manky, Fortinet's chief security strategist, told The Register. "Historically we've seen one in a year."
According to the security firm's analysis, this has been the case since 2012, with 2019 being the exception to the rule — until now. In 2019, Ordinypt targeted German organizations with phishing emails and that same year Iranian state-sponsored criminals attacked Bapco, Bahrain's national oil company, with a wiper named Dustman.
Jumping from one a year to five or six wipers just four months in illustrates the growing sophistication of cybercrime groups, Manky added.
"It's concerning, to say the least," he said. "It's not just about the monetization and financial aspect of cybercrime, but we're seeing cybercrime now becoming more sophisticated and destructive." ®