
One Year of Wiper Attacks in Ukraine


ESET Research has put together a timeline of cyberattacks that employed wiper malware and were carried out since Russia’s invasion of Ukraine in 2022. The report catalogues disruptive wiper attacks witnessed by ESET, as well as attacks reported by other trusted sources, including CERT-UA, Microsoft, and SentinelOne. The attacks varied in degree and were linked to Sandworm. The majority of the attacks analysed occurred in Ukraine. The report suggests that the intensification of wiper campaigns since the military invasion in February 2022 has been unprecedented. The weapons of choice used by cybercriminals in the attacks against Ukrainian institutions have been disruptive wipers, and wipers presented as ransomware.

The report notes that the use of wipers by Russian APT groups, particularly Sandworm, against Ukrainian entities is not new. It details wiper campaigns dating as far back as 2014, with BlackEnergy’s disruptive plugins and the TeleBots subgroup’s endeavours, including NotPetya, among the most infamous. However, the report observes that activity has escalated with the spike in cyberattacks since the 2022 invasion.

The report lists a series of wiper attacks detected and stopped by ESET researchers. The first incident documented was the deployment of the WhisperGate malware that targeted Ukrainian institutions on January 14th, 2022. HermeticWiper was deployed on February 23rd, 2022, with the cyberattack occurring just hours before Russian Federation forces invaded Ukraine. Numerous other wiper attacks with different techniques were also listed, including those launched using the Hermetic campaign, the ArguePatch loader, and the DesertBlade and AcidRain wipers.

The compilation also examined wiper activity during the quieter summer months in the region, which saw fewer catalogued incidents but still included significant ones. These include cases of ArguePatch and CaddyWiper deployment against Ukrainian institutions that were carefully monitored by CERT-UA. Two similar cases occurred in the week starting June 20th, 2022, and another on June 23rd, 2022.

The report records that cyberattacks intensified significantly as temperatures dipped and preparations were made for the northern winter. On October 3rd, 2022, researchers discovered a new version of CaddyWiper that was compiled as an x64 Windows binary, a change from the previously used variants. On October 11th, 2022, a previously unknown wiper named NikoWiper was deployed against a company in the Ukrainian energy sector.

In January 2023, the disruptive attacks against Ukrainian entities continued, with a breach reported on January 1st, 2023, revealing the execution of the SDelete utility at a Ukrainian software reseller. According to CERT-UA, on January 17th, 2023, Ukrainian news agencies experienced an attack using multiple wipers such as ZeroWipe, SDelete, AwfulShred, and BidSwipe.

In conclusion, the report emphasises the unprecedented intensification of wiper campaigns since Russia’s invasion of Ukraine. It highlights that many of these attacks have been identified and neutralised. However, the researchers argue that it is crucial to continue monitoring the situation, as cyberattacks of this sort are expected to continue.
