Pages

28 February 2023

Ukraine Suffered More Data-Wiping Malware Last Year Than Anywhere, Ever


AMIDST THE TRAGIC toll of Russia's brutal and catastrophic invasion of Ukraine, the effects of the Kremlin's long-running campaign of destructive cyberattacks against its neighbor have often—rightfully—been treated as an afterthought. But after a year of war, it's becoming clear that the cyberwar Ukraine has endured for the past year represents, by some measures, the most active digital conflict in history. Nowhere on the planet has ever been targeted with more specimens of data-destroying code in a single year.

Ahead of the one-year anniversary of Russia's invasion, cybersecurity researchers at Slovakian cybersecurity firm ESET, network security firm Fortinet, and Google-owned incident-response firm Mandiant have all independently found that in 2022, Ukraine saw far more specimens of “wiper” malware than in any previous year of Russia's long-running cyberwar targeting Ukraine—or, for that matter, any other year, anywhere. That doesn't necessarily mean Ukraine has been harder hit by Russian cyberattacks than in past years; in 2017 Russia's military intelligence hackers known as Sandworm released the massively destructive NotPetya worm. But the growing volume of destructive code hints at a new kind of cyberwar that has accompanied Russia's physical invasion of Ukraine, with a pace and diversity of cyberattacks that's unprecedented.

“In terms of the sheer number of distinct wiper malware samples,” says ESET senior malware researcher Anton Cherepanov, “this is the most intense use of wipers in all computer history.”

Researchers say they're seeing Russia's state-sponsored hackers throw an unprecedented variety of data-destroying malware at Ukraine in a kind of Cambrian Explosion of wipers. They've found wiper malware samples there that target not just Windows machines, but Linux devices and even less common operating systems like Solaris and FreeBSD. They've seen specimens written in a broad array of different programming languages, and with different techniques to destroy target machines' code, from corrupting the partition tables used to organize databases to repurposing Microsoft's SDelete command line tool, to overwriting files wholesale with junk data.

In total, Fortinet counted 16 different “families” of wiper malware in Ukraine over the past 12 months, compared to just one or two in previous years, even at the height of Russia's cyberwar prior to its full-scale invasion. “We're not talking about, like, doubling or tripling,” says Derek Manky, the head of Fortinet's threat intelligence team. “It's an explosion, another order of magnitude.” That variety, researchers say, may be a sign of the sheer number of malware developers whom Russia has assigned to target Ukraine, or of Russia's efforts to build new variants that can stay ahead of Ukraine's detection tools, particularly as Ukraine has hardened its cybersecurity defenses.

Fortinet has also found that the growing volume of wiper malware specimens hitting Ukraine may in fact be creating a more global proliferation problem. As those malware samples have shown up on the malware repository VirusTotal or even the open-source code repository Github, Fortinet researchers say its network security tools have detected other hackers reusing those wipers against targets in 25 countries around the world. “Once that payload is developed, anyone can pick it up and use it,” Manky says.

Despite that sheer volume of wiper malware, Russia's cyberattacks against Ukraine in 2022 have in some respects seemed relatively ineffective compared to previous years of its conflict there. Russia has launched repeated destructive cyberwarfare campaigns against Ukraine since the country's 2014 revolution, all seemingly designed to weaken Ukraine's resolve to fight, sow chaos, and make Ukraine appear to the international community to be a failed state. From 2014 to 2017, for instance, Russia's GRU military intelligence agency carried out a series of unprecedented cyberattacks: They disrupted and then attempted to spoof results for Ukraine's 2014 presidential election, caused the first-ever blackouts triggered by hackers, and finally unleashed NotPetya, a self-replicating piece of wiper malware that hit Ukraine, destroying hundreds of networks across government agencies, banks, hospitals, and airports before spreading globally to cause a still-unmatched $10 billion in damage.

But since early 2022, Russia's cyberattacks against Ukraine have shifted into a different gear. Instead of masterpieces of malevolent code that required months to create and deploy, as in Russia's earlier attack campaigns, the Kremlin's cyberattacks have accelerated into quick, dirty, relentless, repeated, and relatively simple acts of sabotage.

In fact, Russia appears, to some degree, to have swapped quality for quantity in its wiper code. Most of the dozen-plus wipers launched in Ukraine in 2022 have been relatively crude and straightforward in their data destruction, with none of the complex self-spreading mechanisms seen in older GRU wiper tools like NotPetya, BadRabbit, or Olympic Destroyer. In some cases, they even show signs of rushed coding jobs. HermeticWiper, one of the first wiping tools that hit Ukraine just ahead of the February 2022 invasion, used a stolen digital certificate to appear legitimate and avoid detection, a sign of sophisticated pre-invasion planning. But HermeticRansom, a variant in the same family of malware designed to appear as ransomware to its victims, included sloppy programming errors, according to ESET. HermeticWizard, an accompanying tool designed to spread HermeticWiper from system to system, was also bizarrely half-baked. It was designed to infect new machines by attempting to log in to them with hardcoded credentials, but it only tried eight usernames and just three passwords: 123, Qaz123, and Qwerty123.

Perhaps the most impactful of all of Russia's wiper malware attacks on Ukraine in 2022 was AcidRain, a piece of data-destroying code that targeted Viasat satellite modems. That attack knocked out a portion of Ukraine's military communications and even spread to satellite modems outside the country, disrupting the ability to monitor data from thousands of wind turbines in Germany. The customized coding needed to target the form of Linux used on those modems suggests, like the stolen certificate used in HermeticWiper, that the GRU hackers who launched AcidRain had carefully prepared it ahead of Russia's invasion.

But as the war has progressed—and as Russia has increasingly appeared unprepared for the longer-term conflict it mired itself in—its hackers have switched to shorter-term attacks, perhaps in an effort to match the pace of a physical war with constantly changing front lines. By May and June, the GRU had come to increasingly favor the repeated use of the data-destruction tool CaddyWiper, one of its simplest wiper specimens. According to Mandiant, the GRU deployed CaddyWiper five times in those two months and four more times in October, changing its code only enough to avoid detection by antivirus tools.

Even then, however, the explosion of new wiper variants has only continued: ESET, for instance, lists Prestige, NikoWiper, Somnia, RansomBoggs, BidSwipe, ZeroWipe, and SwiftSlicer all as new forms of destructive malware—often posing as ransomware—that have appeared in Ukraine since just October.

But ESET doesn't see that flood of wipers as a kind of intelligent evolution, so much as a kind of brute-force approach. Russia appears to be throwing every possible destructive tool at Ukraine in an effort to stay ahead of its defenders and inflict whatever additional chaos it can in the midst of a grinding physical conflict.

“You can’t say their technical sophistication is increasing or decreasing, but I would say they’re experimenting with all these different approaches,” says Robert Lipovsky, ESET's principal threat intelligence researcher. “They're all in, and they're trying to wreak havoc and cause disruption.”

No comments:

Post a Comment