Russian wipers in the cyberwar against Ukraine

Thursday 29 September 2022, 09:30 - 10:00

Alexander Adamov (NioGuard Security Lab)

The story of Russian wipers used in Ukraine began in 2015 when the APT28 group (Russian GRU) attacked the Ukrainian power grid with the BlackEnergy backdoor and KillDisk wiper to take down the SCADA servers in the power distribution centres. Thus, the attackers left 230,000 residents in Western Ukraine without electricity for six hours.

Two years later, in June 2017, the same APT28 group ran a supply-chain attack delivered through another wiper, called NotPetya, which was a patched version of the Petya ransomware but without the ability to decrypt MFT.

This year we’ve been seeing an unprecedented chain of Russian cyberattacks against Ukrainian government organizations and critical infrastructure using a variety of different wipers that have nothing in common.

It all started with the WhisperGate operation, discovered by Microsoft on 13 January 2022, against Ukrainian financial and government institutions where a rather complex wiper was used that rewrote not only the MBR but also part of the data on all hard disks while being in boot mode.

The day before the Russian army invaded Ukraine (23 February 2022), the HermeticWiper malware was used in an attack against at least five government organizations in Ukraine. The wiper used legitimate drivers from the EaseUS Partition Master software to get direct access to disk partitions. The next day (24 February 2022), researchers from ESET detected another wiper, which they called IsaacWiper.

Later, on 14 March 2022, ESET discovered one more basic wiper, CaddyWiper, which simply fills the first 1920 bytes of disks with zeros, making a target system unbootable.

In April, CERT-UA reported a new attack against the Ukrainian power grid with a new version of the Industroyer malware used previously in 2016 by the Russian Sandworm group and an encoded version of the already known CaddyWiper that was launched and decoded using a patched version of the remote IDA debugger server ‘win32_remote.exe’ known to all reverse engineers. The attackers established a foothold in February 2022 and planned to take down the energy systems on the evening of Friday 8 April 2022.

The last attack may show that the Russian GRU (APT28, Sandworm) does not have enough resources to develop a new cyberweapon and switched to the malware reuse practice or “malware recycling”. Moreover, this tactic has already been seen in 2017, when the Russian APT28 group was using clones of open-source or stolen ransomware such as XData (originally AES-NI ransomware, whose source code had been stolen), PsCrypt (Globe), WannaCry.NET (similarly to WannaCry, the EternalBlue exploit was used in the .NET version of the ransomware), NotPetya (Petya’s binary was patched to irreversibly destroy an MFT) in the supply-chain attack via the compromised MEDoc software.

In the talk, we’ll run through the techniques that were used to deliver and execute the wipers as well as their destructive payloads and indicators that can be useful for attribution.

 


alexander-adamov.jpg

Alexander Adamov

Dr Alexander Adamov is the Founder and CEO of the research laboratory called NioGuard Security Lab, with 15+ years of experience in the analysis of cyberattacks. He teaches cybersecurity at NURE (Ukraine) and BTH (Sweden) universities and explores AI/ML capabilities in cybersecurity. He is a co-author of the EU Master's Program in cybersecurity. In cooperation with OSCE, he trained the Cyberpolice of Ukraine and shared the ransomware counteraction results with Europol. Alexander has spoken at various security conferences and workshops such as Virus Bulletin Conference, Virus Analyst Summit, OpenStack Summit, OWASP, and BSides events.

@Alex_Ad

Back to VB2022 Programme page

Other VB2022 papers

The threat is stronger than the execution: realities of hacktivism in the 2020s

VB2022 paper: The threat is stronger than the execution: the realities of hacktivism in the 2020s

Uncovering a broad criminal ecosystem powered by one of the largest botnets, Glupteba

VB2022 paper: Uncovering a broad criminal ecosystem powered by one of the largest botnets, Glupteba

Zeroing in on XENOTIME: analysis of the entities responsible for the Triton event

VB2022 paper: Zeroing in on XENOTIME: analysis of the entities responsible for the Triton event

Prilex: the pricey prickle credit card complex

VB2022 paper: Prilex: the pricey prickle credit card complex

Exploit archaeology: a forensic history of in-the-wild NSO Group exploits

VB2022 paper: Exploit archaeology: a forensic history of in-the-wild NSO Group exploits

Hunting the Android/BianLian botnet

VB2022 paper: Hunting the Android/BianLian botnet

EvilPlayout: attack against Iran’s state TV and radio broadcaster

VB2022 paper: EvilPlayout: attack against Iran’s state TV and radio broadcaster

Russian wipers in the cyberwar against Ukraine

VB2022 paper: Russian wipers in the cyberwar against Ukraine

War of the worlds: a study in a ransomware IR learnings & victories

VB2022 paper: War of the worlds: a study in a ransomware IR learnings & victories

Script kiddy on the deep & dark web: looks serious? But empty suit!

VB2022 presentation: Script kiddy on the deep & dark web: looks serious? But empty suit!

SHAREM: shellcode analysis framework with emulation, a disassember, and timeless debugging

VB2022 paper: SHAREM: shellcode analysis framework with emulation, a disassember, and timeless debugging

Combating control flow flattening in .NET malware

VB2022 paper: Combating control flow flattening in .NET malware

(Encryption) time flies when you're having fun: the case of the exotic BlackCat ransomware

VB2022 paper: (Encryption) time flies when you're having fun: the case of the exotic BlackCat ransomware

Sha Zhu Pan: cocktail of cryptocurrency, social engineering and fake apps targeting Android and iPhone users

VB2022 paper: Sha Zhu Pan: cocktail of cryptocurrency, social engineering and fake apps targeting Android and iPhone users

Web3 + scams = it's a match!

VB2022 paper: Web3 + scams = it's a match!

Operation Dragon Castling: suspected APT group hijacks WPS Office updater to target East Asian betting companies

VB2022 paper: Operation Dragon Castling: suspected APT group hijacks WPS Office updater to target East Asian betting companies

Scarcuft's information-gathering activities

VB2022 paper: Scarcuft's information-gathering activities

Unmasking WindTape

VB2022 paper: Unmasking WindTape

Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning

VB2022 paper: Tracking the entire iceberg - long-term APT malware C2 protocol emulation and scanning

Lazarus & BYOVD: evil to the Windows core

VB2022 paper: Lazarus & BYOVD: evil to the Windows core

Keeping up with the Emotets: configuration extraction and analysis

VB2022 paper: Keeping up with the Emotets: configuration extraction and analysis

Exploiting COVID-19: how threat actors hijacked a pandemic

VB2022 paper: Exploiting COVID-19: how threat actors hijacked a pandemic

The long arm of the prisoner: social engineering from Kenyan prisons

VB2022 paper: The long arm of the prisoner: social engineering from Kenyan prisons

CTA TIPS "What if"

VB2022 CTA Threat Intelligence Practitioners' Summit presentation: "What if"

CTA TIPS Finding IOCs in unexpected places

VB2022 CTA Threat Intelligence Practitioners' Summit presentation: Finding IOCs in unexpected places

CTA TIPS Threat intelligence sharing in practice – lessons learned from the Cyber Threat Alliance

VB2022 CTA Threat Intelligence Practitioners' Summit presentation: Threat intelligence sharing in practice – lessons learned…

CTA TIPS A Vulcan mindmeld: from your mind to my mind

VB2022 CTA Threat Intelligence Practitioners' Summit presentation: A Vulcan mindmeld: from your mind to my mind

CTA TIPS From threat intelligence to active defence based on Industroyer.V2

VB2022 CTA Threat Intelligence Practitioners' Summit presentation: From threat intelligence to active defence based on…

CTA TIPS Fireside chat: IMAGINE - changing the narrative in threat intelligence collaboration

VB2022 CTA Threat Intelligence Practitioners' Summit presentation: Fireside chat: IMAGINE - changing the narrative in threat…

CTA TIPS Enhanced threat intelligence for runtime detection

VB2022 CTA Threat Intelligence Practitioners' Summit presentation: Enhanced CTI with runtime memory forensics

CTA TIPS Tips for vetting and generating value in automated TI

VB2022 CTA Threat Intelligence Practitioners' Summit presentation: Tips for vetting and generating value in automated TI

CTA TIPS Closing keynote

VB2022 CTA Threat Intelligence Practitioners' Summit presentation: Closing keynote

The ATT&CK DarkHotel playbook: hunt and breach & attack simulation

VB2022 paper: The ATT&CK DarkHotel playbook: hunt and breach & attack simulation

Building resilience through threat intelligence (partner presentation)

VB2022 presentation: Building resilience through threat intelligence (partner presentation)

Workshop: Modern threat hunting

VB2022 workshop led by VirusTotal

Keynote: Why are you telling me this?

VB2022 keynote address: Why are you telling me this?

You OTA know: combating malicious Android system updaters

VB2022 paper: You OTA know: combating malicious Android system updaters

Creepy things that glow in the dark: a deep look at POLONIUM's undocumented tools

VB2022 paper: Creepy things that glow in the dark: a deep look at POLONIUM's undocumented tools

Lessons learned from 6 LAPSUS$ incident (responses)

VB2022 paper: Lessons learned from 6 LAPSUS$ incident (responses)

Your own personal Panda: inside the CVE-2022-1040 attack

VB2022 paper: Your own personal Panda: inside the CVE-2022-1040 attack

Operation MINAZUKI: underwater invasive espionage

VB2022 paper: Operation MINAZUKI: underwater invasive espionage

Good-bye macros: peeking into a threat landscape without Office macros

VB2022 paper: Good-bye macros: peeking into a threat landscape without Office macros

The impact of mobile networks on the 2022 Russian invasion of Ukraine

VB2022 paper: The impact of mobile networks on the 2022 Russian invasion of Ukraine

Not Safe for Windows (NSFW): a China-based threat with a lot to say

VB2022 paper: Not Safe for Windows (NSFW): a China-based threat with a lot to say

An inconvenient truth about Apple security updates

VB2022 paper: An inconvenient truth about Apple security updates

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.