
Overview of the 9 Distinct Data Wipers Used in the Ukraine War

This report serves as a high-level comparative overview of the 9 wipers analyzed by Insikt Group in association with the ongoing Ukraine/Russia war. It is meant to provide insight into the similarities and differences between the tools and the geopolitical implications of their development and usage. The intended audience of this report is those looking for a high-level technical overview of the wipers. Sources used include reverse engineering tools, OSINT, the Recorded Future® Platform, and PolySwarm.
Executive Summary
While the Ukraine/Russia war is primarily a kinetic conflict, several destructive data wipers targeting Ukrainian entities emerged in the immediate lead-up to and during the first 2-plus months of the war, bringing the conflict into cyberspace. The 9 wipers analyzed by Insikt Group had the same high-level destructive goal but differed in technical implementation and in the operating systems they targeted, suggesting that each was a distinct tool, possibly created by different authors. Over time, the wipers also became simpler at a technical level: fewer stages, less obfuscation, and fewer attempts to masquerade as ransomware. None of them reached the level of sophistication of some other known Russian state-sponsored malware.
The wiper deployment activity aligns with prior Russian state-sponsored cyber operations against Ukraine as well as other nations; these efforts often occur before and during active conflict and are likely intended to act as a “force multiplier” for Russian military operations. Ongoing efforts to deploy disruptive cyber operations against Ukrainian targets show that the Russian government almost certainly considers such operations to be valuable, and suggest that these efforts will likely continue.
Key Judgments
- 6 of the 9 wipers associated with the Ukraine/Russia conflict and analyzed by Insikt Group serve the same high-level destructive purpose of rendering a Windows machine inoperable; the other 3 targeted Linux systems (including satellite modems).
- The wipers do not share obvious code similarities between them and are unlikely to be iterations on, or new versions of, each other.
- HermeticWiper was the only wiper found to be distributed by a worm component, known as HermeticWizard. HermeticWizard restricted its spread to local IP addresses within the victim’s network, preventing the external distribution seen with other worm incidents like NotPetya.
- None of the wipers themselves contained any network connectivity functionality that would permit them to exfiltrate victim data, suggesting that their purpose was the targeted destruction of specific entities rather than theft.
Background
There is an observable historical pattern in which entities, very likely acting in the interests of the Russian government, conduct cyber operations before and during Russian military operations. Such operations date back to at least August 2008, when reports described pro-Russian hacktivists carrying out a series of distributed denial-of-service (DDoS) attacks and website defacements against a number of Georgian government, banking, media, communications, and transportation resources, at roughly the same time that the Russian military was launching an offensive in South Ossetia and conducting a bombing campaign across Georgia. Since 2014, Russian state-backed advanced persistent threat (APT) groups affiliated with the Main Intelligence Directorate (GRU), such as Sandworm, have regularly conducted cyber operations against significant national sectors in Ukraine, such as the power grid in 2015 and 2016 (1, 2), as well as "utility companies, banks, airports, and government agencies" in 2017. Following the launch of Russia's full-scale invasion and the ensuing war in Ukraine, Sandworm and other malicious groups likely affiliated with the GRU have again attempted to conduct cyberattacks in coordination with military operations against Ukrainian entities, most recently through a series of unsuccessful data-wiping attacks. This report examines the malware, its timing, and the tactics, techniques, and procedures (TTPs) used in these wiper attacks, and what this means for the conflict as a whole.