Overview of the 9 Distinct Data Wipers Used in the Ukraine War

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

This report serves as a high-level comparative overview of the 9 wipers analyzed by Insikt Group in association with the ongoing Ukraine/Russia war. It is meant to provide insight into the similarities and differences between the tools and the geopolitical implications of their development and usage. The intended audience of this report is those looking for a high-level technical overview of the wipers. Sources used include reverse engineering tools, OSINT, the Recorded Future® Platform, and PolySwarm.

Executive Summary

While the Ukraine/Russia war is primarily a kinetic conflict, several destructive data wipers targeting Ukrainian entities emerged in the immediate lead-up to and during the first 2-plus months of the war, bringing the conflict to cyberspace. The 9 wipers analyzed by Insikt Group had the same high-level destructive goal but differed in technical implementation and the operating systems they targeted, suggesting that each was a distinct tool, possibly created by different authors. Over time, the wipers also became more simplistic at a technical level, including reductions in the number of stages, the existence of obfuscation, and attempts to masquerade as ransomware, though none were at the level of sophistication of some other known Russian state-sponsored malware.

The wiper deployment activity aligns with prior Russian state-sponsored cyber operations against Ukraine as well as other nations; these efforts often occur before and during active conflict and are likely intended to act as a “force multiplier” for Russian military operations. Ongoing efforts to deploy disruptive cyber operations against Ukrainian targets show that the Russian government almost certainly considers such operations to be valuable, and suggest that these efforts will likely continue.

Key Judgments

• 6 of the wipers associated with the Ukraine/Russia conflict analyzed by Insikt Group all serve the same high-level destructive purpose of rendering a Windows machine inoperable; the other wipers targeted Linux systems (including satellite modems).
• The wipers do not share obvious code similarities between them and are unlikely to be iterations on, or new versions of, each other.
• HermeticWiper was the only wiper found to be distributed by a worm component, known as HermeticWizard. HermeticWizard restricted its spread to local IP addresses within the victim’s network, preventing the external distribution seen with other worm incidents like NotPetya.
• None of the wipers themselves contained any network connectivity functionality that would permit them to exfiltrate victim data further, suggesting that their purpose was targeted destruction of specific entities.

Background

There is an observable, historical pattern of entities, very likely acting in support of Russian government interests, engaging in cyber operations prior to and concurrent with Russian military operations. Such operations date back to at least August 2008 when reports describe pro-Russian hacktivists engaging in a series of sustained Distributed Denial of Service (DDoS) attacks and website defacements against a number of Georgian government, banking, media, communications, and transportation resources at approximately the same time the Russian military was launching an offensive in South Ossetia and engaging in a bombing campaign throughout Georgia. Since 2014, Russian state-sponsored advanced persistent threat (APT) groups affiliated with the Russian Main Intelligence Directorate (GRU), such as Sandworm, have consistently engaged in cyber operations against important domestic sectors in Ukraine, such as the electric power grid in both 2015 and 2016 (1, 2, as well as “utility companies, banks, airports, and government agencies” in 2017. Following the launch of Russia’s full-scale invasion and subsequent war in Ukraine, Sandworm and other likely GRU-affiliated threat activity groups again engaged in attempts to deploy cyber attacks in concert with military operations against Ukrainian entities, most recently via the deployment of a series of unsuccessful data wiping attacks. This report explores the malware, its timing, and the tactics, techniques, and procedures (TTPs) involved with these wiper attacks, and what this means for the overall conflict.