Overview of the 9 Data Wipers Used in the Ukraine War
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
This report serves as a high-level comparative overview of the 9 wipers analyzed by Insikt Group in association with the ongoing Ukraine/Russia war. It is meant to provide insight into the similarities and differences between the tools and the geopolitical implications of their development and usage. The intended audience of this report is those looking for a high-level technical overview of the wipers. Sources used include reverse engineering tools, OSINT, the Recorded Future® Platform, and PolySwarm.
Executive Summary
The war between Ukraine and Russia is primarily a kinetic conflict, but in the lead-up to the war and during its first two-plus months, several destructive data wipers targeting Ukrainian entities emerged, carrying the conflict into cyberspace. The 9 wipers analyzed by Insikt Group shared the same high-level destructive goal but differed in their technical implementation and in the operating systems they targeted, suggesting that each is a distinct tool, likely created by different authors. Over time the wipers also became simpler at a technical level, for example through a reduction in the number of stages, the presence of obfuscation, and attempts to pose as ransomware, but none was as sophisticated as other known Russian state-sponsored malware.
The wiper deployment activity aligns with prior Russian state-sponsored cyber operations against Ukraine as well as other nations; these efforts often occur before and during active conflict and are likely intended to act as a “force multiplier” for Russian military operations. Ongoing efforts to deploy disruptive cyber operations against Ukrainian targets show that the Russian government almost certainly considers such operations to be valuable, and suggest that these efforts will likely continue.
Key Judgments
- Six of the wipers analyzed by Insikt Group in connection with the Ukraine/Russia conflict serve the same high-level destructive purpose: rendering Windows machines inoperable. The remaining wipers targeted Linux systems, including satellite modems.
- The wipers share no obvious code similarities with one another and are unlikely to be iterations or new versions of each other.
- HermeticWiper was the only wiper found to be distributed by a worm component, known as HermeticWizard. HermeticWizard restricted its spread to local IP addresses within the victim’s network, preventing the external distribution seen with other worm incidents like NotPetya.
- The wipers themselves contain no network connectivity for exfiltrating victim data, suggesting that their objective was the destruction of specific entities' systems rather than data theft.
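The HermeticWizard judgment above describes a propagation pattern that is detectable independently of any particular sample: one host contacting many peers on its own network over SMB/WMI-style ports in a short window, with no corresponding external spread. The following is an added detection example written for this page; it is not code from the Insikt Group report or from any of the wipers. It assumes a constructed CSV flow-record format (`timestamp,src,dst,dst_port`), the RFC 1918 ranges as "local", TCP ports 135/139/445 as the lateral-movement ports, and a 5-minute window with a threshold of 10 distinct local destinations; all of these are assumptions to be tuned to the environment.

```python
"""Flag hosts fanning out to many local peers (worm-like lateral spread).

Added example, not from the report. The sample flows below are constructed
to show the pattern; the ports, ranges, window and threshold are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: SMB/RPC ports typical of Windows lateral movement.
LATERAL_PORTS = {135, 139, 445}

# Assumption: the victim's internal address space is the RFC 1918 blocks.
LOCAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_local(ip: str) -> bool:
    """True if ip falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_flow(line: str):
    """Parse one constructed 'ts,src,dst,dport' record into a tuple."""
    ts, src, dst, dport = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst, int(dport)


def fanout_alerts(lines, window=timedelta(minutes=5), threshold=10):
    """Return {src: n} for sources that reached >= threshold distinct local
    destinations on lateral-movement ports within any sliding window.
    External destinations and non-lateral ports are ignored, so a host that
    talks to many Internet hosts on 443 does not trip this logic."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport in LATERAL_PORTS and is_local(dst) and src != dst:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        counts = defaultdict(int)  # distinct destinations currently in window
        start, best = 0, 0
        for ts, dst in events:
            counts[dst] += 1
            # Evict events older than the window before measuring fan-out.
            while ts - events[start][0] > window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best >= threshold:
            alerts[src] = best
    return alerts


def build_sample_flows():
    """Constructed flow records for illustration (not real telemetry)."""
    base = datetime(2022, 2, 23, 16, 0, 0)
    lines = []
    # Worm-like host sweeping 20 peers on its /24 over SMB within two minutes.
    for i in range(1, 21):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()},10.1.2.50,10.1.2.{i},445")
    # Admin workstation repeatedly reaching one file server: one destination, not fan-out.
    for i in range(15):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()},10.1.2.60,10.1.2.10,445")
    # Host with many external HTTPS connections: not lateral movement.
    for i in range(1, 16):
        lines.append(f"{(base + timedelta(seconds=3 * i)).isoformat()},10.1.2.70,203.0.113.{i},443")
    # Slow crawl: 12 peers over an hour, never more than 2 inside a 5-minute window.
    for i in range(1, 13):
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()},10.1.2.80,10.1.2.{100 + i},135")
    return lines


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for src, n in fanout_alerts(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {n} distinct local hosts on lateral ports within 5 minutes")
```

The slow-crawl host shows why the window matters: it touches 12 peers in total but only 2 within any 5-minute span, so lowering the threshold rather than widening the window is the knob for catching a deliberately throttled sweep. The external-only host is deliberately excluded, matching the report's observation that HermeticWizard kept its spread inside the victim's network; a NotPetya-style spread to external addresses would need a second rule keyed on non-local destinations.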
Background
There is an observable, historical pattern of entities, very likely acting in support of Russian government interests, engaging in cyber operations prior to and concurrent with Russian military operations. Such operations date back to at least August 2008, when reports describe pro-Russian hacktivists engaging in a series of sustained Distributed Denial of Service (DDoS) attacks and website defacements against a number of Georgian government, banking, media, communications, and transportation resources at approximately the same time the Russian military was launching an offensive in South Ossetia and engaging in a bombing campaign throughout Georgia. Since 2014, Russian state-sponsored advanced persistent threat (APT) groups affiliated with the Russian Main Intelligence Directorate (GRU), such as Sandworm, have consistently engaged in cyber operations against important domestic sectors in Ukraine, such as the electric power grid in both 2015 and 2016 (1, 2), as well as "utility companies, banks, airports, and government agencies" in 2017. Following the launch of Russia's full-scale invasion and subsequent war in Ukraine, Sandworm and other likely GRU-affiliated threat activity groups again attempted to deploy cyber attacks in concert with military operations against Ukrainian entities, most recently via a series of unsuccessful data wiping attacks. This report explores the malware, its timing, the tactics, techniques, and procedures (TTPs) involved in these wiper attacks, and what this means for the overall conflict.