An Overview of the 9 Data Wipers Used in the Ukraine War
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
This report serves as a high-level comparative overview of the 9 wipers analyzed by Insikt Group in association with the ongoing Ukraine/Russia war. It is meant to provide insight into the similarities and differences between the tools and the geopolitical implications of their development and usage. The intended audience of this report is those looking for a high-level technical overview of the wipers. Sources used include reverse engineering tools, OSINT, the Recorded Future® Platform, and PolySwarm.
Executive Summary
Although the Ukraine/Russia war is primarily a physical conflict, it also moved into cyberspace: in the run-up to the war and during its first two months or so, several destructive data wipers targeting Ukrainian organizations appeared. The 9 wipers analyzed by Insikt Group share the same high-level destructive goal but differ in their technical implementation and in the operating systems they target, so they are likely distinct tools written by different authors. Over time the wipers also became simpler at the technical level, with fewer stages, less obfuscation, and fewer attempts to masquerade as ransomware, yet they did not reach the level of sophistication of other known Russian state-sponsored malware.
The wiper deployment activity aligns with prior Russian state-sponsored cyber operations against Ukraine as well as other nations; these efforts often occur before and during active conflict and are likely intended to act as a “force multiplier” for Russian military operations. Ongoing efforts to deploy disruptive cyber operations against Ukrainian targets show that the Russian government almost certainly considers such operations to be valuable, and suggest that these efforts will likely continue.
Key Judgments
- The 6 wipers analyzed by Insikt Group in association with the Ukraine/Russia conflict all share the high-level destructive purpose of rendering Windows systems inoperable, while the other wipers targeted Linux systems (including satellite modems).
- The wipers share no obvious code similarities with one another and are unlikely to be iterations or new versions of each other.
- HermeticWiper was the only wiper found to be distributed by a worm component, known as HermeticWizard. HermeticWizard restricted its spread to local IP addresses within the victim’s network, preventing the external distribution seen with other worm incidents like NotPetya.
- The wipers themselves contained no network connectivity that could additionally exfiltrate victim data, which suggests that their purpose was the targeted destruction of specific organizations.
Background
There is an observable, historical pattern of entities, very likely acting in support of Russian government interests, engaging in cyber operations prior to and concurrent with Russian military operations. Such operations date back to at least August 2008, when reports describe pro-Russian hacktivists engaging in a series of sustained Distributed Denial of Service (DDoS) attacks and website defacements against a number of Georgian government, banking, media, communications, and transportation resources at approximately the same time the Russian military was launching an offensive in South Ossetia and engaging in a bombing campaign throughout Georgia. Since 2014, Russian state-sponsored advanced persistent threat (APT) groups affiliated with the Russian Main Intelligence Directorate (GRU), such as Sandworm, have consistently engaged in cyber operations against important domestic sectors in Ukraine, such as the electric power grid in both 2015 and 2016 (1, 2), as well as "utility companies, banks, airports, and government agencies" in 2017. Following the launch of Russia's full-scale invasion and subsequent war in Ukraine, Sandworm and other likely GRU-affiliated threat activity groups again engaged in attempts to deploy cyber attacks in concert with military operations against Ukrainian entities, most recently via the deployment of a series of unsuccessful data wiping attacks. This report explores the malware, its timing, the tactics, techniques, and procedures (TTPs) involved in these wiper attacks, and what this means for the overall conflict.