Another Destructive Wiper Targets Organizations in Ukraine

CaddyWiper is one in a barrage of data-wiping cyber-attacks to hit the country since January as the war on the ground with Russia marches on.

Researchers have discovered yet another destructive data-wiping malware targeting organizations in Ukraine, the third to be found in as many weeks attacking systems in the country that’s currently defending itself against a Russian physical invasion.

A team from cybersecurity firm ESET on Monday uncovered the malware, which they dubbed CaddyWiper, researchers said in a blog post published Tuesday.

“The wiper, which destroys user data and partition information from attached drives, was spotted on several dozen systems in a limited number of organizations,” researchers wrote in the post. “It is detected by ESET products as Win32/KillDisk.NCX.”

Infosec Insiders Newsletter

CaddyWiper follows the spotting of HermeticWiper and IsaacWiper targeting Ukraine — though it bears no resemblance to them, researchers said.

However, similar to HermeticWiper—which was discovered on Feb. 23, the day before the Russian invasion — “there’s evidence to suggest that the bad actors behind CaddyWiper infiltrated the target’s network before unleashing the wiper,” researchers said.

Advanced Wiper Attack

The HermeticWiper attack came just hours after a series of distributed denial-of-service (DDoS) onslaughts knocked several important websites in the country offline, according to ESET. Attackers also deployed a novel trojan called FoxBlade against key Ukrainian digital infrastructure, hours before the physical invasion by Russia, Microsoft researchers reported.

While specific details about exactly how CaddyWiper works have yet to be divulged, ESET researchers took a deeper dive into HermeticWiper in a previous blog post on March 1. Evidence also has emerged that one of the HermeticWiper malware samples was compiled back on Dec. 28, signaling that the wiper attacks were primed two months before the Russian military assault.

HermeticWiper is a Windows executable with four legitimate drivers from the EaseUS Partition Master software signed by CHENGDU YIWO Tech Development Co. The drivers are embedded in the malware’s resources and implement low-level disk operations, according to ESET.

Depending on the OS version, HeremeticWiper choses one of those four drivers is and then drops it in C:\Windows\System32\drivers\<4 random letters>.sys, where it loads by creating a service.

“HermeticWiper then proceeds by disabling the Volume Shadow Copy Service (VSS) and wipes itself from disk by overwriting its own file with random bytes,” according to ESET researchers.

The HermeticWiper attack also used a custom worm dubbed HermeticWizard for propagating the wiper inside local networks, as well as HermeticRansom, a decoy ransomware used in the attack, according to ESET. A free decryptor later was released to unlock HermeticRansom, which also targeted organizations in Lithuania and Latvia.

Following the HermeticWiper attack, on the day the kinetic war began in Ukraine, cyberattackers deployed the “less sophisticated” IsaacWiper in an organization unconnected to the HermeticWiper attacks, according to ESET.

Consistent Barrage of Attacks

Even before the three wiper attacks occurred in succession, Russian-based cyber actors have been barraging Ukraine with wiper attacks, often disguised as ransomware, researchers have observed. The cyber-war occurring concurrently with the conflict on the ground is seen by many as Russia attempting to undermine Ukraine’s position as a sovereign nation from as many angles as it can.

Prior to Russia’s invasion, Ukraine was the target of a Master Boot Record (MBR) wiper attack that started Jan. 13, which was discovered and dubbed WhisperGate by Microsoft researchers. The wiper had previously been used against government systems, nonprofit organizations and IT companies in Ukraine.

In that attack, perpetrators provided a ransom note as one of several efforts to make it look like a ransomware attack. However, the attack really served to destroy MBRs and the contents of the files it targets, researchers from the Microsoft Threat Intelligence Center said at the time.

Indeed, Ukraine has been on the receiving end of a number of highly disruptive cyberattacks since 2014, according to ESET; that’s also the year a coup toppled pro-Russian President Viktor Yanukovych. Among those cyberattacks was the now-infamous NotPetya attack, which originated in the Ukraine in 2017 before spreading globally to become one of the worst cyberattacks in history.

Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.

Suggested articles