"Five Data Wipers Attack Ukrainian News Agency"

Ukrainian cyber experts have discovered multiple pieces of destructive malware that were used earlier this month in an attack targeting the country’s national news agency, Ukrinform. After being asked by Ukrinform to investigate, a team at the country’s Computer Emergency Response Team (CERT-UA) discovered five scripts whose functionality is aimed at violating the integrity and availability of information (overwriting files/disks with zero bytes or arbitrary data and subsequently deleting them). According to the response team, the threat actors are believed to have gained unauthorized remote access to the Ukrinform network as far back as December 7, 2022, but bided their time before launching the destructive malware.

The response team noted that the five samples include one legitimate Windows utility, SDelete. The team found that the attackers made an unsuccessful attempt to disrupt the regular operation of users’ computers using the CaddyWiper and ZeroWipe malicious programs, as well as the legitimate SDelete utility (which was supposed to be launched using ‘news.bat’). The team also noted that, to distribute the malicious programs centrally, a group policy object (GPO) was created at the same time, which in turn ensured the creation of corresponding scheduled tasks.

The complete list of malware/software used in the attack is CaddyWiper, ZeroWipe, AwfulShred, BidSwipe, and SDelete. Taking into account the results of the study, the response team believes that the cyberattack was carried out by the UAC-0082 (Sandworm) group, whose activities are associated with the Russian Federation.

 

Infosecurity reports: "Five Data Wipers Attack Ukrainian News Agency"

Submitted by Anonymous on