Last year, Ukraine suffered more data-wiping malware than anywhere else, ever.


Andy Greenberg

Amid the tragic death toll of Russia’s brutal and catastrophic invasion of Ukraine, the effects of the Kremlin’s long campaign of destructive cyberattacks against its neighbor have, rightly, been treated as an afterthought. But after a year of war, it is clear that the cyberwar Ukraine has endured over the past year represents, by some measures, the most active digital conflict in history. Nowhere else on the planet has been targeted with more samples of data-destroying code in a single year.

Ahead of the first anniversary of Russia’s invasion, cybersecurity researchers at the Slovak cybersecurity firm ESET, as well as at Fortinet and the Google-owned incident response firm Mandiant, independently found that in 2022 Ukraine saw far more specimens of “wiper” malware than in any previous year of Russia’s long cyberwar against Ukraine, or, for that matter, in any other year, anywhere. That does not necessarily mean Ukraine was hit harder by Russian cyberattacks than in earlier years; in 2017, the Russian military intelligence hackers known as Sandworm released the massively destructive NotPetya worm. But the sheer volume of destructive code being developed points to a new kind of cyberwar that accompanied Russia’s physical invasion of Ukraine, one with an unprecedented speed and variety of cyberattacks.

“In terms of the number of separate wiper malware samples,” says Anton Cherepanov, senior malware researcher at ESET, “this is the most intense use of wipers in the history of computing.”

Researchers say they have seen Russian state-sponsored hackers unleash an unprecedented variety of data-destroying malware in Ukraine, a kind of Cambrian explosion of wipers. They saw specimens written in a wide range of programming languages and using different techniques to destroy the target machine’s data, from corrupting the partition tables used to organize hard drives, to repurposing Microsoft’s SDelete command-line tool, to wholesale overwriting of files with junk data.
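To make the three destruction techniques named above concrete from the defender's side, here is an added example, not code from the article or from ESET, Fortinet or Mandiant: a toy Python detector that runs over constructed, Sysmon-style events and flags SDelete invocations (including a renamed binary, caught via its original file name), write handles opened on a raw physical drive (the access a partition-table wiper needs), and a single process overwriting an unusual number of distinct files. The event field names, the thresholds and the sample events are all assumptions made for the example.

```python
"""Toy behavioural detector for wiper-style activity: an added example for
this article, not tooling from ESET, Fortinet or Mandiant. It reads
constructed, Sysmon-like event dicts and flags three behaviours the article
names: SDelete invocation, raw write access to a physical drive (what a
partition-table wiper needs), and mass overwriting of files."""
import re
from collections import defaultdict

# Assumptions chosen for the constructed sample; tune to the environment.
MASS_WRITE_THRESHOLD = 50  # distinct files written by one process
# \\.\PhysicalDrive0 or \\.\C: style device paths
RAW_DEVICE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|[A-Za-z]:)$")
# sdelete.exe / sdelete64.exe / sdelete64a.exe
SDELETE_NAME = re.compile(r"^sdelete(64a?)?\.exe$", re.IGNORECASE)


def detect_wiper_behaviour(events):
    """Return (pid, tag, detail) findings for the suspicious behaviours."""
    findings = []
    writes_by_pid = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            # Check the PE's OriginalFileName as well as the on-disk name,
            # so renaming sdelete.exe does not hide it.
            names = [ev.get("original_filename", ""), ev["image"].rsplit("\\", 1)[-1]]
            if any(SDELETE_NAME.match(n) for n in names if n):
                findings.append((pid, "sdelete", f"SDelete invoked: {ev['cmdline']}"))
        elif ev["type"] == "device_open":
            # Backup agents read the MBR; a *write* handle on the raw disk is the signal.
            if RAW_DEVICE.match(ev["target"]) and ev["access"] == "write":
                findings.append((pid, "raw_disk_write", f"write handle on {ev['target']}"))
        elif ev["type"] == "file_write":
            writes_by_pid[pid].add(ev["path"].lower())
    for pid, paths in writes_by_pid.items():
        if len(paths) >= MASS_WRITE_THRESHOLD:
            findings.append((pid, "mass_overwrite", f"{len(paths)} distinct files overwritten"))
    return findings


def sample_events():
    """Constructed telemetry: three wiper-like processes and two benign ones."""
    evs = [
        # renamed SDelete, recognised by original file name
        {"type": "process", "pid": 1200, "image": "C:\\Windows\\Temp\\cleanup.exe",
         "original_filename": "sdelete.exe", "cmdline": "cleanup.exe -p 2 -s C:\\Users"},
        # raw write handle on the first physical disk
        {"type": "device_open", "pid": 1300, "target": "\\\\.\\PhysicalDrive0", "access": "write"},
        # benign: backup agent only reads the disk
        {"type": "device_open", "pid": 900, "target": "\\\\.\\PhysicalDrive0", "access": "read"},
        # benign: an editor writing one file
        {"type": "process", "pid": 1400, "image": "C:\\Windows\\System32\\notepad.exe",
         "original_filename": "NOTEPAD.EXE", "cmdline": "notepad.exe notes.txt"},
        {"type": "file_write", "pid": 1400, "path": "C:\\Users\\alice\\notes.txt"},
    ]
    # one process overwriting 60 distinct documents
    evs += [{"type": "file_write", "pid": 1500,
             "path": f"C:\\Users\\alice\\Documents\\report{i}.docx"} for i in range(60)]
    return evs


if __name__ == "__main__":
    for finding in detect_wiper_behaviour(sample_events()):
        print(finding)
```

The point of matching on the original file name and on the access mode rather than on a sample hash is that each of these checks survives the code being rewritten in another language or recompiled: the behaviour, not the binary, is what stays constant across the families the researchers describe.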

In total, Fortinet counted 16 different wiper malware “families” in Ukraine over the past 12 months, compared with just one or two in previous years, even at the height of Russia’s cyberwar before its full-scale invasion. “… not talking, like, doubling or tripling,” says Derek Manky, head of Fortinet’s threat intelligence team. “It’s an explosion, order of magnitude.” That variety, the researchers say, may be a sign of the sheer number of malware developers Russia has assigned to target Ukraine, or of Russia’s efforts to build new variants that can stay a step ahead of Ukraine’s detection tools, particularly as Ukraine has hardened its cybersecurity defenses.

Fortinet also found that the growing volume of wiper malware specimens hitting Ukraine may be creating a broader proliferation problem. As those malware samples appeared on the VirusTotal malware repository, or even on the open-source code repository GitHub, Fortinet researchers say their network security tools have detected other hackers reusing those wipers against targets in 25 countries around the world. “Once this payload is developed, anyone can take it and use it,” Manky says.


Despite this abundant volume of wiper malware, Russia’s cyberattacks on Ukraine in 2022 have in some respects appeared relatively ineffective compared with previous years of its conflict there. Russia has launched repeated destructive cyberwar campaigns against Ukraine since the country’s 2014 revolution, all seemingly designed to weaken Ukraine’s resolve, sow chaos, and make Ukraine look like a failed state to the rest of the world. From 2014 to 2017, for instance, Russia’s GRU military intelligence agency carried out a series of unprecedented cyberattacks: it disrupted and then attempted to spoof the results of Ukraine’s 2014 presidential election, caused the first power outages ever triggered by hackers, and finally unleashed NotPetya, a self-replicating piece of malware that tore through Ukraine, destroying networks at government agencies, banks, hospitals and airports before spreading around the world to cause an unprecedented $10 billion in damage.

But since the beginning of 2022, Russia’s cyberattacks on Ukraine have shifted gears. Instead of masterpieces of malicious code that took months to create and deploy, as in Russia’s past attack campaigns, the Kremlin’s cyberattacks have accelerated into quick, dirty, relentless, repeated and relatively simple acts of sabotage.

In fact, Russia seems, to some degree, to have traded quality for quantity in its wiper code. Most of the twelve wipers launched in Ukraine in 2022 have been crude and straightforward in their data destruction, with none of the complex self-propagation mechanisms seen in older GRU wiper tools such as NotPetya, BadRabbit or Olympic Destroyer. In some cases they even show signs of rushed coding jobs. HermeticWiper, one of the first wipers to hit Ukraine just before the February 2022 invasion, used a stolen digital certificate to appear legitimate and evade detection, a sign of sophisticated pre-invasion planning. But HermeticRansom, a variant in the same malware family designed to look like ransomware to its victims, contained sloppy programming errors, according to ESET. HermeticWizard, an accompanying tool designed to spread HermeticWiper from system to system, was also oddly half-finished. It was designed to infect new machines by attempting to log in to them with hardcoded credentials, but it tried only 8 usernames and only 3 passwords: 123, Qaz123, and Qwerty123.
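As an added example (not code from the article, from ESET, or from any malware sample), the following Python detection targets the spreading pattern just described from the defender's side: one source failing logons against many hosts while cycling through a short, fixed list of accounts, each tried a few times, which is exactly the footprint a tool with 8 hardcoded usernames and 3 passwords leaves in Windows failed-logon (event 4625) telemetry. The one-line log format, the account names, the thresholds and the sample records are all constructed for the example.

```python
"""Credential-spray detection over constructed Windows failed-logon records.
Added example for this article, not code from ESET or from any wiper sample.
A source is flagged when, inside WINDOW, it fails logons against at least
MIN_HOSTS distinct hosts while using no more than MAX_ACCOUNTS accounts:
the signature of a short hardcoded credential list tried host by host."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: automated spreading is fast
MIN_HOSTS = 5                   # assumption: distinct targets before alerting
MAX_ACCOUNTS = 10               # a short fixed list, e.g. HermeticWizard's 8 usernames


def parse_record(line):
    """Parse a constructed line: '<ISO time> <event id> src=<ip> host=<name> user=<name>'."""
    ts, event_id, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(event_id), **fields}


def detect_credential_spray(records):
    """Return one alert per spraying source, sized to its widest qualifying window."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if r["event"] == 4625:  # failed logon only
            by_src[r["src"]].append(r)
    alerts = []
    for src, recs in by_src.items():
        best = None
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it fits inside WINDOW
            while recs[end]["time"] - recs[start]["time"] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            hosts = {r["host"] for r in window}
            users = {r["user"] for r in window}
            if len(hosts) >= MIN_HOSTS and len(users) <= MAX_ACCOUNTS:
                if best is None or len(hosts) >= best["hosts"]:
                    best = {"src": src, "hosts": len(hosts), "accounts": len(users),
                            "attempts": len(window), "users": sorted(users)}
        if best:
            alerts.append(best)
    return alerts


def sample_log_lines():
    """Constructed sample: one spraying source plus ordinary user typos."""
    users = ["administrator", "admin", "user", "guest", "test", "backup", "svc", "it"]
    lines = []
    t = datetime(2022, 2, 23, 21, 0, 0)
    for n in range(1, 7):            # six workstations in turn
        for u in users:              # eight accounts
            for _ in range(3):       # three guesses each, like a three-password list
                lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 4625 src=10.0.0.5 host=WS-0{n} user={u}")
                t += timedelta(seconds=2)
    # benign noise: one person mistyping a password on two machines, then succeeding
    for i in range(3):
        lines.append(f"2022-02-23T21:30:{i:02d}Z 4625 src=10.0.0.20 host=WS-03 user=bob")
    lines.append("2022-02-23T21:31:00Z 4625 src=10.0.0.20 host=WS-04 user=bob")
    lines.append("2022-02-23T21:31:05Z 4624 src=10.0.0.20 host=WS-04 user=bob")
    return lines


if __name__ == "__main__":
    for alert in detect_credential_spray([parse_record(l) for l in sample_log_lines()]):
        print(alert)
```

Counting distinct hosts per source, rather than failures per account, is what separates this from a plain lockout rule: a spray with three guesses per account never trips per-account thresholds, but the fan-out across machines from one origin is hard for the tool to hide.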

Perhaps the most impactful of all Russia’s wiper malware attacks against Ukraine in 2022 was AcidRain, data-destroying code that targeted Viasat’s satellite modems. That attack knocked out part of the Ukrainian military’s communications and even spread to satellite modems outside the country, disrupting the ability to monitor data from thousands of wind turbines in Germany. The custom coding needed to target the form of Linux used in those modems suggests, like the stolen certificate used in HermeticWiper, that the GRU hackers who launched AcidRain had prepared it well before Russia’s invasion.

But as the war dragged on, and Russia appeared less and less prepared for the long-term conflict it was mired in, its hackers turned to shorter-term attacks, perhaps in an effort to keep pace with a physical war whose front lines were constantly shifting. By May and June, the GRU was increasingly favoring repeated use of the CaddyWiper data-destruction tool, one of its simplest wiper specimens. According to Mandiant, the GRU deployed CaddyWiper five times in those two months and another four times in October, altering its code just enough to evade detection by antivirus tools.

Even then, however, the outpouring of new wiper variants has only continued: ESET, for instance, lists Prestige, NikoWiper, Somnia, RansomBoggs, BidSwipe, ZeroWipe and SwiftSlicer as new forms of destructive malware, often disguised as ransomware, that have appeared in Ukraine just since October.

But ESET doesn’t see this flood of wipers as some kind of intelligent evolution so much as a brute-force approach. Russia appears to be throwing every conceivable destructive tool at Ukraine in an effort to stay a step ahead of its defenders and inflict whatever additional chaos it can in the midst of an overwhelming physical conflict.

“You can’t say their technical sophistication is expanding or decreasing, but I would say they’re experimenting with all those other approaches,” says Robert Lipovsky, senior threat intelligence researcher at ESET. “Everyone is here and they’re looking to wreak havoc and cause disruption.”



© 2023 Condé Nast. All rights reserved. Use of this site constitutes acceptance of our User Agreement and Privacy Policy and Cookie Statement and your California Privacy Rights. WIRED may earn a share of sales of products purchased on our site through our partner partnerships with retailers. Materials on this site may not be reproduced, distributed, transmitted, cached or otherwise used unless you have the prior written permission of Condé Nast. Ad Choices
