Ukraine Suffered More Wiper Malware in 2022 Than Anywhere, Ever
Despite that sheer volume of wiper malware, Russia’s cyberattacks against Ukraine in 2022 have in some respects seemed relatively ineffective compared to previous years of its conflict there. Russia has launched repeated destructive cyberwarfare campaigns against Ukraine since the country’s 2014 revolution, all seemingly designed to weaken Ukraine’s resolve to fight, sow chaos, and make Ukraine appear to the international community to be a failed state. From 2014 to 2017, for instance, Russia’s GRU military intelligence agency carried out a series of unprecedented cyberattacks: They disrupted and then attempted to spoof results for Ukraine’s 2014 presidential election, caused the first-ever blackouts triggered by hackers, and finally unleashed NotPetya, a self-replicating piece of wiper malware that hit Ukraine, destroying hundreds of networks across government agencies, banks, hospitals, and airports before spreading globally to cause a still-unmatched $10 billion in damage.
But since early 2022, Russia’s cyberattacks against Ukraine have shifted into a different gear. Instead of masterpieces of malevolent code that required months to create and deploy, as in Russia’s earlier attack campaigns, the Kremlin’s cyberattacks have accelerated into quick, dirty, relentless, repeated, and relatively simple acts of sabotage.
In fact, Russia appears, to some degree, to have swapped quality for quantity in its wiper code. Most of the dozen-plus wipers launched in Ukraine in 2022 have been relatively crude and straightforward in their data destruction, with none of the complex self-spreading mechanisms seen in older GRU wiper tools like NotPetya, BadRabbit, or Olympic Destroyer. In some cases, they even show signs of rushed coding jobs. HermeticWiper, one of the first wiping tools that hit Ukraine just ahead of the February 2022 invasion, used a stolen digital certificate to appear legitimate and avoid detection, a sign of sophisticated pre-invasion planning. But HermeticRansom, a variant in the same family of malware designed to appear as ransomware to its victims, included sloppy programming errors, according to ESET. HermeticWizard, an accompanying tool designed to spread HermeticWiper from system to system, was also bizarrely half-baked. It was designed to infect new machines by attempting to log in to them with hardcoded credentials, but it only tried eight usernames and just three passwords: 123, Qaz123, and Qwerty123.
Perhaps the most impactful of all of Russia’s wiper malware attacks on Ukraine in 2022 was AcidRain, a piece of data-destroying code that targeted Viasat satellite modems. That attack knocked out a portion of Ukraine’s military communications and even spread to satellite modems outside the country, disrupting the ability to monitor data from thousands of wind turbines in Germany. The customized coding needed to target the form of Linux used on those modems suggests, like the stolen certificate used in HermeticWiper, that the GRU hackers who launched AcidRain had carefully prepared it ahead of Russia’s invasion.
But as the war has progressed—and as Russia has increasingly appeared unprepared for the longer-term conflict it mired itself in—its hackers have switched to shorter-term attacks, perhaps in an effort to match the pace of a physical war with constantly changing front lines. By May and June, the GRU had come to increasingly favor the repeated use of the data-destruction tool CaddyWiper, one of its simplest wiper specimens. According to Mandiant, the GRU deployed CaddyWiper five times in those two months and four more times in October, changing its code only enough to avoid detection by antivirus tools.
Even then, however, the explosion of new wiper variants has only continued: ESET, for instance, lists Prestige, NikoWiper, Somnia, RansomBoggs, BidSwipe, ZeroWipe, and SwiftSlicer all as new forms of destructive malware—often posing as ransomware—that have appeared in Ukraine since just October.
But ESET doesn’t see that flood of wipers as a kind of intelligent evolution, so much as a kind of brute-force approach. Russia appears to be throwing every possible destructive tool at Ukraine in an effort to stay ahead of its defenders and inflict whatever additional chaos it can in the midst of a grinding physical conflict.
“You can’t say their technical sophistication is increasing or decreasing, but I would say they’re experimenting with all these different approaches,” says Robert Lipovsky, ESET’s principal threat intelligence researcher. “They’re all in, and they’re trying to wreak havoc and cause disruption.”