Despite that massive amount of wiping malware, Russia’s 2022 cyberattacks on Ukraine in some ways seemed relatively ineffective compared to previous years of its conflict there. Russia has repeatedly launched destructive cyberwar campaigns against Ukraine since the 2014 revolution, all seemingly designed to weaken Ukraine’s resolve to fight, sow chaos, and make Ukraine appear to the international community as a failed state. For example, from 2014 to 2017, the Russian military intelligence agency GRU carried out a series of unprecedented cyberattacks: it disrupted and then attempted to falsify the results of the 2014 presidential election in Ukraine, triggered the first-ever blackouts caused by hackers, and finally unleashed NotPetya, a self-replicating piece of wiping malware that hit Ukraine, destroying hundreds of government agency networks, banks, hospitals, and airports before spreading globally and causing a still-unparalleled $10 billion worth of damage.
But since early 2022, Russian cyberattacks on Ukraine have shifted into a different gear. Instead of masterpieces of malicious code that took months to create and deploy, as in Russia’s previous attack campaigns, the Kremlin’s cyberattacks have accelerated into quick, nasty, ruthless, repeated, and relatively simple acts of sabotage.
In fact, Russia appears to have traded quality for quantity in its wiper code to some extent. Most of the more than a dozen wipers launched in Ukraine in 2022 are relatively crude and straightforward in their data destruction, lacking the complex self-propagating mechanisms seen in older GRU wiper tools such as NotPetya, BadRabbit, or Olympic Destroyer. In some cases, they even show signs of rushed coding. HermeticWiper, one of the first wiping tools to hit Ukraine just before the February 2022 invasion, used a stolen digital certificate to appear legitimate and avoid detection, a sign of advanced pre-invasion planning. But HermeticRansom, a variant in the same family of malware designed to appear as ransomware to its victims, contained sloppy programming errors, according to ESET. HermeticWizard, a companion tool designed to spread HermeticWiper from system to system, was also bizarrely half-baked. It was designed to infect new machines by attempting to log into them with hard-coded credentials, but it tried only eight usernames and only three passwords: 123, Qaz123, and Qwerty123.
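A spreader that cycles a fixed, tiny credential list against every host it can reach leaves a recognisable footprint in authentication telemetry: a short burst of failed network logons from one source to one target, rotating through a handful of usernames. The detector below is an added example written for this article, not code from ESET or from any of the tools it describes; the log records, usernames, thresholds and time window are all constructed assumptions, sized to the 8 usernames × 3 passwords (24 attempts per target) that HermeticWizard is reported to try.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed network-logon records (not real telemetry):
# (timestamp, source_host, target_host, username)
_T0 = datetime(2022, 2, 24, 3, 0, 0)
_USERS = [f"svc{i}" for i in range(8)]   # stand-ins for the 8 hard-coded usernames
SAMPLE_EVENTS = [
    # worm-like burst: 8 usernames x 3 attempts, one source, one target, 5 s apart
    (_T0 + timedelta(seconds=5 * n), "ws-07", "srv-fileshare", _USERS[n % 8])
    for n in range(24)
] + [
    # benign noise: a user mistyping a password twice against another host
    (_T0 + timedelta(minutes=1), "ws-12", "srv-mail", "alice"),
    (_T0 + timedelta(minutes=1, seconds=20), "ws-12", "srv-mail", "alice"),
]


def detect_credential_cycling(events, window=timedelta(minutes=5),
                              min_attempts=20, min_users=5):
    """Return (source, target, attempts, distinct_users) for every source/target
    pair with at least `min_attempts` failures inside one `window` while cycling
    through at least `min_users` distinct usernames. Thresholds are assumptions
    tuned to a 24-try hard-coded credential list; lower them for noisier estates."""
    by_pair = defaultdict(list)
    for ts, src, dst, user in events:
        by_pair[(src, dst)].append((ts, user))
    hits = []
    for (src, dst), attempts in by_pair.items():
        attempts.sort()                      # chronological order per pair
        best = (0, 0)
        left = 0
        for right in range(len(attempts)):
            # advance the left edge so the window never spans more than `window`
            while attempts[right][0] - attempts[left][0] > window:
                left += 1
            users = {u for _, u in attempts[left:right + 1]}
            count = right - left + 1
            if count >= min_attempts and len(users) >= min_users and count > best[0]:
                best = (count, len(users))
        if best[0]:
            hits.append((src, dst, best[0], best[1]))
    return hits
```

Run over the constructed sample, the burst from ws-07 is flagged while the two mistyped logons from ws-12 are not; in production the same logic would consume Windows 4625 events or Samba authentication failures. 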
Perhaps the most impactful of all Russian wiper malware attacks on Ukraine in 2022 was AcidRain, a piece of data-destroying code that targeted Viasat satellite modems. That attack knocked out some of Ukraine’s military communications and even spread to satellite modems outside the country, disrupting the ability to monitor data from thousands of wind turbines in Germany. The custom coding required to target the form of Linux used on those modems, like the stolen certificate used in HermeticWiper, suggests that the GRU hackers who launched AcidRain carefully prepared it before Russia invaded.
But as the war progressed — and as Russia seemed increasingly unprepared for the protracted conflict it had found itself embroiled in — the hackers have turned to short-term attacks, perhaps trying to match the pace of a physical war with constantly shifting front lines. By May and June, the GRU had come to rely on repeated use of the data destruction tool CaddyWiper, one of the simplest wipers. According to Mandiant, the GRU deployed CaddyWiper five times in those two months and another four times in October, changing the code only enough to avoid detection by antivirus products.
But even then, the explosion of new wiper variants just kept going: ESET, for example, lists Prestige, NikoWiper, Somnia, RansomBoggs, BidSwipe, ZeroWipe and SwiftSlicer as new forms of destructive malware – often masquerading as ransomware – that have appeared in Ukraine since October.
ESET doesn’t see this deluge of wipers as some kind of intelligent evolution, but rather as a kind of brute force. Russia appears to be throwing every possible destructive means at Ukraine in an effort to get ahead of its defenders and create as much chaos as possible in the midst of a harrowing physical conflict.
“You can’t say their technical sophistication is increasing or decreasing, but I would say they are experimenting with all these different approaches,” said Robert Lipovsky, ESET’s chief threat intelligence researcher. “They’re all in and they’re trying to wreak havoc and create disruptions.”