The Ukrainian Computer Emergency Response Team (CERT-UA) found a cocktail of five different data-wiping malware strains deployed on the network of the country’s national news agency (Ukrinform) on January 17th.
“As of January 27, 2023, 5 samples of malicious programs (scripts) were detected, the functionality of which is aimed at violating the integrity and availability of information (writing files/disks with zero bytes/arbitrary data and their subsequent deletion),” CERT-UA said (automated translation from Ukrainian).
The list of destructive malware deployed in the attack against Ukrinform includes CaddyWiper (Windows), ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), and BidSwipe (FreeBSD).
Two of the five strains, ZeroWipe and BidSwipe, are either new malware or are tracked by the Ukrainians under different names than those used by anti-malware vendors.
The attackers launched the CaddyWiper malware using a Windows group policy (GPO), showing that they had breached the target’s network beforehand.
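Because the wiper was pushed through Group Policy, a defender's first question is which GPOs changed recently and what scripts or scheduled tasks they carry. The following PowerShell review is an added example written for this page; it is not CERT-UA's tooling or anything from the article. It assumes a domain-joined administrative host with the RSAT GroupPolicy and ActiveDirectory modules installed, and the 30-day window in `$lookbackDays` is an assumed value to adjust to the incident timeline (here the gap between the December intrusion and the January wiping).

```powershell
# Added example (not from the article or CERT-UA): surface GPO changes and
# GPO-staged payloads that a wiper deployment via Group Policy would leave behind.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$lookbackDays = 30                      # assumption: review window in days
$since  = (Get-Date).AddDays(-$lookbackDays)
$domain = (Get-ADDomain).DNSRoot
$policyRoot = "\\$domain\SYSVOL\$domain\Policies"

# 1. GPOs modified inside the window. Deploying a binary or script by GPO
#    requires editing a GPO, so the modification time and owner are the first leads.
Write-Host "== GPOs modified since $since =="
Get-GPO -All |
    Where-Object { $_.ModificationTime -ge $since } |
    Sort-Object ModificationTime -Descending |
    Select-Object DisplayName, Id, Owner, ModificationTime |
    Format-Table -AutoSize

# 2. Machine startup/shutdown scripts staged in SYSVOL. Every domain member can
#    read these, so a newly written file here is worth pulling for analysis.
Write-Host "== Machine startup/shutdown script files written since $since =="
Get-ChildItem -Path $policyRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        $_.FullName -match '\\Machine\\Scripts\\(Startup|Shutdown)\\' -and
        $_.LastWriteTime -ge $since
    } |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

# 3. Scheduled tasks pushed by Group Policy Preferences live in ScheduledTasks.xml;
#    the Command/Arguments elements show what would run on each member.
Write-Host "== Commands in GPP ScheduledTasks.xml files =="
Get-ChildItem -Path $policyRoot -Recurse -Filter 'ScheduledTasks.xml' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host $_.FullName
        Select-String -Path $_.FullName -Pattern '<Command>|<Arguments>' |
            ForEach-Object { '    ' + $_.Line.Trim() }
    }
```

Run it from a host with read access to SYSVOL and the GroupPolicy module; each section prints to the console. The matches are leads, not verdicts: compare GPO owners and modification times against your change records, and hash any script or binary found under a recently modified policy before treating it as benign. Blocking GPO edits to a small, audited set of accounts is the matching preventive control.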
As CERT-UA found during the investigation, the threat actors gained remote access to Ukrinform’s network around December 7th and waited more than a month to unleash the malware cocktail.