The single event that much of the world feared would happen as soon as Russian military forces were assembled on the borders of Ukraine and within Belarus happened during the early hours of Thursday morning. The result of the invasion has unleashed a raft of sanctions on the Russian financial system meant to hurt wealthy oligarchs who support President Vladimir Putin’s government. War, geopolitics, and related topics are not covered by this publication, however, just as the invasion began reports started emerging of Distributed Denial of Service (DDoS) attacks targeting Ukrainian banks and the country's critical infrastructure emerged.
It was later revealed by several security firms and researchers that during the attacks it also seemed that a new data wiper malware was being deployed. Data wipers, or just simply wipers, are a family of malware which destroys data stored on a machine’s hard drive.
This can be done in several ways but one of the popular methods involves corrupting the machine's Master Boot Record (MBR). It was also later revealed that the wiper was masquerading as ransomware, a tactic seen in previous NotPetya attacks which also target Ukrainian infrastructure in 2017.
Given how quickly this story has developed looking back to the build-up of the invasion and the beginning of cyberattacks in the assistance of an invasion, what has become known as hybrid warfare.
The DDoS attack on Ukrainian banks and government institutions seems to have started in earnest on February 23. The State Service of Special Communication and Information Protection (SSCIP) of Ukraine issued a statement said,
“Today, websites of several government and banking institutions have undergone a massive DDoS attack again. Some of the attacked information systems are not available or work intermittently. This is due to switching traffic to another provider to minimize damage. Other websites effectively resist the attack and work normally.
Currently, the State Service of Special Communications and Information Protection of Ukraine and other subjects of the national cybersecurity system is working on countering the attacks, collecting and analyzing information. We ask all authorities that have been attacked or are suspected to have been attacked to contact the Government Computer Emergency Response Team CERT-UA.”
However, this was not the first attack on the country this year. On January 14 reports emerged that the Ukrainian government was blaming Russia for conducting a DDoS attack on websites associated with government institutions.
According to reports approximately 70 websites had been shut down, amounting to the largest cyberattack the country had experienced in four years when the country's power grid come under extended attack. This attack was largely attributed to Russia.
On January 16, Microsoft released an article detailing that they had discovered a new data wiper, later to be called WhisperGate. The malware appeared as ransomware and was first discovered on January 13 targeting machines in Ukraine including machines belonging to multiple government, non-profit, and information technology organizations.
WhisperGate is a two-stage malware with the first stage being described by Microsoft researcher as,
“The malware resides in various working directories, including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is often named stage1.exe. In the observed intrusions, the malware executes via Impacket, a publicly available capability often used by threat actors for lateral movement and execution.
The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1). The MBR is the part of a hard drive that tells the computer how to load its operating system. The ransom note contains a Bitcoin wallet and Tox ID (a unique account identifier used in the Tox encrypted messaging protocol) that have not been previously observed by MSTIC…”
In analyzing the malware researchers soon determined that the malware is not ransomware providing several reasons as to why this is the case. Firstly, ransomware operators, especially those of today, customize the payload depending on the victim.
Secondly, Ransomware looks to encrypt file contents, not overwrite the MBR which makes data recovery all but impossible. Further, payment amounts and cryptocurrency wallet addresses are rarely specified in modern criminal ransom notes but were involving WhisperGate infections.
The same Bitcoin wallet address has been observed across all the malware campaigns intrusions and at the time of Microsoft’s analysis, the only activity was a small transfer on January 14. Researchers provided further proof as to the decoy nature of the supposed ransomware but the ones above are deemed by the writer to be the most conclusive proof.
The second stage of the malware involves a downloader, named stage2.exe, for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader.
The next-stage malware is best described as a malicious file corrupter. Interestingly, If a file carries one of the extensions listed in the MIcrosoft article, the corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB). After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension.
On February 23, Eset took to Twitter to announce that it had discovered another new data wiper. The tweet read,
“Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today…We observed the first sample today around 14h52 UTC / 16h52 local time. The PE compilation timestamp of one of the sample is 2021-12-28, suggesting that the attack might have been in preparation for almost two months.”
A day later, Symantec published a report detailing how the new wiper was masquerading as ransomware. A tactic we have now seen more than once being used by Russian nation-state groups in destructive cyberwarfare campaigns.
By this point, the malware has been named KillDisk, not to be confused with the ransomware of the same name despite the masquerade, and Symantec researchers summarised its capabilities as follows,
“Trojan.Killdisk comes in the form of an executable file, which is signed by a certificate issued to Hermetica Digital Ltd. It contains 32-bit and 64-bit driver files which are compressed by the Lempel-Ziv algorithm stored in their resource section. The driver files are signed by a certificate issued to EaseUS Partition Master. The malware will drop the corresponding file according to the operating system (OS) version of the infected system. Driver file names are generated using the Process ID of the wiper Once run, the wiper will damage the Master Boot Record (MBR) of the infected computer, rendering it inoperable. The wiper does not appear to have any additional functionality beyond its destructive capabilities.”
According to the research published by Symantec, it would seem that actual ransomware is being deployed along with the data wiper but this is believed purely to be a decoy with the wiper being the main payload.
Researchers noted the similarities between the WhisperGate infections but noted in that case the malware was disguised as ransomware, not bundled with ransomware.
It is important to note that this is still a developing situation, security researchers currently do not have the whole picture so information is incredibly scarce other than what can be analyzed.
Sadly, the invasion is still ongoing and more cyber attacks are predicted to occur to assist Russian military forces in the area. While the cyberattacks can be devastating the potential for the mass loss of life wars bring is the true tragedy.