Ukraine Links Media Center Attack to Russian IntelligenceSandworm Group Hackers Used Malware Wipers to Disrupt Cybersecurity Press Briefing
Ukraine traced a cyberattack that delayed a press briefing by the nation's information protection agency Tuesday to Russian Sandworm hackers, also known as UAC-0082. The group, which is accused of using wiper malware to disrupt the Ukrainian national Media Center, has close ties to the Russian GRU, investigators say.
The attack employed five types of malware tied to Russian hackers - CaddyWiper, ZeroWipe, SDelete, AwfulShred and BidSwipe, according to investigators from the Ukrainian Computer Emergency Response Team, which conducted an investigation along with the State Service of Special Communications and Information Protection.
Ukrinform, the national news agency and media center of the country, began experiencing internet connectivity issues during the press briefing last week held by Yurii Shchyhol, head of the SSSCIP.
CERT-UA experts say the attackers made unsuccessful attempts to disrupt the normal operations of user workstations by using CaddyWiper and ZeroWipe destructive malware as well as a legitimate SDelete utility.
"At the same time, a group policy object was used for centralized malware dissemination. It enabled the creation of corresponding scheduled tasks," CERT-UA says in a statement.
Interrupted Press Briefing
Shchyhol had been about to discuss details on Russia's hybrid warfare, its aim to destroy the country's information infrastructure, and Moscow's extensive use of cyberattacks as a prelude to missile attacks on Ukrainian critical infrastructure (see: Ukraine: Russians Aim to Destroy Information Infrastructure).
All online broadcasts were interrupted for 15 minutes as a result of the cyberattack, but the SSSCIP team was able to promptly restore connections, after which the media center continued its scheduled operations.
The media center attributed the cyberattack to Russia in a statement released hours later. When the press briefing resumed, Shchyhol said that "all the Russian hackers were able to do was delay the start of our briefing for 15 minutes. Likewise, with their actions, they are delaying the end of their country. It will definitely happen in the near future."
Russian-speaking Telegram channel "CyberArmyofRussia_Reborn" claimed responsibility for the attack at noon Tuesday, just minutes after the technical issues were first experienced. CERT-UA says the Telegram channel has repeatedly posted the Sandworm group's destructive activity, in addition to typical messages about DDoS attacks and website defacement.
CERT-UA says the cyberattack was thwarted by localizing the threat promptly.
The agency also emphasizes that the cyberattack was only a partial success, specifically with regard to the limited number of data storage systems affected.
The Sandworm hackers are traditionally known to use several malware families = such as ORCSHRED, SOLOSHRED, AWFULSHRED and the most popular one, the Industroyer - to target victims.
The group is known to have targeted Ukraine's power grid in December 2016 using Industroyer malware and in April 2022 was about to repeat history with the advanced Industroyer2 variant, only to be stopped before execution (see: Russia-Linked Sandworm Attacks Ukrainian Energy Facility).
During the analysis of this attack, cybersecurity firm ESET found the deployment of CaddyWiper malware, which as the name suggests is a data wiper. ESET said Sandworm extensively used this malware to target computers running on the Windows operating system.
It also said that there were two versions of the malware. The first slows attempts to regain control to the industrial control system consoles. The second was deployed via Group Policy Object - indicating that the attackers had prior control of the target's network, ESET researchers said.
CERT-UA's initial analysis of the latest cyberattack on the media center says attackers used a similar tactic: "The CaddyWiper malicious program was launched centrally in order to violate the integrity and availability of information using GPO." This and other techniques and procedures helped CERT-UA attribute the cyberattack to UAC-0082 - the Sandworm group.
CERT-UA did not respond to Information Security Media Group's request for additional details on how long the Sandworm group had prior access to the media center's network to time the attack to occur during the news conference.