According to ESET Research, a new data wiper called “CaddyWiper” has been deployed against Ukrainian organizations. It erases user data and partition information from attached drives, but it does not wipe data on domain controllers. This is most likely intended to let the attackers keep their foothold in the compromised networks through the Domain Controllers while disrupting operations by wiping other critical hosts. CaddyWiper shares no code with HermeticWiper or IsaacWiper, which were deployed earlier against networks belonging to Ukrainian government and commercial entities. According to the timestamp embedded in the executable's PE header, the malware was deployed on the same day it was compiled; note that this compile timestamp is under the attacker's control and can be forged. CaddyWiper was distributed through Group Policy Objects (GPO), which indicates that the attackers had already taken control of the target's network and domain administrator accounts before deployment.
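The compile-time claim above rests on the TimeDateStamp field of the PE COFF header, which is trivial to read and just as trivial for an attacker to overwrite. The following is an added example, not code from ESET or from the original article: it reads that field from a PE image and compares it with the time the sample was first observed, treating a compile time later than the first sighting as forged (or clock skew) rather than as evidence of anything. The `build_minimal_pe` helper and the three timestamps it is called with are constructed for illustration and are not CaddyWiper's real header values.

```python
import struct
from datetime import datetime, timezone

# Offsets from the PE/COFF specification:
#   0x3C in the DOS header holds e_lfanew, the offset of the "PE\0\0" signature;
#   the COFF header follows the signature as Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
E_LFANEW_OFFSET = 0x3C
COFF_TIMESTAMP_OFFSET = 8  # 4-byte signature + Machine + NumberOfSections


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Raises ValueError if the buffer does not look like a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (ts,) = struct.unpack_from("<I", data, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def assess_timestamp(data: bytes, first_seen: datetime) -> str:
    """Classify the compile timestamp relative to when the sample was first seen.

    A build time *after* first sighting is impossible for an honest header,
    so it is flagged as forged/skewed instead of being trusted.
    """
    compiled = pe_compile_time(data)
    if compiled > first_seen:
        return "forged-or-clock-skew"
    if compiled.date() == first_seen.date():
        return "same-day"
    return "older"


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed test fixture: a DOS stub plus a bare COFF header, nothing else."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)  # PE signature right after the DOS header
    # Machine=IMAGE_FILE_MACHINE_I386, 1 section, TimeDateStamp, no symbols,
    # no optional header, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def demo() -> dict:
    """Run the check over three constructed headers against one constructed sighting time."""
    first_seen = datetime(2022, 3, 14, 12, 0, tzinfo=timezone.utc)  # constructed
    day = 86400
    built_same_day = 1647216000          # 2022-03-14 00:00:00 UTC, constructed
    return {
        "same_day": assess_timestamp(build_minimal_pe(built_same_day), first_seen),
        "forged": assess_timestamp(build_minimal_pe(built_same_day + day), first_seen),
        "older": assess_timestamp(build_minimal_pe(built_same_day - 4 * day), first_seen),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The same-day verdict only means the header value is plausible; it should be corroborated with file-system and telemetry timestamps, since a wiper's operator can set this field to any value before deployment.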
Since the start of 2022, Ukraine has been under heavy cyber attack. In addition to HermeticWiper, IsaacWiper, and CaddyWiper, Microsoft discovered malware called WhisperGate, which was used in data-wiping attacks in January. According to Microsoft President and Vice Chair Brad Smith, these attacks against Ukrainian organizations have been precisely targeted, in contrast with attacks launched before the Russian invasion: in 2017, for example, the Russian GRU intelligence hacking group deployed the indiscriminate NotPetya malware, which spread in Ukraine and other countries. Before the invasion, the Security Service of Ukraine warned of an ongoing massive wave of hybrid warfare aimed at spreading fear in Ukrainian society.