The Computer Emergency Response Team of Ukraine (CERT-UA) has linked a destructive malware attack targeting the country's national news agency (Ukrinform) to Sandworm, a Russian military hacking group. CERT-UA says the cyberattack was likely carried out by Sandworm based on the threat actors' tactics, which had previously been linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

The attackers launched the CaddyWiper malware on the news agency's systems using a Windows Group Policy Object (GPO), which shows that they had breached the target's network beforehand, since creating or modifying a domain GPO requires privileged access to Active Directory. Still, they failed to disrupt the news agency's operations.

Sandworm also used CaddyWiper in another failed attack, in April 2022, against a large Ukrainian energy provider. There, the attackers used CaddyWiper to try to erase traces left by the Industroyer ICS malware, alongside other data wipers designed for Linux and Solaris systems, tracked as Orcshred, Soloshred, and Awfulshred.

CaddyWiper was first discovered by ESET security researchers in March 2022, when the data-destroying malware was used to delete data across the Windows domains of multiple Ukrainian organizations.
It has been almost a year since the invasion of Ukraine, and security researchers have discovered a series of new malware families deployed against Ukrainian targets. These attacks have prompted more global cooperation in support of Ukraine, as well as a better understanding of Russian cyber capabilities and tactics. Russian actors have been targeting telecommunications providers, news agencies, and social media platforms to disrupt the flow of information within Ukraine. Although several attacks have been successful, CERT-UA has done an admirable job of keeping systems operating and infrastructure intact.