According to ESET Research, a new data wiper called "CaddyWiper" has been used against Ukrainian organizations. It destroys user data and partition information on attached drives, but it deliberately spares domain controllers: the operators keep their foothold in the compromised network through the domain controllers while disrupting operations on the other critical machines. CaddyWiper shares no code with HermeticWiper or IsaacWiper, the wipers previously deployed in networks of Ukrainian government and commercial entities. According to the timestamp in the executable's PE header, the malware was deployed on the same day it was compiled; note that this timestamp is written by the compiler and can be set to any value by the attacker. CaddyWiper was distributed through Group Policy Objects (GPO), which indicates that the attackers already controlled the target's domain and held domain administrator privileges before deployment.
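The compile timestamp mentioned above lives in the COFF file header of a PE image (the 4-byte TimeDateStamp at offset 8 from the "PE\0\0" signature). The following is an added example, not code from the article or from ESET: it reads that field from a constructed, header-only PE stub (the timestamp value in the sample is made up for the demonstration, not CaddyWiper's real one) and compares it with the first-seen time so that an analyst can tell "compiled the same day as deployed" from a value that is simply implausible, such as a timestamp later than the sighting.

```python
import struct
from datetime import datetime, timezone


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Layout used: DOS header starts with 'MZ'; e_lfanew (offset 0x3C) points at the
    'PE\\0\\0' signature; the COFF header follows it as
    Machine(2) NumberOfSections(2) TimeDateStamp(4) ... so the stamp sits at +8.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed sample: a minimal header-only PE stub (not a runnable executable).

    Only the fields the parser needs are populated; Machine=0x8664 (x64),
    one section, Characteristics=0x22 (EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE).
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


def assess_timestamp(data: bytes, first_seen_epoch: int) -> dict:
    """Compare the embedded compile time with the time the sample was first observed.

    The stamp is attacker-controllable, so the result is an indicator, not proof:
    a stamp after the sighting is certainly not a genuine build time, and a stamp
    on the sighting day is consistent with build-and-deploy in one day.
    """
    ts = pe_compile_timestamp(data)
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc)
    seen = datetime.fromtimestamp(first_seen_epoch, tz=timezone.utc)
    return {
        "compile_epoch": ts,
        "compile_utc": compiled.isoformat(),
        "same_day_as_first_seen": compiled.date() == seen.date(),
        "later_than_first_seen": ts > first_seen_epoch,   # impossible for an honest stamp
        "age_hours_at_first_seen": (first_seen_epoch - ts) / 3600.0,
    }


if __name__ == "__main__":
    # Constructed values: built 09:00 UTC, first seen 15:00 UTC the same day.
    sample = build_sample_pe(1647248400)
    print(assess_timestamp(sample, 1647270000))
    # Constructed forged stamp: claims to be built a day after it was seen.
    print(assess_timestamp(build_sample_pe(1647270000 + 86400), 1647270000))
```

The same header read works on a real file (`assess_timestamp(open(path, "rb").read(), first_seen)`), but treat the answer as one weak signal to correlate with others, such as the GPO deployment evidence the article describes, rather than as a reliable build time.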
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in