The Computer Emergency Response Team of Ukraine (CERT-UA) has linked a destructive malware attack targeting the country’s National News Agency of Ukraine (Ukrinform) to Sandworm Russian military hackers.
“According to preliminary data, provided by CERT-UA specialists, the attack have caused certain destructive effects on the agency’s information infrastructure, but the threat has been swiftly localized nonetheless,” the State Service of Special Communications and Information Protection (SSSCIP) of Ukraine said.
“This enabled Ukrinform to continue its operation. Right now, CERT-UA specialists are assisting in infrastructure recovery and continuing investigation of the incident.”
CERT-U says the cyberattack was likely carried out by the Sandworm group based on the threat actors’ tactics, which was previously linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
The attackers launched the CaddyWiper malware on the news agency’s systems using a Windows group policy (GPO), showing that they had breached the target’s network beforehand. Still, they failed to impact the news agency’s operations.
“Russians have been trying to cut off Ukrainians from the information on the current situation and the course of the war since the early days of the full-scale invasion,” SSSCIP Head Yurii Shchyhol said on Wednesday.
“They have shut off Ukrainian TV, the Internet and mobile communication in the territories, temporarily controlled by the enemy, and they have been striking TV and radio transmitting towers in multiple cities of Ukraine with their missiles. They have waged cyberattacks on Ukrainian media.”
Sandworm also used the CaddyWiper destructive malware in another failed attack from April 2022 against a large Ukrainian energy provider.
The attackers tried to erase traces left by Industroyer ICS malware with the help of CaddyWiper, and other data wipers designed for Linux and Solaris systems tracked as Orcshred, Soloshred, and Awfulshred.
CaddyWiper was first discovered by ESET security researchers in March 2022 when the data-destroying malware was used to delete data across the Windows domains of multiple Ukrainian organizations.
Since Russia invaded Ukraine in February 2022, security researchers have discovered a series of data-wiping malware deployed against Ukrainian targets besides CaddyWiper, including DoubleZero, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, and AcidRain.
Recent ransomware attacks against Ukraine have also been linked to the Sandworm Russian-backed threat group.
Microsoft also revealed in November that Sandworm was behind Prestige ransomware attacks that have targeted the supply chain by attacking logistics and transportation companies in Ukraine and Poland starting in October 2022.