Amidst the tragic toll of Russia’s brutal and disastrous invasion of Ukraine, the consequences of the Kremlin’s long-running campaign of destructive cyber-attacks against its neighbors are often – rightly – discussed. But after a year of war, it is becoming clear that the cyberwar Ukraine has endured in the past year represents, by some measures, the most active digital conflict in history. Nowhere in the world has ever been targeted with more examples of data destruction code in a single year.
Ahead of the one-year anniversary of the Russian invasion, cybersecurity researchers at Slovak cybersecurity firm ESET, network security firm Fortinet, and Google-owned incident response firm Mandiant independently found that Ukraine saw significantly more “wiper” specimens in 2022. malware than in any previous year of Russia’s long-running cyber war targeting Ukraine—or, for that matter, any other year, anywhere. This does not necessarily mean that Ukraine has been hit harder by Russian cyberattacks than in recent years; in 2017 Russian military intelligence hackers known as Sandworm released the massively destructive NotPetya worm. But the growing number of destructive codes suggests that Russia’s physical invasion of Ukraine is being accompanied by a new type of cyberwar, with an unprecedented speed and variety of cyberattacks.
“In terms of the sheer number of specific wiper malware examples,” says ESET senior malware researcher Anton Cherepanov, “this is the most extreme use of wipers in the history of computing.”
Researchers say they see Russian state-sponsored hackers unleashing an unprecedented variety of data-destroying malware on Ukraine in a kind of Cambrian explosion wipers. They have found examples of wiper malware there that target not only Windows machines, but Linux devices and less common operating systems such as Solaris and FreeBSD. They saw samples written in a wide variety of different programming languages, and with different techniques to delete target machine code, from corrupting the partition tables used to organize databases to reusing Microsoft’s SDelete command line tool, to overwriting files wholesale with spam data. .
In total, Fortinet counted 16 different “families” of wiper malware in Ukraine over the past 12 months, compared to one or two in previous years, even at the height of Russia’s cyberwar before its full-scale invasion. “We’re not talking about, like, double or triple,” says Derek Manky, head of Fortinet’s threat intelligence team. “It’s an explosion, another order of magnitude.” That diversity, the researchers say, could be a sign of the sheer number of malware developers Russia has assigned to target Ukraine, or of Russia’s efforts to build new versions that can stay ahead of detection tools of Ukraine, especially since Ukraine has hardened its cyber security defenses. .
Fortinet has also discovered that the increasing number of wiper malware specimens hitting Ukraine may be causing a more global proliferation problem. As those malware samples showed up on the VirusTotal malware repository or even the Github open source code repository, Fortinet researchers say its network security tools have detected other hackers reusing those wipers against targets in 25 countries around the deep “Once that payload is developed, anyone can pick it up and use it,” says Manky.