The cyber front: Analyzing Russia's digital war against Ukraine

May 11, 2026 · 6 min read · 6 sources

The shadow war in cyberspace

While the world watches the conventional military conflict in Ukraine, a parallel and deeply intertwined war is being waged across digital networks. Since long before the full-scale invasion in February 2022, Russia has utilized cyberspace as a key theater of operations, deploying a sophisticated arsenal of digital weapons to disrupt, degrade, and demoralize its neighbor. This campaign represents one of the most sustained and intense cyber conflicts in history, offering critical lessons on the nature of modern hybrid warfare.

The roots of this digital aggression run deep, with notable attacks dating back to at least 2014. The 2015 and 2016 BlackEnergy attacks on Ukraine's power grid were a stark warning, demonstrating for the first time that code could be used to switch off the lights in civilian homes. This was followed by the devastating 2017 NotPetya attack, a piece of malware disguised as ransomware that was, in reality, a destructive wiper. Initially targeting Ukrainian organizations through a compromised accounting software update, NotPetya quickly spread globally, inflicting billions of dollars in damages on multinational corporations and proving that digital conflicts rarely respect national borders (Source: Council on Foreign Relations).

A technical breakdown of the digital arsenal

Russia's cyber operations against Ukraine are characterized by their diversity and coordination with military objectives. The attacks have employed a range of tactics, from brute-force disruption to stealthy espionage, often using custom-built malware.

The prevalence of wiper malware

A defining feature of the conflict has been the widespread use of wiper malware—malicious code designed not to extort money, but to permanently destroy data and render systems inoperable. Just before the 2022 invasion, Ukrainian government agencies were hit by WhisperGate. On the day the invasion began, a more potent wiper known as HermeticWiper (also dubbed FoxBlade by Microsoft) was unleashed against Ukrainian government and financial institutions. It was designed to corrupt the Master Boot Record (MBR) of infected machines, making them unbootable (Source: ESET Research).
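The MBR corruption HermeticWiper performed suggests a simple defensive integrity check. The following Python is an added example, not code from the page's sources or from any vendor tool: it parses a raw 512-byte MBR, sanity-checks the boot signature and partition table, and compares the sector against a known-good baseline hash so that an overwritten boot sector is flagged before the next reboot. The sample MBR is constructed inline; on a real host the 512 bytes would come from a privileged read of the boot disk, and the baseline hash from an earlier clean read.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446

def sha256_hex(sector: bytes) -> str:
    return hashlib.sha256(sector).hexdigest()

def parse_mbr(sector: bytes) -> dict:
    """Parse a raw 512-byte MBR into its boot signature and four partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        # Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PARTITION_TABLE_OFFSET + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:] == BOOT_SIGNATURE, "partitions": partitions}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare against a known-good hash and sanity-check the structure; [] means healthy."""
    findings = []
    if sha256_hex(sector) != baseline_sha256:
        findings.append("mbr hash differs from baseline")
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("boot signature missing")
    used = [p for p in info["partitions"] if p["type"] != 0]
    if not used:
        findings.append("no partition entries")
    elif not any(p["bootable"] for p in used):
        findings.append("no bootable partition")
    return findings

def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not captured from a real disk): one bootable NTFS partition."""
    sector = bytearray(b"\x90" * PARTITION_TABLE_OFFSET)  # placeholder bootstrap code area
    # status 0x80 (bootable), type 0x07 (NTFS), first LBA 2048, 1048576 sectors
    sector += struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1048576)
    sector += bytes(16 * 3) + BOOT_SIGNATURE  # three unused entries, then 0x55AA
    return bytes(sector)

if __name__ == "__main__":
    good = build_sample_mbr()
    print("healthy:", check_mbr(good, sha256_hex(good)))
    print("wiped:  ", check_mbr(bytes(MBR_SIZE), sha256_hex(good)))
```

A zeroed sector trips all three structural findings at once; a subtler overwrite that keeps the 0x55AA signature is still caught by the baseline hash comparison.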

This was not an isolated incident. Throughout the conflict, a succession of wipers like IsaacWiper, CaddyWiper, and Industroyer2 have been deployed. This strategy aims to sow chaos, disrupt government and military functions, and erode public confidence.

Targeting critical national infrastructure

Perhaps the most alarming aspect of Russia's cyber strategy is its focus on critical infrastructure. Hours before the invasion, an attack on the Viasat KA-SAT satellite network crippled tens of thousands of satellite modems. This attack, attributed to the Russian GRU military intelligence agency and using malware now known as AcidRain, disrupted Ukrainian military communications at a pivotal moment. The effects also spilled over into Europe, knocking out internet access for thousands of civilians and affecting the remote monitoring of wind turbines in Germany (Source: CISA).

The energy sector has remained a prime target. In April 2022, Ukraine's Computer Emergency Response Team (CERT-UA) announced it had thwarted a major attack by the Sandworm group (a unit of the GRU) against a Ukrainian energy provider. The attackers attempted to deploy Industroyer2, a successor to the malware used in the 2016 grid attack, alongside the CaddyWiper malware to erase traces of their intrusion. The successful defense highlighted Ukraine's dramatically improved cyber resilience, bolstered by international support.

The actors behind the keyboard

Attribution in cyberspace is complex, but intelligence agencies and private threat intelligence firms have identified several Russian state-sponsored Advanced Persistent Threat (APT) groups as key players. These include:

  • Sandworm (APT28, a GRU unit): Known for its destructive attacks, including BlackEnergy, NotPetya, Industroyer, and the Viasat takedown.
  • Fancy Bear (APT28, also GRU): Primarily focused on espionage, credential harvesting, and influence operations, famous for the 2016 DNC hack.
  • Gamaredon (aka Armageddon): An aggressive and prolific group linked to Russia's FSB, relentlessly targeting Ukrainian government and military entities for intelligence gathering.
  • Cozy Bear (APT29, an SVR unit): A stealthy espionage-focused group known for the SolarWinds supply chain attack, also active in targeting entities related to Ukrainian interests.

These groups operate with distinct mandates, creating a multi-pronged assault that combines destructive attacks with persistent espionage and disinformation campaigns.

Impact assessment: A nation under digital siege

The impact of this cyber onslaught on Ukraine has been severe, affecting nearly every facet of society. Government ministries, banks, media outlets, energy companies, and telecommunications providers have all been targeted. The goal is to create a state of constant pressure, disrupt essential services, and undermine the government's ability to function and communicate with its citizens.

However, the conflict has also demonstrated the remarkable power of cyber defense. With significant assistance from allies and private sector partners like Microsoft and Google, Ukraine has managed to withstand the majority of these attacks. Microsoft's Digital Defense Reports have detailed how Russian cyberattacks were often closely synchronized with kinetic military strikes, yet Ukrainian defenders, often migrating services to the cloud, have shown incredible resilience in restoring services and fending off intruders.

The global implications are profound. The Viasat and NotPetya incidents serve as powerful reminders that cyberattacks can have unpredictable and widespread consequences. Western nations and businesses are not merely spectators; they are potential targets for espionage or spillover from destructive attacks. This has led to a heightened state of alert globally, with agencies like CISA in the United States issuing continuous "Shields Up" warnings to critical infrastructure operators.

How to protect yourself

While the primary targets are in Ukraine, the tactics, techniques, and malware used by these Russian APT groups are a threat to organizations worldwide. The conflict serves as a live-fire test bed for cyber weapons that can be repurposed. Adopting a strong defensive posture is essential.

For organizations and businesses:

  • Prioritize Patch Management: The NotPetya attack spread virally using the EternalBlue exploit, for which a patch was already available. Timely patching of known vulnerabilities is a foundational defense.
  • Implement Network Segmentation: Isolate critical systems from the rest of the network. This can contain a breach and prevent malware from spreading laterally, as NotPetya did with devastating effect.
  • Mandate Multi-Factor Authentication (MFA): MFA is one of the most effective controls to prevent attackers from using stolen credentials to gain initial access.
  • Develop and Test Incident Response Plans: Have a clear plan for what to do when an attack occurs. Crucially, maintain offline, immutable backups of critical data. Against wiper malware, restoration is the only recovery option.

For individuals:

  • Practice Phishing Awareness: Be vigilant about unsolicited emails or messages, especially those creating a sense of urgency related to current events. Do not click on suspicious links or open unexpected attachments.
  • Use Strong, Unique Passwords: Employ a password manager to create and store complex passwords for each of your online accounts.
  • Enable Software Updates: Keep your operating system, web browser, and other applications updated to protect against the latest known vulnerabilities.
  • Secure Your Connection: Using a reputable VPN service adds a vital layer of encryption, protecting your internet traffic from eavesdropping, especially when using public Wi-Fi networks.

The cyber dimension of the war in Ukraine has reshaped our understanding of international conflict. It underscores that digital defense is an inseparable part of national security and that resilience, international cooperation, and public-private partnerships are the keys to withstanding a determined digital adversary.


// FAQ

What is wiper malware?

Wiper malware is a type of malicious software whose primary function is to permanently erase or destroy data on infected computer systems. Unlike ransomware, which encrypts data and demands a payment for its release, the goal of a wiper is purely destructive, rendering systems and data unrecoverable.

Who is the 'Sandworm' hacking group?

Sandworm, also known as APT28, is an elite cyber warfare unit of Russia's GRU military intelligence agency. It is considered one of the most aggressive and destructive state-sponsored hacking groups, attributed with major attacks like the 2015/2016 Ukrainian power grid blackouts, the 2017 NotPetya wiper, and the 2022 Viasat satellite network attack.

How has Ukraine defended itself against these cyberattacks?

Ukraine has built a formidable cyber defense through a combination of domestic expertise and unprecedented international support. This includes direct technical assistance from foreign governments, threat intelligence sharing, and deep partnerships with private cybersecurity companies like Microsoft and Google, who have helped detect threats and migrate critical services to more secure cloud environments.

Could these cyberattacks spill over and affect other countries?

Yes, and they already have. The 2017 NotPetya attack started in Ukraine but spread globally, causing an estimated $10 billion in damages to companies like Maersk, FedEx, and Merck. Similarly, the 2022 Viasat satellite attack disrupted services for thousands of users across Europe. This demonstrates that cyberattacks in a conflict zone can easily cross borders and have unintended international consequences.
