Amid the tragic toll of the brutal and disastrous Russian invasion of Ukraine, the fallout from the Kremlin’s long-running campaign of destructive cyberattacks against its neighbor has often been – rightly – treated as an afterthought. But after a year of war, it is becoming clear that the cyberwar experienced by Ukraine over the past year represents in some ways the most active digital conflict in history. Nowhere else in the world have more pieces of data-destroying code been attacked in a single year.
Ahead of the one-year anniversary of the Russian invasion, cybersecurity researchers from Slovakian cybersecurity firm ESET, network security firm Fortinet, and Google-owned incident response firm Mandiant have all independently found that Ukraine saw far more copies of Wiper in 2022. Malware than any previous year of Russia’s long-running cyberwar against Ukraine — or any other year, for that matter, wherever. This doesn’t necessarily mean that Ukraine has been hit harder by Russian cyberattacks than in years past; In 2017, Russian military intelligence hackers known as Sandworm released the massively destructive NotPetya worm. But the growing body of destructive codes points to a new type of cyberwar that has accompanied Russia’s physical invasion of Ukraine, with a pace and variety of cyberattacks that are unprecedented.
“In terms of the sheer number of different wiper malware samples,” says Anton Cherepanov, senior malware researcher at ESET, “this is the most extensive use of wipers in all of computing history.”
Researchers say they are seeing Russia’s state-sponsored hackers launch an unprecedented array of data-destroying malware at Ukraine in a Cambrian-style blast of wipers. They found Wiper malware samples there that target not only Windows machines, but also Linux devices and even rarer operating systems like Solaris and FreeBSD. You have seen instances written in a wide range of different programming languages and using various techniques to destroy target computers’ code, from corrupting the partition tables used to organize databases to repurposing Microsoft’s SDelete command-line tool to overwrite files with junk data.
Overall, Fortinet counted 16 different wiper malware “families” in Ukraine over the past 12 months, compared to just one or two in previous years, even at the height of Russia’s cyberwar before its full-scale invasion. “We’re not talking about doubling or tripling,” said Derek Manky, leader of Fortinet’s threat intelligence team. “It’s an explosion, a different magnitude.” This diversity, researchers say, could be a sign of the sheer number of malware developers Russia has hired to attack Ukraine, or of Russia’s efforts to create new variants that may be ahead of Ukraine’s detection tools, especially given that the Ukraine has hardened its cybersecurity defenses.
Fortinet also noted that the growing amount of wiper malware specimens hitting Ukraine could actually create a more global proliferation problem. Since these malware samples have appeared in VirusTotal malware repository or even Github open-source code repository, Fortinet researchers have said that their network security tools have discovered other hackers using these wipers against targets in 25 countries on the around the world. “Once this payload is developed, anyone can adopt it and use it,” says Manky.