Do you know what questions to ask when you're looking for an IT firm? We're here to help. Get the free guide delivered right to your inbox:
On January 8th, Ukraine’s CERT-UA posted a tweet naming five wipers used against the news agency Ukrinform. It suspects links to the Sandworm group, which is generally identified with Russia's military intelligence group GRU. The tweet reads as follows:
“The news agency of Ukraine “Ukrinform” was subjected to the recent wiper attacks. The attack was launched from the following IP addresses, which may be associated with a malicious campaign under control of Russian military intelligence: 5.45.65 (184.108.40.206), 5.45.64 (220.127.116.11), 5.45.66 (18.104.22.168), 5117901(521812).
“The first attack began on 30 December 2017, and the most recent occurred on 7 January 2018. Attackers used the following malware: FlashPack, MySpaceSploit, Beebone, TheParanoidAndroid and Kronos.”
According to CERT-UA, ”The purposes of a wiper attack are not always clear. While wiping disks in a logical manner makes it easier for an attacker to remain undetected by system administrators, in some cases wiping a disk may not reach the attacker's goal or achieve all of their goals. For example, there is little value in wiping only one file as opposed to every file on an entire hard drive. The malicious code of the wiper can be used to monitor the victim, gather information about them, or send a message.”
In this case, the main goal was to disrupt Ukrainian journalism. The most likely explanation is that political opponents of Ukraine's government are being targeted by Russia. CERT-UA’s tweet also mentioned an automated Twitter account operated by an individual named “Hunter007b”: http://twitter.com/hunter007b “, who is suspected to be Moscow-based Russian intelligence officer Alexander Mishkin. According to CERT-UA, Mishkin has operated a number of Twitter accounts under the name "Hunter007b" in recent years.
Source: New data wipers deployed against Ukraine - AlienVault - Open Threat Exchange