Last week's post covered a few facts that this post continues with a few more cyber attacks that have happened since. One thing that has been highlighted this past week is that the war is still raging on. The verdict is that the war could end by early May, when the Russian military runs out of the necessary resources to continue its invasion of Ukraine, Oleksiy Arestovich, adviser to the Ukrainian president's chief of staff, claimed on Monday as quoted by Forbes. This post mainly highlights the CaddyWiper attack and the attack on Russia's defense firm Rostec, which was forced to shut down its website due to a DDoS attack.
Several loud explosions were heard in downtown Kyiv early on Tuesday morning, according to the New York Times. Multiple flashes of light were seen across the city, while others spoke of their beds and windows being rattled. It is unclear which parts of the city were hit by the attack. It's just saddening to hear and watch innocent people dying at the cost of this war. Then yesterday, newly discovered data-destroying malware was observed in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks.
ESET Research Labs laid out a timeline of the previous wiper malware that had been deployed. The timeline is presented below:
It's believed that CaddyWiper is being deployed in a similar fashion via GPO, which points to the attackers already having control of the target's network before the wiper ran. While designed to wipe data across the Windows domains it is deployed on, CaddyWiper uses the DsRoleGetPrimaryDomainInformation() function to check whether a device is a domain controller. If so, the data on the domain controller is not deleted. This is likely a tactic used by the attackers to maintain access inside the compromised networks of the organizations they hit, while still heavily disrupting operations by wiping other critical devices. [Reference]
On the other hand, Russian defense firm Rostec, a state-owned aerospace and defense conglomerate, confirmed that its website had to be taken down following a DDoS attack. The company says its website has been under constant siege since late February, when Russia invaded its neighbor Ukraine without provocation. Rostec claims the website was brought back online quickly and attributed the attack to Ukrainian "radicals." BleepingComputer has also added that "The Ukrainians mentioned by Rostec as having coordinated the attack are part of the country's newly formed IT Army, a large group of volunteers that have been targeting Russian state networks and organizations since Russia's invasion."
Earlier today, multiple Rostec domains and resources were assigned as targets for distributed denial-of-service (DDoS) attacks in the IT Army of Ukraine Telegram channel. The takedown of the website comes after the Russian government shared a list of over 17,000 IP addresses that were potentially employed in the DDoS attack. Russian organizations have been warned to defend their information security and have been given guidance against such attacks.
This exchange of battle and war messages is only intensifying, and it's believed that by the end of May Russia might run out of resources. CaddyWiper is the fourth data wiper malware deployed in attacks in Ukraine since the start of 2022, with ESET Research Labs analysts previously discovering two others and Microsoft a third. Such destructive attacks are part of a "massive wave of hybrid warfare," as the Ukrainian Security Service (SSU) described them right before the war started. It also told Interfax earlier this week that "there are nonstop cyberattacks on Russian sites from abroad" and denied reports that Russia is planning to disconnect from the world wide web. One can only witness the aftermath of the head-on collisions between Russia and Ukraine.
“The latest attack began at 11:30 a.m. today. Its masterminds are radicals from Ukraine.”