SentinelOne discusses the rise of data-wiping malware

Varying levels of preparation

The researchers also brought up the question of whether the uses were random or tactical. Believing that Russians are incredibly well organized and deploying their data-wiping malware coordinated with kinetic attacks, for example, is giving them too much credit, according to Guerrero-Sade.

The earliest data SentinelOne had came from ESET and dates to October 2021, which speaks to the level of preparation. There is some tooling that suggests that some of it had already been sitting around, the researchers said, while others were thrown together to try and support the war effort.

While examining the Linux side of attacks, they observed a decent amount of obfuscation. Attacks weren't just deleting directories and discs, but also purging memory.

However, after deobfuscating, they found the main logic was simple.

"You can complain as much as you want about Windows, but this is a 200-line script that can just break a Linux system," Guerrero-Saade said.

From their perspective, on the Linux side, Hegel said it appears the malware and tools were slammed together. Guerrero-Saade also brought up the possibility that it could be a statement to how bad Linux security is and that they just didn't catch it before.

Reality versus expectations

One concern among the infosec community that stemmed from the war was the possibility of spillover attacks, similar to the effects of NotPetya, a series a malware attacks that hit Ukraine in 2017.

To spread HermeticWiper, a wormable component ESET dubbed HermeticWizard was deployed. Guerrero-Saade emphasized the importance of not drawing unnecessary correlations from HermeticWizard to NotPetya.

"We are sort of expecting to see the same thing, these wipers that are going to spread themselves all over the place, but we have seen not what I would call 'restraint,' but some sort of operational decision to not let things spread like wildflower," Guerrero-Saade said during the session. "Instead, they used these accesses in more contained ways."

While unsuccessful the second time around, the researchers found it particularly interesting to see the return of Industroyer, called Industroyer2 by ESET. The malware took down Ukraine's power grid in 2016.

Another reality was how quickly new developments occurred. Every week, the researchers observed new targets and new malware. Keeping track of those threats and the reality of what was happening on the ground proved difficult. For example, who was telling the truth? That became increasingly difficult after the invasion, with hacktivists such as Conti, who initially publicly supported Russia.

Guerrero-Saade said it was an interesting shift from what they see as the norm in the threat landscape.

Hegel told SearchSecurity that, while a lot of Russian cyber attacks against Ukraine have been successful, there have been a lot of misses as well. One example was PartyTicket, which did not work for ransomware as intended.

"They were going crazy trying to get into Ukrainian media and telecom organizations, slamming them with mass phishing attempts. But it was a spray-and-pray [approach], and it was poorly done," Hegel said.

During the session, the researchers applauded Ukraine's CERT-UA for providing up-to-date alerts, which they said made a massive difference to the global perceptions to what was happening. It also enabled threat researchers to dive in and examine.

"A lot of people don't talk about this, but the industry as a whole relied on those alerts to get early insight into activity," Guerrero-Saade said during the session.

Going forward, Hegel said there is so much unknown. He also brought up the potential for increased activity moving into winter.

Another possibility Guerrero-Saade addressed to SearchSecurity is that Russia may attack Western European nations that have supported Ukraine and moved away from Russia as a major supplier of oil and gas.

Security news editor Rob Wright contributed to this report.