A year of wipers: How the Kremlin-backed Sandworm has attacked Ukraine during the war

Last November, several Ukrainian organizations were targeted by a new type of ransomware called RansomBoggs. Its operators sent infected computers a ransom note written on behalf of James P. Sullivan — the main protagonist of the animated film Monsters, Inc. 

In the note Sullivan, whose job in the movie was to scare kids, asked for financial help in exchange for decrypting the organizations’ documents.

The hackers behind the attack are believed to be linked to Sandworm, a Russian nation-state threat actor working on behalf of the military intelligence agency GRU. But despite the attack wearing all the trappings of ransomware, Sandworm wasn’t out to make money — its primary goal was either to destroy Ukrainian networks or steal valuable data, according to researchers from the Slovak cybersecurity company ESET, which first spotted the RansomBoggs attack.

While Sandworm is not the Kremlin’s most important hacking group, it has perhaps become the most visible one, with an emphasis on disruptive cyberattacks. And its track record of successful attacks with a global impact – most notably the NotPetya malware and several attacks on Ukraine’s power supply – make it a grave concern to researchers.

In 2017, the group used NotPetya wiper malware disguised as ransomware to take down hundreds of networks across Ukrainian government agencies, banks, hospitals, and airports, causing an estimated $10 billion in global damage. By presenting destructive attacks as ransomware, Sandworm hackers may be trying to cover their tracks and make it more difficult for security researchers to attribute the attacks to a state-sponsored group.

In the case of the RansomBoggs attacks, the group was likely testing new techniques or training new workers on how to use their software, ESET senior malware researcher Anton Cherepanov told The Record.

Since the start of the war, Sandworm has been relentlessly targeting Ukraine with various malware strains. Some were highly sophisticated, while others contained bugs that made them easier to detect and prevent from spreading.

Researchers believe that Sandworm chose to experiment with malware in order to find strains that can bypass Ukraine's improved defenses. 

So far, it has had no major impact on its targets, cybersecurity experts and government officials say. Most of the attacks were neutralized in the initial stages, and the second blackout that researchers expected from Sandworm after they targeted the Ukrainian power supply in 2015 and 2016 never happened.

ESET attributed the majority of the disruptive wiper attacks against Ukraine last year to Sandworm. And as Ukraine and Russia prepare for a major spring offensive, the number of cyberattacks, including from Sandworm, is expected to increase.

“Russia has cyber capabilities and will continue to use them to do whatever damage it can in Ukraine,” said Robert Lipovsky, ESET's principal threat intelligence researcher.

Year of wipers

Over the past year, the Sandworm group carried out at least 30 cyberattacks on Ukrainian systems, Ukraine’s ​​State Service for Special Communications and Information Protection (SSSCIP) told The Record. Most of those incidents were wiper attacks like NotPetya, using a type of malware designed to delete or destroy data on a targeted system. Once a wiper infects a computer, it can quickly and irreversibly delete files, overwrite data, and generally make the system unusable. 

According to ESET, no country has ever been attacked by so many types of wipers in one year. 

“Russia’s hackers' goal in Ukraine is to cause disruption, and wipers are a tool to accomplish that,” Lipovsky said.

Sandworm and other hacking groups have been deploying wipers in Ukraine since the early days of the war. The day before the invasion, HermeticWiper, which is also linked to the Sandworm group, targeted hundreds of systems in at least five Ukrainian organizations. The next day, the Acid Rain wiper targeted Viasat satellite modems, which the Ukrainian government allegedly used as a backup communication channel. Researchers have also linked this campaign to Sandworm.

Sandworm has used at least 20 malware strains since Russia invaded Ukraine, according to SSSCIP. Sandworm's malware collection has expanded significantly this year, and the group can now target most operating systems used in Ukraine.

During a Sandworm attack on Ukraine’s energy company in April, the group made an unsuccessful attempt to disrupt the flow of electricity using Industroyer2 malware and regular disk wipers for Windows, Linux, and Solaris operating systems, according to ESET.

Hackers also experimented with various programming languages and methods to destroy the network. 

The group also continues to rely on previously successful techniques such as exploiting vulnerabilities in Active Directory Group Policy, a Microsoft Windows feature that allows administrators to configure settings for users and computers within an organization. By injecting their own malicious code into legitimate files used by this feature, they can gain access to a network and move laterally to potentially access sensitive information or systems.

And yet, most of the wipers detected during the war in Ukraine were “relatively simple and poorly developed,” without automatic replication or lateral movement capability, allowing hackers to compromise other parts of the system after gaining initial access.

Thus far, the group's new attacks have not justified the fears caused by their previous activity in Ukraine’s cyberspace, Cherepanov said. "The impact caused by the attacks could have been much worse," he said. "Ukrainian defenders are working very well to prevent these attacks at all stages."

Failed attempts

Sandworm's previous attacks had a profound impact on Ukraine's cybersecurity industry. Prior to the initial attacks, many Ukrainian organizations were not prepared to handle cyberattacks of any magnitude, so in response they had to bolster their defense, according to SSSCIP.

When the war began, Ukraine and its partners expected that Sandworm and other groups would try to repeat the successful attacks on Ukraine's power stations to plunge cities into darkness.

However, it was ultimately easier and more effective for Russia to damage Ukraine's power grid using conventional weapons. By November of last year, Russia had reportedly destroyed 40% of Ukraine's energy system using drones and missiles, leading to widespread blackouts throughout the country.


A damaged power station in Luhansk, Ukraine. IMAGE: State Emergency Service of Ukraine

The Ukrainian government said it was able to repel Sandworm's "most ambitious" cyberattack – the April attack on the country's electricity substations using Industroyer2, the new version of the malware first detected during the group's 2016 attack on Ukraine's power grid, which left parts of Kyiv without power for an hour.

ESET called the first Industroyer attack "the biggest threat to industrial control systems since Stuxnet,” the highly sophisticated computer worm believed to have been developed by the U.S. and Israel to target Iran's nuclear program.

Industroyer's new variant had code similarities with the original version, but used one instead of four protocols to communicate with industrial equipment, including devices used to protect electrical power systems from damage.

“Hackers tried to adapt their malware to the new environment,” Cherepanov said.

The attack was set to occur in two waves, but the Ukrainians learned of the possible compromise from unnamed “partners” the day before the incident. “We were able to identify it, fight it, and destroy it,” Victor Zhora, the deputy chief of SSSCIP, said at the time.

In October, ESET also identified a previously unknown NikoWiper, linked to Sandworm, which was used against a company in Ukraine’s energy sector. Neither ESET nor SSSCIP agreed to reveal more details about this attack.

Priorities and targets

In the year or two leading up to the full-scale invasion, Sandworm was active but mostly laying low, according to SSSCIP. Its focus was on “creating the conditions” to carry out future cyberattacks. 

For example, hackers infiltrated Ukrainian information systems and developed infrastructure that would help carry out future operations. In particular, they installed VPNFilter and Cyclops Blink, types of malware capable of infecting a wide range of routers and network devices.

The group’s attacks aim to promote Russian objectives and adapt to changing intelligence needs during the conflict, according to a recent report by Google.

Sandworm's key targets in Ukraine include government agencies, and entities in energy, media, and logistics. 

But the GRU-backed hackers also attack Ukraine’s allies. They targeted a Turkish drone manufacturer, whose systems were used by Ukraine in the early weeks of the war, and in October, Microsoft detected Prestige ransomware deployed against logistics companies in both Ukraine and Poland. 

Sandworm hackers also contribute to information operations. For example, they distribute conspiracies about Western biological weapons labs in Ukraine on their own Substack blog and through a GRU-controlled Telegram channel.

It is not yet clear whether the Sandworm hackers coordinate their cyberattacks with Russian military operations.

ESET’s Lipovsky said that achieving this coordination can be challenging because digital and physical attacks differ in nature: Cyberattacks are carried out in multiple stages, rely on social engineering, and even require some luck.

Typically, the correlation between cyberattacks and kinetic attacks is simply a matter of timing, as both types of attacks occur continuously, he added.

The NikoWiper attack, for example, happened around the same period that the Russian armed forces targeted Ukrainian energy infrastructure with missile strikes, according to ESET.

“This doesn't prove the direct coordination, but suggests that both Sandworm and the Russian armed forces have the same objectives,” researchers said.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
What is Threat Intelligence
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.