Cyber Incident Victim: Media Center Ukraine

Date: Jan 2023

Location: Ukraine

Summary

A cyberattack attributed to the Russian GRU-linked Sandworm group (UAC-0082) targeted Media Center Ukraine — Ukrinform, disrupting online broadcasts during a press briefing by deploying destructive malware including CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. The attackers used Group Policy Objects for centralized distribution and attempted to destroy data across Windows, Linux, and FreeBSD systems, but achieved only partial success, affecting a limited number of storage systems. The incident caused a 15-minute interruption before services were restored, and the Russian-aligned "CyberArmyofRussia_Reborn" Telegram channel claimed responsibility. Ukrainian CERT-UA investigators confirmed Sandworm's involvement based on malware signatures, TOR relay infrastructure, and prior reconnaissance activity.


Description

On January 17, 2023, Media Center Ukraine — Ukrinform experienced a cyberattack during a live press briefing conducted by Yurii Shchyhol, head of Ukraine’s State Service for Special Communications and Information Protection (SSSCIP). The attack disrupted internet connectivity, forcing the interruption of all online broadcasts for approximately 15 minutes. SSSCIP technicians promptly restored network operations, allowing the media center to resume scheduled activities. Ukrainian authorities attributed the incident to Russian state-sponsored threat actors, specifically identifying the Sandworm group (tracked as UAC-0082) as the perpetrator. This group has documented ties to Russia’s GRU military intelligence agency. The attackers employed multiple destructive malware families—CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe—designed to overwrite data and disrupt system availability. Investigators from CERT-UA and SSSCIP determined the malware was deployed via Group Policy Objects (GPOs), indicating prior network compromise, with evidence suggesting reconnaissance activity occurred no later than December 7, 2022. The Russian-aligned Telegram channel "CyberArmyofRussia_Reborn", which has historically been linked to Sandworm’s operations, claimed responsibility for the attack minutes after the disruption began.

The attack targeted workstations and data storage systems within Ukrinform’s information and communication infrastructure. While the malware execution attempted mass data destruction, CERT-UA assessed the operation as only partially successful, affecting a limited number of storage systems. Forensic analysis revealed the attackers used scheduled tasks to distribute malicious payloads, including a batch script ("news.bat") to execute the legitimate Microsoft utility SDelete for file deletion. Linux and FreeBSD systems were targeted with AwfulShred and BidSwipe, respectively, demonstrating cross-platform capabilities. Indicators of compromise included file hashes (e.g., CaddyWiper variant 00782ccd65a1e03e3e74ce1e59e752926e0a050818fa195bd7e5a5b359500758), malicious scripts, and TOR relay IP addresses (e.g., 185.220.101.185) used for command-and-control infrastructure. Sandworm’s historical use of Industroyer malware against Ukrainian critical infrastructure in 2016 and 2022 provided additional attribution context. The incident occurred during a briefing focused on Russia’s hybrid warfare tactics, including cyberattacks preceding kinetic strikes on critical infrastructure. Despite temporary disruption, Ukrinform’s operational continuity was maintained, with no permanent data loss reported.
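The deployment chain described above (a GPO-distributed scheduled task launching a batch script that runs the legitimate SDelete utility, wiper samples identifiable by hash, and command-and-control traffic to a TOR relay) maps onto three simple detection rules a defender can run over endpoint telemetry. The following is an added illustration, not code from CERT-UA or from the page's source; the hash, the relay IP and the "news.bat" name are taken from the incident description, while the log record layout, field names and sample events are constructed for the example.

```python
"""Toy detection pass for the TTPs and IoCs in the Ukrinform incident description.

Rules:
  1. a scheduled task whose command references the wiper script or SDelete
  2. a process whose SHA-256 matches a known wiper sample, or an SDelete binary
     spawned from a batch file
  3. an outbound connection to a known TOR relay

Record layout (dict keys) and the sample events are constructed assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Indicators named in the incident description (not an exhaustive IoC list).
KNOWN_HASHES = {"00782ccd65a1e03e3e74ce1e59e752926e0a050818fa195bd7e5a5b359500758"}
KNOWN_TOR_RELAYS = {"185.220.101.185"}
WIPER_SCRIPT_NAMES = {"news.bat"}
# Sysinternals ships SDelete as sdelete.exe and sdelete64.exe.
SDELETE_BINARIES = {"sdelete.exe", "sdelete64.exe"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    # ntpath handles backslash paths regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def check_record(rec: dict) -> list[Finding]:
    """Apply the three rules to one telemetry record and return any findings."""
    host = rec.get("host", "?")
    kind = rec.get("kind")
    out: list[Finding] = []
    if kind == "task_created":
        cmd = rec.get("command", "")
        lowered = cmd.lower()
        if any(n in lowered for n in WIPER_SCRIPT_NAMES) or any(b in lowered for b in SDELETE_BINARIES):
            out.append(Finding(host, "scheduled_task_wiper_script", cmd))
    elif kind == "process":
        image = _basename(rec.get("image", ""))
        sha = rec.get("sha256", "").lower()
        parent = rec.get("parent_cmdline", "")
        if sha in KNOWN_HASHES:
            out.append(Finding(host, "known_wiper_hash", sha))
        # SDelete is a legitimate admin tool; a .bat parent is the suspicious context here.
        if image in SDELETE_BINARIES and ".bat" in parent.lower():
            out.append(Finding(host, "sdelete_from_batch", parent))
    elif kind == "network":
        dst = rec.get("dst_ip", "")
        if dst in KNOWN_TOR_RELAYS:
            out.append(Finding(host, "known_tor_relay", dst))
    return out


def scan(records: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for rec in records:
        findings.extend(check_record(rec))
    return findings


def rules_by_host(findings: list[Finding]) -> dict[str, list[str]]:
    """Group triggered rule names per host, preserving order of first occurrence."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.host, []).append(f.rule)
    return grouped


# Constructed sample telemetry: two hosts showing the described chain, one benign host.
SAMPLE_EVENTS = [
    {"kind": "task_created", "host": "ws01", "command": r"cmd.exe /c C:\Windows\Temp\news.bat"},
    {"kind": "process", "host": "ws01", "image": r"C:\Windows\Temp\sdelete.exe",
     "parent_cmdline": r"cmd.exe /c C:\Windows\Temp\news.bat", "sha256": "0" * 64},
    {"kind": "process", "host": "ws02", "image": r"C:\Users\Public\svc.exe",
     "parent_cmdline": "services.exe",
     "sha256": "00782ccd65a1e03e3e74ce1e59e752926e0a050818fa195bd7e5a5b359500758"},
    {"kind": "network", "host": "ws02", "dst_ip": "185.220.101.185", "dst_port": 443},
    {"kind": "process", "host": "ws03", "image": r"C:\Windows\System32\notepad.exe",
     "parent_cmdline": "explorer.exe", "sha256": "f" * 64},
    {"kind": "network", "host": "ws03", "dst_ip": "10.0.0.5", "dst_port": 445},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} -> {f.detail}")
```

The hash and relay rules are exact-match and will miss recompiled samples or rotated relays, so they are best paired with the behavioural rules (a scheduled task or batch file invoking SDelete), which do not depend on the specific sample. Because SDelete is a legitimate Sysinternals tool, the batch-parent heuristic should be tuned against each environment's known administrative scripts to keep false positives manageable.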
