ESET discovers fourth data wiper malware aimed at Ukraine

A fourth variety of wiper malware and a poisoned Windows antivirus update, both aimed at Ukraine, have been found by security researchers.

The discoveries should be of concern to infosec pros watching the cyberwar between Russia and Ukraine as signs of what may be to come if the online fight spreads wider.

Data wipers

ESET, headquartered in Bratislava, Slovakia, said it found the destructive data wiper it dubs CaddyWiper early Monday morning, European time. The malware was spotted on several dozen systems in a limited number of organizations.

CaddyWiper bears no major code similarities to either HermeticWiper or IsaacWiper, the other two new data wipers found by ESET that have struck organizations in Ukraine since February 23rd, the company said.

“Much like with HermeticWiper, however, there’s evidence to suggest that the bad actors behind CaddyWiper infiltrated the target’s network before unleashing the wiper,” the researchers said. They didn’t identify the threat actor who deployed it.

Another data wiper, dubbed WhisperGate by Microsoft, hit the networks of multiple organizations in Ukraine in January.

Fake antivirus update

Also on Monday, Ukraine’s Computer Emergency Response Team warned that unnamed threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware.

According to Bleeping Computer, the “updates” are being sent by phishing messages that impersonate Ukrainian government agencies offering ways to increase network security. Recipients are told to download “critical security updates,” which come in the form of a 60 MB file named “BitdefenderWindowsUpdatePackage.exe.”

What actually gets downloaded is a Cobalt Strike beacon, typically used by hackers for network surveillance and communications. In this case it leads to the downloading of two backdoors onto victims’ computers.

Anonymous group strikes Russian company

On the other side, the Anonymous hactivist group has reportedly struck the German subsidiary of the Russian energy company Rosneft. Toby Lewis, global head of threat analysis at Darktrace, notes that Anonymous is backing up its claim with screenshots that show wiped corporate iPhones and at least one file server. The attackers allege weak and easily guessed iPhone passwords helped.

“The urgent challenge for defenders of critical national infrastructure globally is to be able to interrupt attacks once they get inside, before normal business operations are disrupted and before widespread shutdowns,” Lewis wrote.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.