Ember Bear WhisperGate Ukraine Wiper
Destructive WhisperGate wiper malware campaign by Russian GRU's Cadet Blizzard against Ukrainian government websites and critical infrastructure, preceding the February 2022 invasion. First known deployment of a wiper attributed to a distinct GRU unit separate from Sandworm.
Start date
13 January 2022
End date
—
Techniques
18
Attributed actors
Techniques (18)
command-and-control (2)
T1105 Ingress Tool Transfer
T1071.001 Web Protocols
defense-impairment (1)
T1070.001 Clear Windows Event Logs
discovery (2)
T1082 System Information Discovery
T1083 File and Directory Discovery
execution (3)
T1059.003 Windows Command Shell
T1059.001 PowerShell
T1053.005 Scheduled Task
impact (4)
T1485 Data Destruction
T1561.001 Disk Content Wipe
T1561.002 Disk Structure Wipe
T1490 Inhibit System Recovery
initial-access (2)
T1078 Valid Accounts
T1566.001 Spearphishing Attachment
persistence (3)
T1078 Valid Accounts
T1547.001 Registry Run Keys / Startup Folder
T1053.005 Scheduled Task
privilege-escalation (3)
T1078 Valid Accounts
T1547.001 Registry Run Keys / Startup Folder
T1053.005 Scheduled Task
stealth (4)
T1078 Valid Accounts
T1140 Deobfuscate/Decode Files or Information
T1070.004 File Deletion
T1027 Obfuscated Files or Information
Indicators of compromise
No IOCs linked to this campaign yet.