WhisperGate

Malware updated an hour ago (2024-11-21T11:32:01.515Z)

Download STIX

Preview STIX

WhisperGate is a malicious software (malware) deployed by Unit 29155 cyber actors, known for their extensive use of this malware, particularly against Ukraine. The malware corrupts a system's master boot record, displays a fake ransomware note, and encrypts files based on specific file extensions. The deployment process involves two stages: stage1.exe and stage2.exe. WhisperGate is not exclusive to Unit 29155, as it has been used by other groups as well. It has also been associated with another malware called WhisperKill, which destroys files with specific extensions. The GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. Shortly after one such deployment, the actors exfiltrated data to mega[.]nz using Rclone. The Discord accounts associated with the WhisperGate campaign are categorized into three main clusters, labeled as Clusters 1, 2, and 3. A Cybersecurity Advisory provides tactics, techniques, and procedures (TTPs) associated with Unit 29155 cyber actors during and after their deployment of WhisperGate against Ukraine. In addition to WhisperGate and other incidents against Ukraine, Unit 29155 cyber actors have conducted computer network operations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, and Central Asia. Detailed technical analysis of the WhisperGate malware was conducted on samples collected from one victim, and further information is available in the joint advisory, "Destructive Malware Targeting Organizations in Ukraine," published on February 26, 2022.

Description last updated: 2024-11-21T10:45:44.872Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Whisperkill is a possible alias for WhisperGate. WhisperKill, also known as ShadyLook, is a destructive malware downloaded by another malicious software called WhisperGate (or PayWipe). As part of the broader family of wiper malware that includes DoubleZero, HermeticWiper, IsaacWiper, WhisperGate, CaddyWiper, and AcidRain, it is designed to exploi	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Ransomware

Wiper

Ukrainian

Russia

Ukraine

Blizzard

Windows

Apt

Government

Microsoft

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The HermeticWiper Malware is associated with WhisperGate. HermeticWiper is a destructive malware that was first disclosed by cybersecurity researchers on February 23, 2022. This malicious software was deployed against organizations in Ukraine, with the intent of destroying computer systems and rendering them inoperable. The malware infiltrates systems thro	Unspecified	4
The CaddyWiper Malware is associated with WhisperGate. CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip	Unspecified	4
The Isaacwiper Malware is associated with WhisperGate. IsaacWiper is a malicious software (malware) that has been identified as part of a series of cyberattacks against Ukraine in 2022. The malware is known to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Once inside, IsaacWiper can disru	Unspecified	4
The Acidrain Malware is associated with WhisperGate. AcidRain is a malicious software, or malware, that was first described in March, following a cyberattack that disrupted approximately 10,000 satellite modems associated with communications provider Viasat's KA-SAT network. The malware was discovered by cybersecurity firm SentinelOne in February 2022	Unspecified	2
The NotPetya Malware is associated with WhisperGate. NotPetya, a destructive malware posing as ransomware, was unleashed in 2017, causing widespread global damage while primarily targeting Ukraine's infrastructure. The cyberattack, commonly attributed to Russia, was so devastating that it led many to consider it an act of cyberwar, despite no official	Unspecified	2
The Doublezero Malware is associated with WhisperGate. DoubleZero is a form of malware, specifically classified as a "wiper," that was discovered by CERT-UA on March 17th, 2022. Like other malicious software, it can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Unlike most malware, however, Dou	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Cadet Blizzard Threat Actor is associated with WhisperGate. Cadet Blizzard, a Russian threat actor, has emerged as a significant cybersecurity concern. Identified by the Microsoft Threat Intelligence Center in June 2023, Cadet Blizzard is linked to Russia's GRU military intelligence unit and has been operational since at least 2020. The group has demonstrate	Unspecified	4
The Nodaria Threat Actor is associated with WhisperGate. Nodaria (UAC-0056), a Russia-sponsored threat actor, has been active since at least March 2021, primarily targeting Ukraine but also known to have targeted entities in Kyrgyzstan and Georgia. Initially relatively unknown, Nodaria's activities escalated significantly following the Russian invasion of	Unspecified	2

Source Document References

Information about the WhisperGate Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CISA	3 months ago	Russian Military Cyber Actors Target US and Global Critical Infrastructure
Checkpoint	2 months ago	9th September – Threat Intelligence Report - Check Point Research
DARKReading	2 months ago	Feds Warn on Russia Targeting Critical Infrastructure
InfoSecurity-magazine	2 months ago	US and Allies Accuse Russian Military of Destructive Cyber-Attacks
Flashpoint	2 months ago	Five Russian GRU Officers and One Civilian Charged for Conspiring to Hack Ukrainian Government
Securityaffairs	2 months ago	Russia-linked GRU Unit 29155 targeted critical infrastructure
CISA	3 months ago	FBI, CISA, NSA, and US and International Partners Release Advisory on Russian Military Cyber Actors Targeting US and Global Critical Infrastructure \| CISA
Securityaffairs	5 months ago	US announces a reward for Russia's GRU hacker behind attacks on Ukraine
BankInfoSecurity	5 months ago	Russian Indicted for Wiper Malware Campaign Against Ukraine
InfoSecurity-magazine	5 months ago	US Charges Russian Individual for Pre-Invasion Ukraine Hack
Securityaffairs	7 months ago	Previously unknown Kapeka backdoor linked to Sandworm APT
Securityaffairs	a year ago	Russia-linked APT Sandworm was inside Ukraine telecoms giant Kyivstar for months
Securityaffairs	2 years ago	New Graphiron info-stealer used in attacks against Ukraine
MITRE	2 years ago	Ukraine: Disk-wiping Attacks Precede Russian Invasion
CERT-EU	a year ago	Modded Cisco switch stymies Russian electricity grid attacks
CERT-EU	a year ago	Advanced threat predictions for 2024 – GIXtools
Securelist	a year ago	Kaspersky Security Bulletin: APT predictions 2024
Securityaffairs	a year ago	Russian Sandworm disrupts power in Ukraine with a new OT attack
CERT-EU	a year ago	New BiBi-Linux wiper malware targets Israeli orgs in destructive attacks
Securityaffairs	a year ago	Russia-linked Sandworm APT compromised 11 Ukrainian telecommunications providers