WhisperGate

Malware updated 15 hours ago (2024-10-17T13:04:11.891Z)

Download STIX

Preview STIX

WhisperGate is a destructive malware that has been employed by threat actors since 2020, with its first known deployment against Ukrainian organizations occurring in January 2022. These actors have used the malware to damage computer systems and render them inoperable, targeting not only Ukraine but also countries worldwide supporting Ukraine. Notably, WhisperGate was deployed against Ukrainian government and critical sector organizations leading up to Russia's invasion of Ukraine in February 2022. The malware, disguised as ransomware, was designed as a cyberweapon to completely destroy target computers and related data. The individuals involved in the WhisperGate attacks are accused of using a U.S.-based company's services to distribute the malware to dozens of Ukrainian government entities' computer systems starting from January 13, 2022. Furthermore, the Federal Bureau of Investigation (FBI), in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and other U.S. and international partners, released a joint cybersecurity advisory in response to these activities. This advisory provided overlapping cybersecurity industry cyber threat intelligence, tactics, techniques, procedures (TTPs), and Indicators of Compromise (IOCs) associated with Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) cyber actors, both during and succeeding their deployment of the WhisperGate malware against Ukraine. Cybereason, a cybersecurity firm, has been instrumental in protecting against WhisperGate. It has successfully detected and blocked WhisperGate, providing user notifications and UI notifications about the threat. One individual, Stigal, has been linked to WhisperGate operations against Ukrainian, NATO, and U.S. computer networks, and has allegedly conspired with others to establish accounts on a social communications platform for use in WhisperGate operations.

Description last updated: 2024-10-17T12:16:16.072Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Whisperkill is a possible alias for WhisperGate.	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Wiper

Ransomware

Ukrainian

Russia

Ukraine

Blizzard

Windows

Apt

Government

Microsoft

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The HermeticWiper Malware is associated with WhisperGate. HermeticWiper is a destructive malware that was first disclosed by cybersecurity researchers on February 23, 2022. This malicious software was deployed against organizations in Ukraine, with the intent of destroying computer systems and rendering them inoperable. The malware infiltrates systems thro	Unspecified	4
The CaddyWiper Malware is associated with WhisperGate. CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip	Unspecified	4
The Isaacwiper Malware is associated with WhisperGate. IsaacWiper is a malicious software (malware) that has been identified as part of a series of cyberattacks against Ukraine in 2022. The malware is known to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Once inside, IsaacWiper can disru	Unspecified	4
The Doublezero Malware is associated with WhisperGate. DoubleZero is a form of malware, specifically classified as a "wiper," that was discovered by CERT-UA on March 17th, 2022. Like other malicious software, it can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Unlike most malware, however, Dou	Unspecified	2
The Acidrain Malware is associated with WhisperGate. AcidRain is a malicious software, or malware, that was first described in March, following a cyberattack that disrupted approximately 10,000 satellite modems associated with communications provider Viasat's KA-SAT network. The malware was discovered by cybersecurity firm SentinelOne in February 2022	Unspecified	2
The NotPetya Malware is associated with WhisperGate. NotPetya is a malicious software (malware) that caused extensive damage worldwide in 2017. It was initially perceived as ransomware, similar to other notorious variants such as WannaCry, Petya, TeslaCrypt, DarkSide, and REvil. However, unlike typical ransomware, NotPetya was primarily destructive ra	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Cadet Blizzard Threat Actor is associated with WhisperGate. Cadet Blizzard, a threat actor group associated with Russia's GRU military intelligence unit, has been identified by Microsoft as the perpetrator of destructive cyber attacks in Ukraine using wiper malware. The group has been active since at least 2020 and has recently gained some success, according	Unspecified	4
The Nodaria Threat Actor is associated with WhisperGate. Nodaria (UAC-0056), a Russia-sponsored threat actor, has been active since at least March 2021, primarily targeting Ukraine but also known to have targeted entities in Kyrgyzstan and Georgia. Initially relatively unknown, Nodaria's activities escalated significantly following the Russian invasion of	Unspecified	2

Source Document References

Information about the WhisperGate Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Checkpoint	a month ago	9th September – Threat Intelligence Report - Check Point Research
DARKReading	a month ago	Feds Warn on Russia Targeting Critical Infrastructure
InfoSecurity-magazine	a month ago	US and Allies Accuse Russian Military of Destructive Cyber-Attacks
Flashpoint	a month ago	Five Russian GRU Officers and One Civilian Charged for Conspiring to Hack Ukrainian Government
Securityaffairs	a month ago	Russia-linked GRU Unit 29155 targeted critical infrastructure
CISA	a month ago	FBI, CISA, NSA, and US and International Partners Release Advisory on Russian Military Cyber Actors Targeting US and Global Critical Infrastructure \| CISA
Securityaffairs	4 months ago	US announces a reward for Russia's GRU hacker behind attacks on Ukraine
BankInfoSecurity	4 months ago	Russian Indicted for Wiper Malware Campaign Against Ukraine
InfoSecurity-magazine	4 months ago	US Charges Russian Individual for Pre-Invasion Ukraine Hack
Securityaffairs	6 months ago	Previously unknown Kapeka backdoor linked to Sandworm APT
Securityaffairs	9 months ago	Russia-linked APT Sandworm was inside Ukraine telecoms giant Kyivstar for months
Securityaffairs	2 years ago	New Graphiron info-stealer used in attacks against Ukraine
MITRE	2 years ago	Ukraine: Disk-wiping Attacks Precede Russian Invasion
CERT-EU	a year ago	Modded Cisco switch stymies Russian electricity grid attacks
CERT-EU	a year ago	Advanced threat predictions for 2024 – GIXtools
Securelist	a year ago	Kaspersky Security Bulletin: APT predictions 2024
Securityaffairs	a year ago	Russian Sandworm disrupts power in Ukraine with a new OT attack
CERT-EU	a year ago	New BiBi-Linux wiper malware targets Israeli orgs in destructive attacks
Securityaffairs	a year ago	Russia-linked Sandworm APT compromised 11 Ukrainian telecommunications providers
CERT-EU	a year ago	Three emerging trends currently shaping the ransomware landscape \| #ransomware \| #cybercrime \| National Cyber Security Consulting