Skip to content

Ukraine attacked by data wiping malware as Russian troops breach border

  • by
  • 3 min read

As Russian troops and armoured vehicles begin moving into Ukrainian territory, cybersecurity firms have found novel data wiping malware to attack Ukrainian government agencies and banks. 

Wednesday morning, banks and government agencies were hit with a DDoS attack once again following the DDoS attacks on Ukraine’s Ministry of Defence, Armed Forces, and two state-owned banks on February 15. However, this time around, cybersecurity firms Symantec and ESET report that a new destructive data-wiping malware was also used in the attacks. 

Additionally, Twitter accounts posting videos of Russian troops in Ukraine were suspended from the platform. These accounts were sharing videos from the eastern Donbas and Luhansk regions of Russian helicopters heading towards Crimea and tank divisions moving to the Ukrainian border. 

In the News: 9 spyware apps are haunting 400,000 phones worldwide

All out war on Ukraine

A data wiping malware is quite similar to ransomware, except it’s only interested in making data unrecoverable, causing the infected computer’s operating system to stop working. Symantec tweeted the hash of the malware, which is currently only being detected by 28 of the 71 security engines on VirusTotal

ESET also posted a Twitter thread containing a technical analysis of the novel malware, pointing out that it’s detected as Win32/KillDisk.NCV was deployed on hundreds of Ukrainian networks following the DDoS attacks as of Wednesday. 

ESET also reported that while the malware was used recently, it was compiled in late December 2021, indicating that the attack might have been planned for some time. The malware seems to have been signed by Chengdu Yiwo Tech Development Co. Ltd., owners of the Easus data recovery and disk management software. 

Upon execution, the malware installs itself as a new Windows service with strings inside the drivers indicating belongingness to the Easeus Partition Manager software. Since at least one of the attacks were deployed directly from the Windows domain controller, there’s a chance that the threat actors might have had access to the networks for quite some time. 

Twitter suspends accounts posting Russian troop movements

As the conflict between Russia and Ukraine intensifies, researchers sharing primary material taken from social media, otherwise known as open-source intelligence or OSINT, are getting their Twitter accounts suspended out of the blue.

OSINT researcher Kyle Glen had his account suspended for 12 hours according to his tweets and a post shared by Coupsure, an OSINT organisation. Another security analyst, Oliver Alexander, also claimed to have his account suspended twice in 24 hours. Other OSINT accounts like Neurone Intelligence, Mundo en Conflicto and Notícias e Guerras were also affected. 

Social Media disinformation campaigns are a tool previously used by Russia during its annexation of Crimea, and Ukraine’s supporters are worried about these suspensions being a similar tactic, benefiting the Russian military currently in the region. However, Twitter spokesperson Elizabeth Busby said that the actions taken were in error and not part of a coordinated campaign. 

In the News: IRS rolls out a temporary authentication system following biometric row

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: