UAC-0082

UAC-0082, also identified in the provided content as Sandworm, is a destructive threat actor associated by CERT-UA with Russia’s GRU. In the cited January 2023 intrusion against Ukraine’s national news agency Ukrinform, CERT-UA attributed the attack to UAC-0082 (Sandworm) and assessed that reconnaissance of the victim environment occurred no later than 2022-12-07, with the final stage beginning on 2023-01-17. The operation aimed to disrupt integrity and availability by overwriting files and disks with zeroes or arbitrary data and then deleting them. Identified tooling included CaddyWiper and ZeroWipe for Windows, planned execution of the legitimate Sysinternals utility SDelete via a batch file (news.bat), AwfulShred for Linux, and BidSwipe for FreeBSD. The attackers attempted centralized malware distribution through a Group Policy Object that created scheduled tasks. Reported activity also included PowerShell with encoded commands, copying Windows Security event logs, DNS record enumeration with dnscmd, and icacls/takeown operations targeting explorer.exe. CERT-UA noted the attack achieved only partial success, including impact on several data storage systems. The provided content also states that the Telegram channel CyberArmyofRussia_Reborn uniquely highlights destructive activity attributed to this group in addition to DDoS and defacement claims. Known alias in the content: Sandworm.