Ukraine hit by new Golang-based wiper malware “SwiftSlicer” in latest cyber attack

28.01.2023 | Ravie Lakshmanan | Cyber Threat / Cyber War

Ukraine is facing a new cyber attack from Russia that involved the use of a previously undocumented Golang-based data wiper dubbed SwiftSlicer.

ESET attributed the attack to Sandworm, a nation-state group affiliated with Military Unit 74455 of the Main Intelligence Service (GRU) of the General Staff of the Armed Forces of the Russian Federation.

“Once executed, it deletes shadow copies, recursively overwrites files in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives, and then restarts the computer,” ESET disclosed in a series of tweets.

The overwrites are achieved by using randomly generated sequences of bytes to fill blocks that are 4,096 bytes long. The breach was discovered on January 25, 2023, the Slovakian cybersecurity company added.
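The behaviour ESET describes, files overwritten block by block with random bytes, leaves a measurable fingerprint on disk. The following is an added triage script (not ESET's code and not the malware's) that flags files whose whole 4,096-byte blocks are all near-random; the entropy threshold, the magic-number exclusion list and the function names are assumptions.

```python
# Added triage example, not ESET's code; threshold and magic list are assumptions.
import math
import os
from collections import Counter

BLOCK = 4096          # overwrite granularity reported by ESET
ENTROPY_MIN = 7.8     # bits/byte; uniformly random 4,096-byte data scores ~7.95
# legitimately high-entropy formats we do not want to mistake for wiped data
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"7z\xbc\xaf", b"\x89PNG", b"%PDF")

def block_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())

def wiped_block_count(data: bytes) -> tuple[int, int]:
    """(near-random full blocks, full blocks). Only whole 4,096-byte blocks are
    judged: a short tail cannot reach 8 bits/byte however random it is."""
    full = len(data) // BLOCK
    hits = sum(1 for i in range(full)
               if block_entropy(data[i * BLOCK:(i + 1) * BLOCK]) >= ENTROPY_MIN)
    return hits, full

def looks_wiped(data: bytes) -> bool:
    """True when every whole block is near-random and the file does not start
    with a known compressed/encoded header. Files shorter than one block are
    never flagged here; triage those by hand."""
    if data.startswith(COMPRESSED_MAGIC):
        return False
    hits, full = wiped_block_count(data)
    return full > 0 and hits == full

def scan_tree(root: str) -> list[str]:
    """Walk a directory (e.g. a mounted image of the drivers or NTDS folder
    ESET names) and return paths that look overwritten with random blocks."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if looks_wiped(fh.read()):
                        flagged.append(path)
            except OSError:
                continue   # locked or unreadable; report separately in real use
    return flagged
```

Run `scan_tree` against a mounted forensic image rather than the live system so the scan itself does not alter timestamps that may matter to the investigation.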

Sandworm, which also goes by the nicknames BlackEnergy, Electrum, Iridium, Iron Viking, TeleBots, and Voodoo Bear, has had a history of staging disruptive and destructive cyber campaigns targeting organizations worldwide since at least 2007.

The threat actor’s sophistication is evidenced by its multiple distinct kill chains, which include a variety of custom tools such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Olympic Destroyer, Exaramel, and Cyclops Blink.

In 2022 alone, coinciding with Russia’s military invasion of Ukraine, Sandworm deployed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs against critical infrastructure in Ukraine.

“Coming to think of it, the surge in wiper malware during a conflict is hardly a surprise,” Fortinet FortiGuard Labs researcher Geri Revay said in a report released this week. “It’s hard to monetize. The only viable use case is destruction, sabotage and cyberwar.”

The SwiftSlicer discovery points to the consistent use of wiper malware variants by the Russian adversary collective in attacks aimed at wreaking havoc in Ukraine.

The development also comes as the Computer Emergency Response Team of Ukraine (CERT-UA) linked Sandworm to a recent largely unsuccessful cyberattack on the national news agency Ukrinform.

The intrusion, which is believed to have been carried out no later than December 7, 2022, involved the use of five different data erasing programs, namely CaddyWiper, ZeroWipe, SDelete, AwfulShred and BidSwipe, targeting Windows, Linux and FreeBSD systems.

“It was determined that the final phase of the cyber attack was initiated on January 17, 2023,” CERT-UA said in an advisory. “However, only partially successful, especially with multiple data storage systems.”

Sandworm isn’t the only group with eyes on Ukraine. Other Russian state-sponsored actors such as APT29, COLDRIVER and Gamaredon have been actively targeting a number of Ukrainian organizations since the war began.
