Ukraine has come under a fresh cyber onslaught from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed SwiftSlicer.
ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
“Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%drivers, %CSIDL_SYSTEM_DRIVE%WindowsNTDS and other non-system drives and then reboots computer,” ESET disclosed in a series of tweets.
The overwrites are achieved by using randomly generated byte sequences to fill 4,096 byte-length blocks. The intrusion was discovered on January 25, 2023, the Slovak cybersecurity company added.
Sandworm, also tracked under the monikers BlackEnergy, Electrum, Iridium, Iron Viking, TeleBots, and Voodoo Bear, has a history of staging disruptive and destructive cyber campaigns targeting organizations worldwide since at least 2007.
The sophistication of the threat actor is evidenced by its multiple distinct kill chains, which comprise a wide variety of custom tools such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Exaramel, and Cyclops Blink.
In 2022 alone, coinciding with Russia’s military invasion of Ukraine, Sandworm has unleashed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs against critical infrastructure in Ukraine.
“When you think about it, the growth in wiper malware during a conflict is hardly a surprise,” Fortinet FortiGuard Labs researcher Geri Revay said in a report published this week. “It can scarcely be monetized. The only viable use case is destruction, sabotage, and cyberwar.”
The discovery of SwiftSlicer points to the consistent use of wiper malware variants by the Russian adversarial collective in attacks designed to wreak havoc in Ukraine.
The development also comes as the Computer Emergency Response Team of Ukraine (CERT-UA) linked Sandworm to a recent largely unsuccessful cyberattack on the national news agency Ukrinform.
The intrusion, which is suspected of having been carried out no later than December 7, 2022, entailed the use of five different pieces of data wiping programs, namely CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe targeting Windows, Linux, and FreeBSD systems.
“It was established that the final stage of the cyberattack was initiated on January 17, 2023,” CERT-UA said in an advisory. “However, it had only partial success, in particular, in relation to several data storage systems.”
Sandworm is not the only group that has its eyes on Ukraine. Other Russian state-sponsored actors such as APT29, COLDRIVER, and Gamaredonhave actively targeted a range of Ukrainian organizations since the onset of the war.