Ukraine has come under a fresh cyber attack from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed SwiftSlicer.
ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
"Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots the computer," ESET disclosed in a series of tweets.
The overwrites are achieved by filling 4,096-byte blocks with randomly generated byte sequences, so the destroyed content is not recoverable from disk and the deletion of shadow copies removes the usual local rollback path. The intrusion was discovered on January 25, 2023, the Slovak cybersecurity company added.
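The behaviour ESET describes (random bytes written in 4,096-byte blocks over files in the drivers and NTDS directories) leaves a forensic signature: an overwritten file has near-maximal byte entropy in every full block and no recognisable file header. The triage script below is an added example, not ESET's analysis tooling or the SwiftSlicer code; it builds a constructed sample tree mimicking a `Windows\NTDS` directory (intact log, overwritten database, a zip archive, a tiny file), then classifies each file. The 7.85 bits/byte threshold, the 95% block fraction and the list of compressed-format magic bytes are heuristics chosen for this example, and the article does not say whether the wiper preserves file sizes, so only full 4,096-byte blocks are scored.

```python
"""Entropy triage for SwiftSlicer-style overwrites (added example, not ESET's
or the malware's code).

ESET reports that SwiftSlicer overwrites files under %CSIDL_SYSTEM%\\drivers,
%CSIDL_SYSTEM_DRIVE%\\Windows\\NTDS and non-system drives with random bytes in
4,096-byte blocks. A wiped file therefore scores close to 8 bits/byte of
entropy in every full block and carries no known file header.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

BLOCK = 4096                # block size ESET reports for the overwrites
ENTROPY_THRESHOLD = 7.85    # heuristic; 4,096 uniformly random bytes score ~7.95
MIN_RANDOM_FRACTION = 0.95  # heuristic share of full blocks that must look random

# Legitimately high-entropy formats that must not be mistaken for wiped data.
# Heuristic list assumed for this example; extend for your environment.
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"PK\x03\x04": "zip/docx/jar",
    b"\x1f\x8b\x08": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def shannon_entropy(data: bytes) -> float:
    """Empirical (plug-in) Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def full_block_entropies(path: Path, block: int = BLOCK) -> list[float]:
    """Entropy of each full block; a short tail is skipped because a block of
    100 bytes cannot reach 8 bits/byte even if it is random."""
    out = []
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(block)
            if len(chunk) < block:
                break
            out.append(shannon_entropy(chunk))
    return out


def classify(path: Path) -> str:
    """One of 'wiped-candidate', 'known-compressed', 'normal', 'too-small'."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if any(head.startswith(magic) for magic in KNOWN_HIGH_ENTROPY_MAGIC):
        return "known-compressed"       # high entropy, but a real format
    ents = full_block_entropies(path)
    if not ents:
        return "too-small"              # no full 4,096-byte block to judge
    frac = sum(e >= ENTROPY_THRESHOLD for e in ents) / len(ents)
    return "wiped-candidate" if frac >= MIN_RANDOM_FRACTION else "normal"


def triage(root: Path) -> dict[str, str]:
    """Recursively classify every regular file under root (paths with '/')."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_tree(root: Path) -> Path:
    """Constructed sample data for a stand-alone run; not real evidence.
    Mimics the Windows\\NTDS directory named in the ESET tweet."""
    rng = random.Random(20230125)       # fixed seed: deterministic 'random' bytes
    ntds = Path(root) / "Windows" / "NTDS"
    ntds.mkdir(parents=True, exist_ok=True)
    # intact, text-like file: low entropy in every block
    (ntds / "edb.log").write_bytes(b"Microsoft ESE log record. " * 400)
    # overwritten with random 4,096-byte blocks, as SwiftSlicer does
    (ntds / "ntds.dit").write_bytes(rng.randbytes(BLOCK * 3))
    # archive: high entropy but a recognisable header, so not a wipe
    (ntds / "backup.zip").write_bytes(b"PK\x03\x04" + rng.randbytes(BLOCK * 2))
    # smaller than one block: cannot be assessed by this method
    (ntds / "temp.edb").write_bytes(rng.randbytes(512))
    return Path(root)


def demo_verdicts() -> dict[str, str]:
    """Build the constructed tree in a temp dir and return its verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for name, verdict in demo_verdicts().items():
        print(f"{verdict:16} {name}")
```

Run it against the real `%SystemRoot%\NTDS` and `%SystemRoot%\System32\drivers` on a suspect host (from a forensic image or after boot from trusted media) by calling `triage(Path(...))`; a `wiped-candidate` verdict on `ntds.dit` or on `.sys` drivers is consistent with the overwrite ESET describes. Encrypted files without a header (for example EFS-protected or application-encrypted data) will also score as random, so confirm candidates against known-good hashes or backups before concluding.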
Sandworm, also tracked under the monikers BlackEnergy, Electrum, Iridium, Iron Viking, TeleBots, and Voodoo Bear, has a history of staging disruptive and destructive cyber campaigns targeting organizations worldwide since at least 2007.
The sophistication of the threat actor is evidenced by its multiple distinct kill chains, which comprise a wide variety of custom tools such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Exaramel, and Cyclops Blink.
In 2022 alone, coinciding with Russia's military invasion of Ukraine, Sandworm unleashed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs against critical infrastructure in Ukraine.
"When you think about it, the growth in wiper malware during a conflict is hardly a surprise," Fortinet FortiGuard Labs researcher Geri Revay said in a report published this week. "It can scarcely be monetized. The only viable use case is destruction, sabotage, and cyberwar."
The discovery of SwiftSlicer points to the consistent use of wiper malware variants by the Russian adversarial collective in attacks designed to wreak havoc in Ukraine.
The development also comes as the Computer Emergency Response Team of Ukraine (CERT-UA) linked Sandworm to a recent, largely unsuccessful cyberattack on the national news agency Ukrinform.
The intrusion, which is suspected of having been carried out no later than December 7, 2022, entailed the use of five different data wiping programs, namely CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe, targeting Windows, Linux, and FreeBSD systems.
"It was established that the final stage of the cyberattack was initiated on January 17, 2023," CERT-UA said in an advisory. "However, it had only partial success, in particular, in relation to several data storage systems."
Sandworm is not the only group that has its eyes on Ukraine. Other Russian state-sponsored actors such as APT29, COLDRIVER, and Gamaredon have actively targeted a range of Ukrainian organizations since the onset of the war.