Malware, Threat Management

Russian-sponsored group Sandworm hits Ukraine with new wiper malware

Ukrainian flags displayed at a cemetery

A new wiper cyberattack attributed to SandWorm was deployed against Ukraine on Jan. 25. Dubbed SwiftSlicer, the Slovakian cybersecurity firm ESET discovered the attack levied used Active Directory Group Policy and was written in Go programming language.

Once deployed, SwiftSlicer deletes shadow companies and recursively overwrites files located in system drivers and other non-system drives before rebooting the computer. ESET researchers explained on Twitter that the wiper overwrites drives using 4096 bytes-length blocks filled with randomly generated bytes.

The ESET post contains known IOCs. Jean-Ian Boutin, ESET's director of threat research told SC Media that SwiftSlicer malware has not been seen anywhere except Ukraine. The "newly discovered Sandworm activity is in line with previous campaigns since Sandworm heavily uses different type of wipers for its operations in Ukraine."

Wiper malware variants have played a consistent role in attacks targeting Ukraine since January 2022. Prior to the Russian invasion, Microsoft uncovered a destructive wiper malware variant targeting a range of Ukrainian industries that mimicked the appearance of ransomware, but offered no functionality for ransom recovery.

But long before the Ukraine invasion, the Russian state-sponsored threat group known as Sandworm wreaked havoc across a range of sectors. Sandworm was tied to the notorious NotPetya cyberattacks deployed in 2017 that targeted the health sector and the Ukraine power grid attacks launched in 2015 and 2016.

Since early 2022, the group has actively targeted a range of Ukrainian organizations. The last detection was in November, where ESET research connected the novel .NET-based RansomBoggs ransomware variant to the group, given the use of similar tactics and dissemination.

The November campaign leveraged a PowerShell script to distribute the ransomware in a nearly identical process to the Industroyer2 malware attacks deployed in April 2022. The POWERGAP PowerShell script levied in the attacks enabled the delivery of CaddyWiper malware via the ArguePatch loader.

The Sandworm operation has also been linked to the Russia-backed Iridium, which likely executed a Prestige ransomware attack that targeted transportation and logistics organizations in both Ukraine and Poland. Both groups have remained active throughout the Ukraine war and have been tied to a number of destructive attacks since the start of the conflict.

While Russia notoriously disrupted ViaSat satellites used to support the military’s communications capabilities in February last year, the impact of cyber warfare in Ukraine has been less severe than predicted. Russia has, however, maintained a consistent presence in the form of disruptive attacks against Ukrainian entities and intelligence collection.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.