Ukraine has come below a contemporary cyber onslaught from Russia that concerned the deployment of a beforehand undocumented Golang-based knowledge wiper dubbed SwiftSlicer.
ESET attributed the assault to Sandworm, a nation-state group linked to Navy Unit 74455 of the Foremost Intelligence Directorate of the Common Workers of the Armed Forces of the Russian Federation (GRU).
“As soon as executed it deletes shadow copies, recursively overwrites recordsdata positioned in %CSIDL_SYSTEMpercentdrivers, %CSIDL_SYSTEM_DRIVEpercentWindowsNTDS and different non-system drives after which reboots pc,” ESET disclosed in a collection of tweets.
The overwrites are achieved by utilizing randomly generated byte sequences to fill 4,096 byte-length blocks. The intrusion was found on January 25, 2023, the Slovak cybersecurity firm added.
Sandworm, additionally tracked below the monikers BlackEnergy, Electrum, Iridium, Iron Viking, TeleBots, and Voodoo Bear, has a historical past of staging disruptive and harmful cyber campaigns concentrating on organizations worldwide since no less than 2007.
The sophistication of the risk actor is evidenced by its a number of distinct kill chains, which comprise all kinds of customized instruments akin to BlackEnergy, GreyEnergy, Industroyer, NotPetya, Olympic Destroyer, Exaramel, and Cyclops Blink
In 2022 alone, coinciding with Russia’s navy invasion of Ukraine, Sandworm has unleashed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Status, and RansomBoggs towards essential infrastructure in Ukraine.
“When you concentrate on it, the expansion in wiper malware throughout a battle is hardly a shock,” Fortinet FortiGuard Labs researcher Geri Revay stated in a report printed this week. “It may well scarcely be monetized. The one viable use case is destruction, sabotage, and cyberwar.”
The invention of SwiftSlicer factors to the constant use of wiper malware variants by the Russian adversarial collective in assaults designed to wreak havoc in Ukraine.
The event additionally comes because the Pc Emergency Response Workforce of Ukraine (CERT-UA) linked Sandworm to a latest largely unsuccessful cyber assault on the nationwide information company Ukrinform.
The intrusion, which is suspected of getting been carried out no later than December 7, 2022, entailed the usage of 5 completely different items of knowledge wiping applications, particularly CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe concentrating on Home windows, Linux, and FreeBSD methods.
“It was established that the ultimate stage of the cyber assault was initiated on January 17, 2023,” CERT-UA stated in an advisory. “Nonetheless, it had solely partial success, particularly, in relation to a number of knowledge storage methods.”
Sandworm isn’t the one group that has its eyes on Ukraine. Different Russian state-sponsored actors akin to APT29, COLDRIVER, and Gamaredon have actively focused a spread of Ukrainian organizations for the reason that onset of the struggle.