Ukraine has come under a fresh cyber onslaught from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed SwiftSlicer.
ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
"When executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer," ESET disclosed in a series of tweets.
The overwrites are accomplished by using randomly generated byte sequences to fill 4,096-byte blocks, so the original content is not recoverable from disk. The intrusion was discovered on January 25, 2023, the Slovak cybersecurity company added.
"Attackers deployed the SwiftSlicer wiper using Group Policy of Active Directory," Robert Lipovsky, senior malware researcher for ESET, told The Hacker News. "Once SwiftSlicer malware is executed, it corrupts user files and makes the computer unbootable."
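The overwrite pattern ESET describes (every file filled, block by block, with random bytes in 4,096-byte blocks) leaves a measurable fingerprint: each block has near-maximal Shannon entropy, and any header the file used to carry is gone. The following triage heuristic is an added example written for this article, not ESET's or the wiper's code; it assumes only the block size stated above, and the 7.8-bit threshold, the 90% block fraction, and the small magic-byte table are the author's choices. It classifies a file as a wipe candidate when nearly all of its 4 KiB blocks look random and it does not start with the signature of a format that is legitimately high-entropy (archives, images), which is what separates an overwritten document from a merely compressed one.

```python
"""Forensic triage heuristic for files overwritten with random 4,096-byte blocks.

Added example, not ESET's or SwiftSlicer's code. Assumes only what the article
states: overwritten files are filled with random bytes in 4,096-byte blocks.
Thresholds and the magic-byte table below are the author's assumptions.
"""
import math
import os
import random
import tempfile
from collections import Counter

BLOCK_SIZE = 4096          # block size reported for SwiftSlicer
ENTROPY_THRESHOLD = 7.8    # bits/byte; uniform random 4 KiB blocks score ~7.95
WIPED_FRACTION = 0.9       # share of blocks that must look random (assumption)

# Formats that are legitimately near-random. A wiper overwriting from offset 0
# destroys these headers, so their presence argues against a wipe.
HIGH_ENTROPY_MAGICS = {
    b"PK\x03\x04": "zip/docx/jar",
    b"\x1f\x8b": "gzip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def random_block_fraction(data: bytes, block_size: int = BLOCK_SIZE) -> float:
    """Fraction of block_size-aligned blocks whose entropy exceeds the threshold."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    if not blocks:
        return 0.0
    hot = sum(1 for b in blocks if shannon_entropy(b) > ENTROPY_THRESHOLD)
    return hot / len(blocks)


def known_high_entropy_format(data: bytes):
    """Return the format name if data starts with a known high-entropy magic."""
    for magic, name in HIGH_ENTROPY_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes) -> str:
    """'wiped-candidate', 'known-format:<name>', or 'plain'."""
    if random_block_fraction(data) < WIPED_FRACTION:
        return "plain"
    fmt = known_high_entropy_format(data)
    return f"known-format:{fmt}" if fmt else "wiped-candidate"


def triage_tree(root: str) -> dict:
    """Walk root and map each file path to its classification."""
    verdicts = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                verdicts[path] = classify(fh.read())
    return verdicts


# Constructed sample data for the demo (not real victim files).
_rng = random.Random(2023)
SAMPLE_TEXT = (b"Quarterly report: revenue up 4% year on year.\n" * 400)[:3 * BLOCK_SIZE]
SAMPLE_WIPED = _rng.randbytes(3 * BLOCK_SIZE)               # random 4 KiB blocks
SAMPLE_ZIP = b"PK\x03\x04" + _rng.randbytes(3 * BLOCK_SIZE - 4)  # intact archive header

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("report.txt", SAMPLE_TEXT),
                           ("report.txt.old", SAMPLE_WIPED),
                           ("archive.zip", SAMPLE_ZIP)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        for path, verdict in sorted(triage_tree(root).items()):
            print(f"{verdict:28} {os.path.basename(path)}")
```

Run it on a mounted image of an affected volume by pointing `triage_tree` at the mount root. The heuristic is for prioritising what to image and what to hand to recovery; encrypted containers and unknown compressed formats will also land in the candidate bucket, so confirm with file system timestamps and shadow-copy state before concluding a file was wiped.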
Sandworm, also tracked under the monikers BlackEnergy, Electrum, Iridium, Iron Viking, TeleBots, and Voodoo Bear, has a history of staging disruptive and destructive cyber campaigns targeting organizations worldwide since at least 2007.
The sophistication of the threat actor is evidenced by its multiple distinct kill chains, which comprise a wide range of custom tools such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Olympic Destroyer, Exaramel, and Cyclops Blink.
In 2022 alone, coinciding with Russia's military invasion of Ukraine, Sandworm has unleashed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs against critical infrastructure in Ukraine.
"When you think about it, the growth in wiper malware during a conflict is hardly a surprise," Fortinet FortiGuard Labs researcher Geri Revay said in a report published this week, describing 2022 as the year of the wiper. "It can barely be monetized. The only viable use case is destruction, sabotage, and cyberwar."
The discovery of SwiftSlicer points to the consistent use of wiper malware variants by the Russian adversarial collective in attacks designed to wreak havoc in Ukraine. It is further illustrative of the growing adoption of Golang by threat actors, given its native multi-platform support and relative ease of development.
The development also comes as the Computer Emergency Response Team of Ukraine (CERT-UA) linked Sandworm to a recent, largely unsuccessful cyber attack on the national news agency Ukrinform.
The intrusion, which is suspected of having been carried out no later than December 7, 2022, entailed the use of five different data wiping programs, namely CaddyWiper, ZeroWipe, and SDelete targeting Windows, AwfulShred targeting Linux, and BidSwipe targeting FreeBSD systems.
"It was established that the final stage of the cyber attack was initiated on January 17, 2023," CERT-UA said in an advisory. "However, it had only partial success, in particular, in relation to several data storage systems."
Sandworm is not the only group that has its eyes on Ukraine. Other Russian state-sponsored actors such as APT29, COLDRIVER, and Gamaredon have actively targeted a number of Ukrainian organizations since the onset of the war.