Ukraine has come under a new cyber attack from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed SwiftSlicer.
ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
“Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer,” ESET disclosed in a series of tweets.
The overwrites are achieved by using randomly generated byte sequences to fill 4,096-byte blocks. The intrusion was discovered on January 25, 2023, the Slovak cybersecurity firm added.
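The random-fill, 4,096-byte-block overwrite described above leaves a measurable trace: every full block of an affected file has near-maximal Shannon entropy, whereas intact drivers, databases and text files do not. The following forensic triage script is an added example for defenders, not ESET's code or anything taken from the malware. It reads files from an acquired directory (for instance an image of the `drivers` or `NTDS` folders named in the tweet), computes per-block entropy and flags files consistent with the overwrite pattern. The 4,096-byte block size comes from the report; the 7.8 bits/byte threshold, the function names and the sample contents are assumptions constructed for this example.

```python
"""Entropy triage for files suspected of random-block overwriting.

Added example, not ESET's or the wiper's code. Flags files whose every
full 4,096-byte block has near-maximal Shannon entropy, the signature
expected after a random-byte overwrite of the kind described in the report.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

BLOCK_SIZE = 4096          # block length reported for the overwrite
ENTROPY_THRESHOLD = 7.8    # assumed cut-off; 4 KiB of random bytes measures ~7.95 (8.0 is the maximum)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each complete block; a trailing partial block is ignored,
    because a short slice cannot reach 8 bits/byte even when it is random."""
    full = len(data) // block_size
    return [shannon_entropy(data[i * block_size:(i + 1) * block_size]) for i in range(full)]


def looks_wiped(data: bytes, block_size: int = BLOCK_SIZE,
                threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when there is at least one full block and every full block is near-random."""
    ents = block_entropies(data, block_size)
    return bool(ents) and min(ents) >= threshold


def triage_file(path: str) -> dict:
    """Read one file and return a triage record for it."""
    with open(path, "rb") as fh:
        data = fh.read()
    ents = block_entropies(data)
    return {
        "path": path,
        "size": len(data),
        "full_blocks": len(ents),
        "min_block_entropy": min(ents) if ents else 0.0,
        "wiped": looks_wiped(data),
    }


def triage_tree(root: str) -> list:
    """Walk a directory tree (e.g. an acquired copy of the drivers folder)
    and return the records of files flagged as overwritten."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rec = triage_file(os.path.join(dirpath, name))
            if rec["wiped"]:
                flagged.append(rec)
    return flagged


def constructed_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for random file content (constructed test data)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample content: an intact text-like file and an overwritten one.
INTACT_SAMPLE = b"[driver] name=example.sys version=1.0.0 vendor=constructed\r\n" * 200
WIPED_SAMPLE = constructed_random_bytes(3 * BLOCK_SIZE + 100)   # 3 full blocks plus a partial tail


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in (("intact.sys", INTACT_SAMPLE), ("overwritten.sys", WIPED_SAMPLE)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        for rec in triage_tree(tmp):
            print(f"{rec['path']}: {rec['full_blocks']} blocks, "
                  f"min entropy {rec['min_block_entropy']:.3f} -> flagged")
```

High entropy alone is not proof: compressed archives, encrypted containers and some signed binaries also score close to 8 bits/byte, so a flagged file should be corroborated with file-system timestamps, the absence of shadow copies and the reboot noted in the report before it is counted as wiped.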
Sandworm, also tracked under the monikers BlackEnergy, Electrum, Iridium, Iron Viking, TeleBots, and Voodoo Bear, has a history of staging disruptive and destructive cyber campaigns targeting organizations worldwide since at least 2007.
The sophistication of the threat actor is evidenced by its multiple distinct kill chains, which comprise a wide variety of custom tools such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Olympic Destroyer, Exaramel, and Cyclops Blink.
In 2022 alone, coinciding with Russia’s military invasion of Ukraine, Sandworm has unleashed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs against critical infrastructure in Ukraine.
“When you think about it, the growth in wiper malware during a conflict is hardly a surprise,” Fortinet FortiGuard Labs researcher Geri Revay said in a report published this week. “It can scarcely be monetized. The only viable use case is destruction, sabotage, and cyberwar.”
The discovery of SwiftSlicer points to the consistent use of wiper malware variants by the Russian adversarial collective in attacks designed to wreak havoc in Ukraine.
The development also comes as the Computer Emergency Response Team of Ukraine (CERT-UA) linked Sandworm to a recent, largely unsuccessful cyber attack on the national news agency Ukrinform.
The intrusion, which is suspected of having been carried out no later than December 7, 2022, entailed the use of five different pieces of data-wiping malware, namely CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe, targeting Windows, Linux, and FreeBSD systems.
“It was established that the final stage of the cyber attack was initiated on January 17, 2023,” CERT-UA said in an advisory. “However, it had only partial success, specifically, in relation to several data storage systems.”
Sandworm is not the only group that has its eyes on Ukraine. Other Russian state-sponsored actors such as APT29, COLDRIVER, and Gamaredon have actively targeted a range of Ukrainian organizations since the onset of the war.