Ukraine has come under a fresh cyber onslaught from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed SwiftSlicer.
ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
"Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer," ESET disclosed in a series of tweets.
The overwrites are achieved by using randomly generated byte sequences to fill 4,096 byte-length blocks. The intrusion was discovered on January 25, 2023, the Slovak cybersecurity company added.
"Attackers deployed the SwiftSlicer wiper using Group Policy of Active Directory," Robert Lipovsky, senior malware researcher for ESET, told The Hacker News. "Once SwiftSlicer malware is executed, it corrupts users files and makes the computer unbootable."
Sandworm, also tracked under the monikers BlackEnergy, Electrum, Iridium, Iron Viking, TeleBots, and Voodoo Bear, has a history of staging disruptive and destructive cyber campaigns targeting organizations worldwide since at least 2007.
The sophistication of the threat actor is evidenced by its multiple distinct kill chains, which comprise a wide variety of custom tools such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Olympic Destroyer, Exaramel, and Cyclops Blink
In 2022 alone, coinciding with Russia's military invasion of Ukraine, Sandworm has unleashed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs against critical infrastructure in Ukraine.
"When you think about it, the growth in wiper malware during a conflict is hardly a surprise," Fortinet FortiGuard Labs researcher Geri Revay said in a report published this week, describing 2022 as the year of the wiper. "It can scarcely be monetized. The only viable use case is destruction, sabotage, and cyberwar."
The discovery of SwiftSlicer points to the consistent use of wiper malware variants by the Russian adversarial collective in attacks designed to wreak havoc in Ukraine. It's further illustrative of the growing adoption of Golang by threat actors, given its native multi-platform support and relative ease of development.
The development also comes as the Computer Emergency Response Team of Ukraine (CERT-UA) linked Sandworm to a recent largely unsuccessful cyber attack on the national news agency Ukrinform.
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!Don't Miss Out – Save Your Seat!
The intrusion, which is suspected of having been carried out no later than December 7, 2022, entailed the use of five different pieces of data wiping programs, namely CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe targeting Windows, Linux, and FreeBSD systems.
"It was established that the final stage of the cyber attack was initiated on January 17, 2023," CERT-UA said in an advisory. "However, it had only partial success, in particular, in relation to several data storage systems."
Sandworm is not the only group that has its eyes on Ukraine. Other Russian state-sponsored actors such as APT29, COLDRIVER, and Gamaredon have actively targeted a range of Ukrainian organizations since the onset of the war.