Researchers have observed a new form of malware afflicting organisations in Ukraine, as the country struggles toward 12 months since Russian forces invaded.
Experts at security company ESET spotted the malware — which they dubbed SwiftSlicer — in operation on 25 January, and it is believed to have been deployed by the Sandworm hacking group.
As its name suggests, SwiftSlicer does pretty much that to any machine it infects. It is deployed via Group Policy, so researchers believe that for the attack to work, the attackers must already have some control of the affected organisation's Active Directory environment. The malware is written in Google's Go programming language, also known as Golang.
According to ESET, “Once executed, it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots”.
The overwriting is done with a randomly generated 4,096-byte block. While Sandworm has carried out ransomware attacks in the past, in this instance the aim is simply to destroy data.
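The behaviour ESET describes (shadow copies deleted, files under the drivers and NTDS directories recursively overwritten with 4,096-byte blocks, then a reboot) is a chain a defender can hunt for in endpoint telemetry. The script below is an added illustration written for this article, not ESET's or anyone else's published code: it scores constructed, Sysmon-style process and file-write events per host and flags the chain. The CSIDL expansions (`C:\Windows\System32\drivers`, `C:\Windows\NTDS`), the specific shadow-copy deletion command lines, the event field names and the 20-file threshold are all assumptions of the example, not details from the article.

```python
"""Hunt for the wiper chain described in the article (added example, not ESET's code).

Event shape is constructed for the example: each event is a dict with
"host", "type" ("process" or "file_write"), and either "cmdline" or
"path"/"bytes". Real use would map Sysmon event IDs 1 and 11 (or EDR
telemetry) onto this shape.
"""
import re
from collections import defaultdict

# Directories named in ESET's description, with the CSIDL placeholders
# expanded for a default install (assumption: standard C:\Windows layout).
WATCHED_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\ntds\\")

# Common ways shadow copies get deleted. The article does not say which
# method SwiftSlicer uses, so this list is an assumption of the example.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)
REBOOT = re.compile(r"shutdown(\.exe)?\s.*(?:/r|-r)\b", re.IGNORECASE)
WIPE_BLOCK = 4096  # block length reported by ESET


def hunt(events, overwrite_threshold=20):
    """Return {host: {"verdict": ..., "reasons": [...]}} for every host seen."""
    per_host = defaultdict(lambda: {"shadow_delete": False, "reboot": False,
                                    "overwritten": set(), "block_writes": 0})
    for ev in events:
        st = per_host[ev["host"]]
        if ev["type"] == "process":
            if SHADOW_DELETE.search(ev["cmdline"]):
                st["shadow_delete"] = True
            if REBOOT.search(ev["cmdline"]):
                st["reboot"] = True
        elif ev["type"] == "file_write":
            path = ev["path"].lower()
            if path.startswith(WATCHED_DIRS):
                st["overwritten"].add(path)
                if ev.get("bytes") == WIPE_BLOCK:
                    st["block_writes"] += 1

    verdicts = {}
    for host, st in per_host.items():
        n = len(st["overwritten"])
        bulk = n >= overwrite_threshold
        if st["shadow_delete"] and bulk:
            verdict = "wiper-like"
        elif st["shadow_delete"] or bulk:
            verdict = "suspicious"
        else:
            verdict = "benign"  # a lone reboot or a few driver updates is normal
        reasons = []
        if verdict != "benign":
            if st["shadow_delete"]:
                reasons.append("shadow copies deleted")
            if bulk:
                reasons.append(f"{n} files overwritten under watched directories")
            if st["block_writes"]:
                reasons.append(f"{st['block_writes']} writes of exactly {WIPE_BLOCK} bytes")
            if st["reboot"]:
                reasons.append("forced reboot")
        verdicts[host] = {"verdict": verdict, "reasons": reasons}
    return verdicts


def sample_events():
    """Constructed telemetry: ws-01 shows the full chain, ws-02 a routine
    driver update followed by a scheduled reboot."""
    ev = [{"host": "ws-01", "type": "process",
           "cmdline": "vssadmin.exe delete shadows /all /quiet"}]
    for i in range(25):
        ev.append({"host": "ws-01", "type": "file_write",
                   "path": f"C:\\Windows\\System32\\drivers\\drv{i}.sys",
                   "bytes": WIPE_BLOCK})
    ev.append({"host": "ws-01", "type": "file_write",
               "path": "C:\\Windows\\NTDS\\ntds.dit", "bytes": WIPE_BLOCK})
    ev.append({"host": "ws-01", "type": "process", "cmdline": "shutdown.exe /r /t 0"})
    ev.append({"host": "ws-02", "type": "file_write",
               "path": "C:\\Windows\\System32\\drivers\\usbhub.sys", "bytes": 98304})
    ev.append({"host": "ws-02", "type": "process", "cmdline": "shutdown.exe /r /t 30"})
    return ev


if __name__ == "__main__":
    for host, result in hunt(sample_events()).items():
        print(host, result["verdict"], "; ".join(result["reasons"]))
```

The threshold and the two-signal rule keep a single driver update or an administrator's reboot from firing; what makes the chain distinctive is shadow-copy deletion followed by bulk overwrites of system and NTDS paths, which is why only that combination yields the strongest verdict.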
This new wiper joins previously observed malware such as HermeticWiper and CaddyWiper. CaddyWiper was the culprit in a recent attack on Ukraine’s National News Agency.
Sandworm is believed to be a cyber-military unit of Russia’s Main Directorate of the General Staff of the Armed Forces of the Russian Federation, otherwise known as the GRU, after its old title of Main Intelligence Directorate. The group was formed in the 2000s and has been operating in Ukraine since well before the Russian invasion.
In particular, the group targeted Ukraine’s power grid in 2015, which saw experts from the University of California’s Berkeley School of Law call upon the International Criminal Court in The Hague to label the attack — and other Russian cyber aggressions — a war crime.
Six of Sandworm’s operators have been indicted for a range of crimes across the globe. On top of the Ukrainian power grid attack, the indictment lists a 2017 campaign targeting French elections, attacks against the 2018 South Korean Winter Olympics, the NotPetya ransomware campaign, interference against a range of Georgian targets, and even against investigators looking into the 2018 poisoning of former Russian officer Sergei Skripal in the United Kingdom.
The six operators remain at large.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.