Ukraine has been targeted by a new Russian cyber attack that used a previously unknown data wiper, SwiftSlicer, written in Go (Golang). The attack is attributed to Sandworm, a state-sponsored group linked to Military Unit 74455 of the GRU (Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation). Details of the campaign and of SwiftSlicer were published by cybersecurity researchers.
The Threatening Capabilities of SwiftSlicer
The intrusion that deployed SwiftSlicer was detected on January 25, 2023. To distribute the wiper, the attackers abused Active Directory Group Policy, a legitimate administrative mechanism that already requires domain-level privileges, so the wiper itself is the final stage rather than the initial foothold. Once executed, SwiftSlicer deletes all Volume Shadow Copies and then recursively overwrites files under %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and on the other, non-system drives of the compromised machine. Files are destroyed by overwriting them with randomly generated data in 4,096-byte blocks. When the overwriting is complete, the wiper reboots the machine. The target paths are chosen for maximum damage: the NTDS directory on a domain controller holds the Active Directory database, and a host whose drivers directory has been overwritten is unlikely to boot cleanly after the forced restart, while the deleted shadow copies remove the obvious local recovery path.
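The behaviour described above (random data written in 4,096-byte blocks) leaves a recognisable signature on disk: every full block of an affected file has near-maximal byte entropy, whereas ordinary documents, binaries and logs do not. The following Python script is an added triage example, not ESET's or any other vendor's tooling, that walks a directory tree and flags files consistent with such an overwrite. The entropy cutoff of 7.8 bits/byte is an assumed heuristic (4,096 truly random bytes score about 7.95), and the sample files it creates are constructed for illustration.

```python
"""Forensic triage heuristic for files overwritten with random data in
4096-byte blocks, the pattern the article attributes to SwiftSlicer.
Added example; thresholds and sample data are assumptions/constructed."""
import hashlib
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

BLOCK_SIZE = 4096          # overwrite block size reported for SwiftSlicer
ENTROPY_THRESHOLD = 7.8    # assumed cutoff in bits/byte; random 4096-byte blocks score ~7.95


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(path, block_size=BLOCK_SIZE):
    """Entropy of each full block of the file. A trailing partial block is
    skipped: a short sample cannot reach 8 bits/byte and would cause a
    false negative on an otherwise fully overwritten file."""
    out = []
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(block_size)
            if len(chunk) < block_size:
                break
            out.append(shannon_entropy(chunk))
    return out


def looks_wiped(path, threshold=ENTROPY_THRESHOLD) -> bool:
    """True when the file has at least one full block and every full block
    is near-maximal entropy, i.e. consistent with a random-data overwrite.
    Files smaller than one block cannot be judged and return False."""
    ents = block_entropies(path)
    return bool(ents) and all(e >= threshold for e in ents)


def scan_tree(root):
    """Return sorted POSIX-style relative paths under root that look wiped."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and looks_wiped(p))


def _pseudo_random(nbytes, seed=b"constructed-sample"):
    """Deterministic high-entropy filler from a SHA-256 chain (constructed
    stand-in for the wiper's random output, so results are reproducible)."""
    out, block = bytearray(), seed
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:nbytes])


def build_sample_tree():
    """Constructed sample tree mimicking the drivers path named in the
    article: one 'wiped' driver file and one intact text file."""
    root = Path(tempfile.mkdtemp(prefix="wiper_triage_"))
    drivers = root / "Windows" / "System32" / "drivers"
    drivers.mkdir(parents=True)
    (drivers / "wiped.sys").write_bytes(_pseudo_random(3 * BLOCK_SIZE))
    (root / "notes.txt").write_bytes(b"quarterly report draft\n" * 600)
    return root


def remove_sample_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    for rel in scan_tree(root):
        print("possible random overwrite:", rel)
    remove_sample_tree(root)
```

Treat hits as leads, not verdicts: encrypted or compressed files (archives, media, TLS keys) also score near 8 bits/byte, so pair the scan with the paths named above and with host evidence such as the shadow copy deletions and the unexpected reboot. Zero-fill wipers leave the opposite signature (entropy near 0) and are not caught by this check.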
The Sandworm Hackers Continue to Target Ukrainian Organizations
Sandworm has repeatedly been linked to wiper malware used in disruptive and destructive attacks on Ukraine. The group, also tracked as BlackEnergy, Electrum, Iridium, Iron Viking, TeleBots and Voodoo Bear, has been active since 2007 and is responsible for a range of sophisticated campaigns against organizations worldwide. Its custom tooling includes BlackEnergy, GreyEnergy, Industroyer, NotPetya, Olympic Destroyer, Exaramel and Cyclops Blink.
In 2022 alone it deployed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige and RansomBoggs against Ukrainian critical infrastructure, in step with Russia's military invasion of the country. The Computer Emergency Response Team of Ukraine (CERT-UA) recently linked Sandworm to an attempted attack on Ukrinform, the national news agency, that took place no later than December 7, 2022. Five different data-wiping tools were used in that attack: CaddyWiper, ZeroWipe, SDelete (a legitimate Sysinternals utility repurposed by the attackers), AwfulShred and BidSwipe, together targeting Windows, Linux and FreeBSD systems.