
Ukrainian organisations getting hit by destructive new SwiftSlicer malware

Researchers have observed a new form of malware afflicting organisations in Ukraine, as the country struggles toward 12 months since Russian forces invaded.

David Hollingworth
Tue, 31 Jan 2023

Experts at security company ESET spotted the malware — which they dubbed SwiftSlicer — in operation on 25 January, and it is believed to have been deployed by the Sandworm hacking group.

As its name suggests, SwiftSlicer carves up the data on any machine it infects. It is deployed via Group Policy, so researchers believe that for the attack to work, the attackers must already hold some control over the Active Directory environment of the affected machines. It is written in Google’s Go programming language, also known as Golang.

According to ESET, “Once executed, it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots”.

The overwriting is done with a randomly generated 4,096-byte block. While Sandworm has executed ransomware attacks in the past, in this instance the aim of the attack is simply to destroy data.
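The overwrite behaviour ESET describes leaves two forensic signals a responder can look for when triaging a suspected host: a file whose first 4,096 bytes were replaced by random data has near-maximal byte entropy, and a driver that should be a PE image no longer starts with the "MZ" header. The script below is an added illustration of that triage, not code from the article or from ESET; it builds a small constructed directory tree (an intact driver, a text file and one driver whose head was replaced by random bytes) and flags only the file that looks wiped. The 7.5 bits-per-byte threshold, the file names and the list of PE extensions are assumptions chosen for the example.

```python
from __future__ import annotations

import math
import os
import random
import shutil
import tempfile
from collections import Counter

# Size of the random overwrite block ESET attributes to SwiftSlicer (from the article).
BLOCK = 4096
# File types expected to begin with an "MZ" PE header; an assumption for this triage.
PE_EXTENSIONS = {".sys", ".dll", ".exe"}
# Bits of entropy per byte above which a block is treated as random (8.0 is the maximum).
DEFAULT_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_wiped(name: str, head: bytes, threshold: float = DEFAULT_THRESHOLD) -> bool:
    """Two signals of a random-block overwrite:
    1. a file that should be a PE image no longer starts with "MZ";
    2. the first BLOCK bytes are near-uniform random.
    Caveat: legitimately encrypted or compressed files also trip signal 2, so
    treat a hit as a lead for the responder, not as proof of wiping."""
    ext = os.path.splitext(name)[1].lower()
    if ext in PE_EXTENSIONS and not head.startswith(b"MZ"):
        return True
    return len(head) >= BLOCK and shannon_entropy(head[:BLOCK]) >= threshold


def triage_directory(root: str, threshold: float = DEFAULT_THRESHOLD) -> list[str]:
    """Walk a tree and return the sorted relative paths of files that look wiped."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(BLOCK)  # only the head is needed for both signals
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if looks_wiped(name, head, threshold):
                flagged.append(os.path.relpath(path, root))
    return sorted(flagged)


def build_sample_tree() -> str:
    """Constructed sample data, not real artefacts: an intact driver, a text file,
    and a driver whose first 4,096 bytes were replaced by random data."""
    root = tempfile.mkdtemp(prefix="wiper_triage_")
    drivers = os.path.join(root, "drivers")
    os.makedirs(drivers)
    rng = random.Random(2023)  # seeded so the run is reproducible
    with open(os.path.join(drivers, "intact.sys"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * (BLOCK - 2) + b"PE\x00\x00")
    with open(os.path.join(drivers, "wiped.sys"), "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(BLOCK)))
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"hello world\n" * 400)  # 4,800 bytes of low-entropy text
    return root


def demo() -> list[str]:
    """Build the constructed tree, triage it, and clean up."""
    root = build_sample_tree()
    try:
        return triage_directory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path in demo():
        print("possible wiper overwrite:", path)
```

On a real host a responder would point `triage_directory` at the paths ESET names (the drivers and NTDS directories) and compare the flagged list against files that are legitimately compressed or encrypted; the shadow-copy deletion ESET also reports is a separate signal that this script does not cover.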

This new wiper joins previously observed malware such as HermeticWiper and CaddyWiper. CaddyWiper was the culprit in a recent attack on Ukraine’s National News Agency.

Sandworm is believed to be a cyber-military unit of Russia’s Main Directorate of the General Staff of the Armed Forces of the Russian Federation, otherwise known as the GRU, after its old title of Main Intelligence Directorate. The group was formed in the 2000s and has been operating in Ukraine since well before the Russian invasion.

In particular, the group targeted Ukraine’s power grid in 2015, which saw experts from the University of California’s Berkeley School of Law call upon the International Criminal Court in The Hague to label the attack — and other Russian cyber aggressions — a war crime.

Six of Sandworm’s operators have been indicted for a range of crimes across the globe. On top of the Ukrainian power grid attack, the indictment lists a 2017 campaign targeting French elections, attacks against the 2018 South Korean Winter Olympics, the NotPetya ransomware campaign, interference against a range of Georgian targets, and even against investigators looking into the 2018 poisoning of former Russian officer Sergei Skripal in the United Kingdom.

The six operators remain at large.
