Russian Sandworm APT Adds New Wiper to Its ArsenalMilitary Intelligence-Linked Group Attacked Ukrainian Energy Sector Firm, Says Eset
Security researchers using telemetry from Ukraine spotted a previously unknown wiper deployed against an energy sector company in an attack they attribute to Russia's Sandworm state-sponsored hacking group.
Analysis from Slovak cybersecurity firm Eset says Sandworm attempted to use the wiper in October 2022. Christened "NikoWiper" by Eset, the wiper is based on SDelete, a command-line utility from Microsoft used for securely deleting files, researchers say.
The October attack occurred around the same time that Russia targeted Ukrainian energy infrastructure with missile strikes. "Even if we were unable to demonstrate any coordination between those events, it suggests that both Sandworm and the Russian armed forces have the same objectives," Eset says.
Data wipers have played a key role in Russia's hacking campaign against Ukraine, especially in the months leading up to and around the time of the Kremlin's February 2022 invasion. They've been a fact of life for Ukrainian defenders for a decade now given Russian state-sponsored campaigns meant to undermine Kyiv. The Russian military intelligence-linked Sandworm group used them successfully during attacks on Ukrainian energy transmission facilities in 2015 and 2016.
Yurii Shchyhol, head of the State Service of Special Communications and Information Protection of Ukraine, recently told reporters that Russian hacking is focused on the destruction of Ukraine's information infrastructure (see: Ukraine: Russians Aim to Destroy Information Infrastructure).
Eset also fingered Sandworm just days ago as being responsible for another new strain of wiper malware researchers dubbed "SwiftSlicer."
Like other Sandworm wipers including NikoWiper, Sandworm exploits Active Directory group policy for deployment.
Eset also detected Sandworm ransomware attacks in Poland and Ukraine as part of a campaign also spotlighted by Microsoft, which tracks Sandworm as "Iridium" (see: Microsoft Warns of Growing Russian Digital Threats to Europe).