Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Russian Sandworm APT Adds New Wiper to Its Arsenal

Military Intelligence-Linked Group Attacked Ukrainian Energy Sector Firm, Says Eset
Russian Sandworm APT Adds New Wiper to Its Arsenal
The city of Kupiansk in the Kharkiv province of Ukraine after a Russian artillery attack on Jan. 25 (Image: Ministry of Culture and Information Policy of Ukraine)

Security researchers using telemetry from Ukraine spotted a previously unknown wiper deployed against an energy sector company in an attack they attribute to Russia's Sandworm state-sponsored hacking group.

See Also: XSIAM Infographic: Talking About a Revolution

Analysis from Slovak cybersecurity firm Eset says Sandworm attempted to use the wiper in October 2022. Christened "NikoWiper" by Eset, the wiper is based on SDelete, a command-line utility from Microsoft used for securely deleting files, researchers say.

The October attack occurred around the same time that Russia targeted Ukrainian energy infrastructure with missile strikes. "Even if we were unable to demonstrate any coordination between those events, it suggests that both Sandworm and the Russian armed forces have the same objectives," Eset says.

Data wipers have played a key role in Russia's hacking campaign against Ukraine, especially in the months leading up to and around the time of the Kremlin's February 2022 invasion. They've been a fact of life for Ukrainian defenders for a decade now given Russian state-sponsored campaigns meant to undermine Kyiv. The Russian military intelligence-linked Sandworm group used them successfully during attacks on Ukrainian energy transmission facilities in 2015 and 2016.

Yurii Shchyhol, head of the State Service of Special Communications and Information Protection of Ukraine, recently told reporters that Russian hacking is focused on the destruction of Ukraine's information infrastructure (see: Ukraine: Russians Aim to Destroy Information Infrastructure).

Eset also fingered Sandworm just days ago as being responsible for another new strain of wiper malware researchers dubbed "SwiftSlicer."

Like other Sandworm wipers including NikoWiper, Sandworm exploits Active Directory group policy for deployment.

Eset also detected Sandworm ransomware attacks in Poland and Ukraine as part of a campaign also spotlighted by Microsoft, which tracks Sandworm as "Iridium" (see: Microsoft Warns of Growing Russian Digital Threats to Europe).

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.