The initial hits targeted Ukrainian targets, and additional attacks cannot be ruled out
A new cyberattack that appears to be targeted at Ukraine and is designed to overwrite crucial Windows files has been spotted by security firm ESET.
“On January 25th #ESETResearch discovered a new cyberattack in Ukraine. Attackers deployed a new wiper we named #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer wiper is written in Go programing language. We attribute this attack to #Sandworm,” a Tweet by the firm read.
Also known as Unit 74455, Sandworm is allegedly a group of Russian cybermilitary hackers working for the General Staff Main Intelligence Directorate (GRU). The group is also credited with a number of other attacks in Ukraine, including a 2015 attack on the power grid, though these claims are currently unsubstantiated.
Sandworm SwiftSlicer cyberattack
“Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer,” ESET added in a further tweet.
Go, the programming language that underpins the attack, is said to be valued by threat actors for its versatility (via Bleeping Compute), and is used by a number of genuine companies for legitimate reasons, including Google, Twitter, and PayPal.
According to Ukraine’s Computer Emergency Response Team, Sandworm has been busy launching a number of other attacks in the country, including five data-wiping attacks on the National News Agency of Ukraine – Ukrinform.
One strain found in the new agency attack, CaddyWiper, has been observed in a number of attacks on Ukraine, indicating a link back to Sandstorm.
If Sandstorm is indeed an arm of the Russian military, then it’s clear that the multifaceted war is continuing to wreak havoc on the lives of so many Ukrainian companies and citizens.