Ukraine has been the target of a recent cyber attack from Russia, utilizing a previously unseen data wiper called SwiftSlicer. The attack was attributed to Sandworm, a state-sponsored group linked to Military Unit 74455 of the GRU, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation. ESET disclosed that the wiper, once executed, deletes shadow copies, recursively overwrites files, and reboots the computer using randomly generated byte sequences. The intrusion was discovered on January 25, 2023.
Sandworm, also known as BlackEnergy, Electrum, Iridium, Iron Viking, TeleBots, and Voodoo Bear, has a history of launching disruptive and destructive cyber campaigns globally since 2007. The group’s sophistication is demonstrated by its multiple kill chains and a range of custom tools such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Olympic Destroyer, Exaramel, and Cyclops Blink.
In 2022, during Russia’s military invasion of Ukraine, Sandworm deployed several wiper malware variants, including WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs, against critical infrastructure in Ukraine.
The discovery of SwiftSlicer highlights the consistent use of wiper malware variants by the Russian adversary in attacks aimed at causing chaos in Ukraine. This follows a recent cyber attack on the national news agency Ukrinform, which was linked to Sandworm by the Computer Emergency Response Team of Ukraine (CERT-UA). The attack, suspected to have taken place no later than December 7, 2022, used five data-wiping programs, including CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe, targeting Windows, Linux, and FreeBSD systems. The final stage of the attack was initiated on January 17, 2023, but it was only partially successful, particularly in relation to several data storage systems.
Sandworm is not the only group targeting Ukraine, as other Russian state-sponsored actors such as APT29, COLD RIVER, and Gamaredon have also actively targeted a range of Ukrainian organizations since the start of the conflict.