ESET: Sandworm could be behind new file-deleting malware targeting Ukraine

The notorious state-backed Russian hacking group known as Sandworm may be behind new malware targeting Ukraine, according to research published Friday by cybersecurity company ESET.

Malware called SwiftSlicer hit one organization in Ukraine before it was discovered by the Slovakia-based firm this week.

The researchers cannot disclose the name of the affected organization and don't have data on the impact of the cyberattack, Jean-Ian Boutin, ESET's director of threat research, told The Record in an email on Friday.

SwiftSlicer malware “is relatively simple but effective,” according to Boutin. Once executed, it deletes backup copies of computer files, overwrites files located on specific drives and then reboots the computer. 

“Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer. For overwriting it uses 4096 bytes length block filled with randomly generated byte 2/3”

— ESET Research (@ESETresearch) January 27, 2023

The new malware is written in the Go programming language. Hackers have previously used Go for malware such as DesertBlade and HermeticRansom, both of which targeted Ukrainian organizations last year, Boutin said.

The deployment of SwiftSlicer is similar to previous attacks attributed to Sandworm, according to Boutin. Sandworm is best known for the NotPetya cyberattack in 2017, which disrupted Ukrainian government organizations, banks, media and electricity suppliers.

Earlier in November, ESET discovered another strain of malware allegedly deployed by Sandworm — RansomBoggs, which was used primarily to disrupt systems by locking up their data. At the time, ESET said the malware affected at least five organizations in Ukraine.

Sandworm has also been linked to a cyberattack on a Ukrainian energy provider in April using a new variant of the Industroyer malware.

Ukraine’s Computer Emergency Response Team, CERT-UA, has linked Sandworm to a recent cyberattack on Ukraine’s national news agency Ukrinform.

Ukrinform attack

In a statement on Friday, CERT-UA said it had identified five samples of malware that Sandworm tried to use during the attack: CaddyWiper, ZeroWipe, SDelete, AwfulShred and BidSwipe.

Russian hackers boasted on Telegram that they destroyed the website's infrastructure, disabled two domains and shut down the system that allowed Ukrainian journalists to receive information from the news agency. 

CERT-UA said this cyberattack was only “partially” successful and that the Ukrinform website quickly resumed work. Hackers managed to gain access to only a few data storage systems, according to CERT-UA.

The CERT-UA researchers didn't provide more details about which systems were involved and which data was compromised. On Telegram, pro-Russian hackers published a screenshot from an allegedly leaked database with emails and usernames of Ukrinform employees.

Among the malware strains believed to have targeted the news agency, CaddyWiper and AwfulShred have been used in previous attacks against Ukraine.

In March, CaddyWiper affected “a few dozen systems in a limited number of organizations,” according to ESET. CaddyWiper erases user data and overwrites files on the computer, making them unrecoverable.

CaddyWiper is not officially attributed to Sandworm, but Ukraine has linked the malware to the group in its public statements.

Correction: A previous version of this article misstated how many of the five malware strains believed to have been used to target Ukrinform had been used previously against Ukraine. The strain AwfulShred is believed to have also been used in the Industroyer 2 attack in April 2022.

Daryna Antoniuk

Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.