1 February 2023

Russian Sandworm APT expands its arsenal with yet another wiper

Sandworm, a state-backed hacker group linked with Russia’s Main Directorate of the General Staff of the Armed Forces (GRU), has used a previously unknown wiper called “NikoWiper” in an attack targeting the energy sector in Ukraine.

According to ESET researchers, the new wiper malware was deployed against an unnamed Ukrainian energy company last October. NikoWiper is based on SDelete, a command-line utility from Microsoft that is used for securely deleting files.

ESET notes that the October attack took place at the same time as Russian armed forces began launching missile strikes targeting Ukraine’s energy infrastructure, suggesting that Sandworm and the Russian military have related objectives. In July 2022, Ukrainian energy company DTEK Energy was hit with a cyberattack while the Russian military was shelling the Kryvorizka thermal power plant owned by the company.

In January 2023, Victor Zhora, chief digital transformation officer at the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine, said that Russia has launched cyberattacks in coordination with kinetic military attacks as part of its invasion of the country, which could equate to war crimes because they directly affect civilians.

According to the SSSCIP, since February 24, 2022, Russia has launched more than 1,500 cyberattacks against Ukraine. Between September and December 2022, Ukrainian defenders observed multiple malicious operations coming from numerous Russian and pro-Russian hacker groups such as Gamaredon, Sandworm, APT28, APT29, Ghostwriter, Xaknet, Killnet, and others.

Last week, ESET detailed yet another Sandworm wiper called “SwiftSlicer,” designed to overwrite crucial files used by the Windows operating system.
