1 February 2023

Russian Sandworm APT expands its arsenal with yet another wiper

Sandworm, a state-backed hacker group linked to Russia’s Main Directorate of the General Staff of the Armed Forces (GRU), has used a previously unknown wiper called “NikoWiper” in an attack targeting the energy sector in Ukraine.

According to ESET researchers, the new wiper malware was deployed against an unnamed Ukrainian energy company last October. NikoWiper is based on SDelete, a Microsoft Sysinternals command-line utility for securely deleting files by overwriting their contents before removal.

ESET notes that the October attack took place at the same time as Russian armed forces began launching missile strikes against Ukraine’s energy infrastructure, suggesting that Sandworm and the Russian military have related objectives. In July 2022, Ukrainian energy company DTEK Energy was hit with a cyberattack while the Russian military was shelling the Kryvorizka thermal power plant owned by the company.

In January 2023, Victor Zhora, chief digital transformation officer at the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine, said that Russia has launched cyberattacks in coordination with kinetic military attacks as part of its invasion of the country, which could amount to war crimes because they directly affect civilians.

According to the SSSCIP, Russia has launched more than 1,500 cyberattacks against Ukraine since February 24, 2022. Between September and December 2022, Ukrainian defenders observed multiple malicious operations from numerous Russian and pro-Russian hacker groups, including Gamaredon, Sandworm, APT28, APT29, Ghostwriter, Xaknet, and Killnet.

Last week, ESET detailed yet another Sandworm wiper, called “SwiftSlicer,” designed to overwrite crucial files used by the Windows operating system.
