Russian Sandworm APT expands its arsenal with yet another wiper

Sandworm, a state-backed hacker group linked with Russia’s Main Directorate of the General Staff of the Armed Forces (GRU), has used a previously unknown wiper called “NikoWiper” in an attack targeting the energy sector in Ukraine.

According to ESET researchers, the new wiper malware was deployed against an unnamed Ukrainian energy company last October. NikoWiper is based on SDelete, a command-line utility from Microsoft that is used for securely deleting files.

ESET notes that the October attack took place at the same time as Russian armed forces began launching missile strikes targeting Ukraine’s energy infrastructure, suggesting that Sandworm and the Russian military have related objectives. In July 2022, Ukrainian energy company DTEK Energy was hit with a cyberattack while the Russian military was shelling the Kryvorizka thermal power plant owned by the company.

In January 2023, Victor Zhora, chief digital transformation officer at the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine, said that Russia has launched cyberattacks in coordination with kinetic military attacks as part of its invasion of the country, which could equate to war crimes because they directly affect civilians.

According to the SSSCIP, since February 24, 2022, Russia has launched more than 1,500 cyberattacks against Ukraine. Between September and December 2022, Ukrainian defenders observed multiple malicious operations coming from numerous Russian and pro-Russian hacker groups such as Gamaredon, Sandworm, APT28, APT29, Ghostwriter, Xaknet, Killnet, and others.

Last week, ESET detailed yet another Sandworm wiper called “SwiftSlicer,” designed to overwrite crucial files used by the Windows operating system.

