>
A new cyber-attack that appears to target Ukraine and is designed to overwrite crucial Windows files has been spotted by security company ESET.
“On January 25, #ESETResearch discovered a new cyber-attack in Ukraine. Attackers deployed a new wiper called #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer eraser is written in Go programming language. We attribute this attack to #Sandworm,”a Tweet (opens in new tab) read by the company.
Sandworm, also known as Unit 74455, is reportedly a group of Russian cyber-military hackers who work for the General Staff Main Intelligence Directorate (GRU). The group is also credited with a number of other attacks in Ukraine, including an attack on the power grid in 2015, although these claims are currently unsubstantiated.
Sandworm SwiftSlicer cyber attack
“Once executed, it removes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%drivers, %CSIDL_SYSTEM_DRIVE%WindowsNTDS and other non-system drives and then reboots the computer,” ESET added in a subsequent tweet.
Go, the programming language underlying the attack, would be appreciated by threat actors for its versatility (via Beeping computer (opens in new tab)), and is used for legitimate reasons by a number of real companies, including Google, Twitter, and PayPal.
According to Ukraine’s Computer Emergency Response Team, Sandworm has been busy launching a number of other attacks in the country, including five data-wiping attacks on Ukraine’s national news agency – Ukrinform.
A strain found in the agency’s new attack, CaddyWiper, has been observed in a number of attacks on Ukraine, indicating a link back to Sandstorm.
If Sandstorm is indeed a branch of the Russian military, then it is clear that the multifaceted war continues to wreak havoc on the lives of so many Ukrainian businesses and civilians.