Sandworm APT Group Adds New Wiper to Its Hacking Toolkit

During the monitored timespan, APT groups aligned with Russia have been observed to be heavily involved in cyber operations aimed at Ukraine. 

These operations have included deploying malicious software, such as wipers (which can erase data on a targeted system) and ransomware (which can encrypt a system’s data and demand payment for the decryption key). 

The Sandworm group is a well-known APT (Advanced Persistent Threat) group that is believed to be operating out of Russia. The group is notorious for its involvement in several high-profile cyber attacks.

Recently, ESET discovered that the notorious Sandworm group was utilizing a previously unseen wiper in an attack on a Ukrainian energy sector company.

Addition of a new wiper

In October, Sandworm used a new wiper in an attack on a Ukrainian energy company, coinciding with Russian missile strikes on energy infrastructure. Analysts can’t prove coordination but suggest common goals.

ESET researchers uncovered a MirrorFace spearphishing attack aimed at political entities in Japan. They also observed a shift in targeting for some China-aligned groups, with Goblin Panda copying Mustang Panda’s focus on Europe.

ESET researchers have discovered a new wiper malware named “NikoWiper” that has been added to the group’s arsenal. The wiper is based on a command-line utility from Microsoft called SDelete, which is used for securely deleting files.

Apart from that ESET also discovered that Sandworm was behind another strain of wiper malware referred to as SwiftSlicer. In October 2022, against a Ukrainian company in the energy sector, this notorious wiper has been used by the threat actors.

Cybersecurity experts discovered that in addition to traditional data-wiping malware, the Sandworm group was utilizing ransomware to carry out devastating wiper attacks.

Unlike typical ransomware attacks where the attackers demand a ransom in exchange for the decryption key, these attacks aim to completely destroy the data without any possibility of recovery.

In November of 2022, a new type of ransomware was detected in Ukraine by experts in the field. The ransomware was written in .NET programming language, and it was given the name “RansomBoggs.”

Security experts noticed that the deployment of this file coder was carried out by the malware operators using POWERGAP scripts. Almost always, Sandworm employed Active Directory Group Policy to distribute its wiper and ransomware payloads.

While with the goal of acquiring webmail credentials, Callisto (aka COLDRIVER or SEABORGIUM) has been actively acquiring a substantial amount of domains for spearphishing purposes.

Apart from this for Ukrainian institutions Gamaredon still remains a significant risk. ESET brought to light the presence of Sandworm ransomware attacks in Poland and Ukraine, which were also highlighted by Microsoft as part of a targeted campaign.

Network Security Checklist – Download Free E-Book