New Report Reveals NikoWiper Malware That Targeted Ukraine Energy Sector

Jan 31, 2023 | Ravie Lakshmanan | Cyber War / Malware

The Russia-affiliated Sandworm used yet another wiper malware strain dubbed NikoWiper as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine.

“The NikoWiper is based on SDelete, a command line utility from Microsoft that is used for securely deleting files,” cybersecurity company ESET revealed in its latest APT Activity Report shared with The Hacker News.

The Slovak cybersecurity firm said the attacks coincided with missile strikes orchestrated by the Russian armed forces aimed at the Ukrainian energy infrastructure, suggesting overlaps in objectives.

The disclosure comes merely days after ESET attributed a Golang-based data wiper dubbed SwiftSlicer to Sandworm; that wiper was deployed against an unnamed Ukrainian entity on January 25, 2023.

The advanced persistent threat (APT) group linked to Russia’s foreign military intelligence agency GRU has also been implicated in a partially successful attack targeting national news agency Ukrinform, deploying as many as five different wipers on compromised machines.

The Computer Emergency Response Team of Ukraine (CERT-UA) identified the five wiper variants as CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. The first three of these targeted Windows systems, while AwfulShred and BidSwipe took aim at Linux and FreeBSD systems.

The use of SDelete is notable, as it suggests that Sandworm has been experimenting with the utility as a wiper in at least two different instances to cause irrevocable damage to the targeted organizations in Ukraine.

That said, ESET malware researcher Robert Lipovsky told The Hacker News that “NikoWiper is a different malware.”

Besides weaponizing SDelete, Sandworm’s recent campaigns have also leveraged bespoke ransomware families, including Prestige and RansomBoggs, to lock victim data behind encryption barriers without any option to recover it.

The efforts are the latest indication that the use of destructive wiper malware is on the rise and is being increasingly adopted as a cyber weapon of choice among Russian hacking crews.

“Wipers have not been used widely as they’re targeted weapons,” BlackBerry’s Dmitry Bestuzhev told The Hacker News in a statement. “Sandworm has been actively working on developing wipers and ransomware families used explicitly for Ukraine.”

It’s not just Sandworm, as other Russian state-sponsored outfits such as APT29, Callisto, and Gamaredon have engaged in parallel efforts to cripple Ukrainian infrastructure via spear-phishing campaigns designed to facilitate backdoor access and credential theft.

According to Recorded Future, which tracks APT29 (aka Nobelium) under the moniker BlueBravo, the APT has been connected to new compromised infrastructure that’s likely employed as a lure to deliver a malware loader codenamed GraphicalNeutrino.

The loader, whose main function is to deliver follow-on malware, abuses Notion’s API for command-and-control (C2) communications as well as the platform’s database feature to store victim information and stage payloads for download.

“Any country with a nexus to the Ukraine crisis, particularly those with key geopolitical, economic, or military relationships with Russia or Ukraine, are at increased risk of targeting,” the company said in a technical report published last week.

The shift to Notion, a legitimate note-taking application, underscores APT29’s “broadening but continued use” of popular software services like Dropbox, Google Drive, and Trello to blend malware traffic and circumvent detection.

Although no second-stage malware was detected, ESET, which also found a sample of the malware in October 2022, theorized it was “aimed at fetching and executing Cobalt Strike.”

The findings also come close on the heels of Russia stating that it was the target of “coordinated aggression” in 2022 and that it faced “unprecedented external cyber attacks” from “intelligence agencies, transnational IT corporations, and hacktivists.”

As the Russo-Ukrainian war officially enters its twelfth month, it remains to be seen how the conflict evolves in the cyber realm.

“Over the past year we have seen waves of increased activity, such as in the spring after the invasion, in the fall and quieter months over the summer, but overall there’s been a nearly constant stream of attacks,” Lipovsky said. “So one thing that we can be sure about is that we will be seeing more cyber attacks.”
