Russia’s Sandworm hackers blamed in fresh Ukraine malware attack
One of the Russian military’s most prolific hacking units deployed yet another destructive malware attack against Ukrainian targets this week, researchers with cybersecurity firm ESET said Friday. The researchers attributed the attack to the hacking unit known widely as “Sandworm,” a group in the Russian Main Intelligence Directorate, or GRU, behind a series of destructive malware attacks and hack-and-leak campaigns over the years, according to the U.S. government and private researchers.
Though ESET did not identify the victim of this week’s attack, it “focused on a specific target” in the public sector, Jean-Ian Boutin, the company’s director of threat research, told CyberScoop in an email Friday. Boutin added that his team doesn’t yet have visibility on impact, and that this is “a new data wiping malware deployed by Sandworm. We didn’t see code re-usage.” The researchers dubbed the malware “SwiftSlicer,” and said it was written in the Go programming language.
Additionally, the Ukrainian Computer Emergency Response Team announced Jan. 18 that it was investigating what it described as a “failed” Sandworm wiper attack on the National News Agency of Ukraine (Ukrinform) that took place Jan. 17, according to a Google translation. Attackers deployed the “CaddyWiper” malware, first discovered March 15, in that attack, the notice read. CaddyWiper is one of roughly 10 unique wipers deployed against Ukrainian targets during the war, Tom Hegel, senior threat researcher with SentinelLabs, told CyberScoop.
Victor Zhora, the deputy chief of Ukraine’s State Service of Special Communication and Information Protection, could not immediately be reached for comment Friday. In May, ESET researchers detected a Sandworm wiper attack against Ukrainian energy facilities that used the Industroyer malware, the same malware deployed against the country’s energy facilities in the infamous 2015 attack that knocked out power.
“The use of Golang for the wiper is an interesting choice — perhaps indicating further experimentation and efficiency in the attack process,” Hegel said. “The use of Go is quickly on the rise, as we see many APTs increasingly use it.”
Go has “many benefits for malware developers,” he said, including ease of cross-compilation, which is “likely a particular interest to Sandworm.” The unit will likely continue developing new attacks as the war drags on, Hegel added. “I estimate we’ll see increasingly desperate and faster-paced campaigns occur as western support for Ukraine expands.”