The Russia-affiliated Sandworm group used yet another wiper malware strain, dubbed NikoWiper, as part of an attack in October 2022 targeting an energy sector company in Ukraine. NikoWiper is based on SDelete, a Microsoft command-line utility used for securely deleting files, cybersecurity company ESET revealed in its latest APT Activity Report shared with The Hacker News.

The Slovak cybersecurity firm said the attacks coincided with missile strikes orchestrated by the Russian armed forces against Ukrainian energy infrastructure, suggesting overlapping objectives.

The disclosure comes merely days after ESET attributed to Sandworm a Golang-based data wiper dubbed SwiftSlicer, which was deployed against an unnamed Ukrainian entity on January 25, 2023.

The advanced persistent threat group, linked to Russia's foreign military intelligence agency GRU, has also been implicated in a partially successful attack targeting the national news agency Ukrinform, deploying as many as five different wipers on compromised machines. The Computer Emergency Response Team of Ukraine identified the five wiper variants as CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. The first three targeted Windows systems, while AwfulShred and BidSwipe took aim at Linux and FreeBSD systems.

The use of SDelete is notable, as it suggests that Sandworm has been experimenting with the utility as a wiper in at least two different instances to cause irrevocable damage to targeted organizations in Ukraine. That said, ESET malware researcher Robert Lipovsky told The Hacker News that NikoWiper is a different malware.

Sandworm's recent campaigns have also leveraged bespoke ransomware families, including Prestige and RansomBoggs, to lock victim data behind encryption with no option to recover it.
The efforts are the latest indication that the use of destructive wiper malware is on the rise and is increasingly being adopted as a cyber weapon of choice among Russian hacking crews.

"Wipers have not been used widely as they're targeted weapons," BlackBerry's Dmitry Bestuzhev told The Hacker News in a statement. "Sandworm has been actively working on developing wipers and ransomware families used explicitly for Ukraine."

It's not just Sandworm, as other Russian state-sponsored outfits such as APT29, Callisto, and Gamaredon have engaged in parallel efforts to cripple Ukrainian infrastructure via spear-phishing campaigns designed to facilitate backdoor access and credential theft.

According to Recorded Future, which tracks APT29 under the moniker BlueBravo, the APT has been connected to new compromised infrastructure that's likely employed as a lure to deliver a malware loader codenamed GraphicalNeutrino. The loader, whose main function is to deliver follow-on malware, abuses Notion's API for command-and-control communications as well as the platform's database feature to store victim information and stage payloads for download.

"Any country with a nexus to the Ukraine crisis, particularly those with key geopolitical, economic, or military relationships with Russia or Ukraine, is at increased risk of targeting," the company said in a technical report published last week.

The shift to Notion, a legitimate note-taking application, underscores APT29's "broadening but continued use of popular software services like Dropbox, Google Drive, and Trello" to blend malware traffic and circumvent detection. Although no second-stage malware was detected, ESET, which also found a sample of the malware in October 2022, theorized it was "aimed at fetching and executing Cobalt Strike."
The findings also come close on the heels of Russia stating that it was the target of "coordinated aggression" in 2022 and that it faced "unprecedented external cyber attacks" from "intelligence agencies, transnational IT corporations, and hacktivists."

As the Russo-Ukrainian war officially enters its twelfth month, it remains to be seen how the conflict evolves in the cyber realm.

"Over the past year we have seen waves of increased activity - such as in the spring after the invasion, in the fall and quieter months over the summer - but overall there's been a nearly constant stream of attacks," Lipovsky said.
This Cyber News was published on thehackernews.com. Publication date: Tue, 31 Jan 2023 13:04:02 +0000