Researchers have discovered a new data-wiping attack on a Ukrainian target carried out by Russian threat actors. The attack used a new malware called SwiftSlicer, which is attributed to the Sandworm group, known to work for the Russian General Staff Main Intelligence Directorate. On January 25th, the malware was submitted to the VirusTotal scanning platform's database.

The attack was spread using a Group Policy Object (GPO), which allowed the threat actors to take over the victim's Active Directory environment. SwiftSlicer was used to delete shadow copies and overwrite critical files in the Windows system directory, such as drivers and the Active Directory database. The malware also targeted the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS folder, aiming to bring down entire Windows domains. It overwrites data in 4096-byte blocks filled with randomly generated bytes, and then reboots the systems.

Sandworm was recently in the spotlight for a data-wiping attack on Ukraine's national news agency, Ukrinform.
This Cyber News was published on heimdalsecurity.com. Publication date: Mon, 30 Jan 2023 12:13:02 +0000