Ukraine Targeted via New Waves of Data Wipers, Including SwiftSlicer

Experts have discovered data-wiping malware that overwrites important files used by Windows, thereby destroying Windows domains. Reportedly used by the Russian Sandworm threat group, the wiper was deployed in a recent attack aimed at targets in Ukraine.

SwiftSlicer: A new wiper

According to ESET, Sandworm launched SwiftSlicer using Active Directory Group Policy, which allows domain admins to run scripts and commands on all of the systems in the Windows network.
  • The aim behind the SwiftSlicer deployment was to delete shadow copies and overwrite critical files in the Windows system directory, especially drivers and the Active Directory database.
  • The specific targeting of the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS folder implies that the wiper is meant to destroy files with the sole aim of shutting down the entire Windows domain.
  • The wiper overwrites data using 4096-byte blocks filled with randomly generated bytes.
  • After finishing the data destruction job, the wiper reboots the infected systems.

The new wiper was added to the VirusTotal database recently (submitted on January 26), and it is already detected by more than half of the antivirus engines on the malware scanning platform.

Use of data-destruction utilities

Along with the use of SwiftSlicer, CERT-UA reported that Sandworm tried to use five data-destruction utilities against the national news agency Ukrinform.
  • The five data-destruction utilities are CaddyWiper (Windows), ZeroWipe (Windows), SDelete (a legitimate tool for Windows), AwfulShred (Linux), and BidSwipe (FreeBSD).
  • Attackers spread the malware using a Group Policy Object (GPO), a set of rules admins use to configure OS, application, and user settings in an Active Directory domain, the same method used for SwiftSlicer.
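The two lists above describe the same pattern from the defender's side: a payload pushed through Group Policy, shadow copies deleted, files in the Windows system directory (drivers and the NTDS database) overwritten, then a forced reboot. The script below is an added example written for this page, not code from ESET, CERT-UA or the article, that correlates those behaviours per host over constructed Sysmon-style records. It assumes a pipe-delimited layout (host, event id, image, parent, command line or target file), Sysmon's event numbering (1 = process creation, 11 = file create/overwrite), the fact that Group Policy scripts run under gpscript.exe, and a small allowlist of processes expected to write into the NTDS and drivers folders; the host names and the payload filename are placeholders. Write sizes (the 4096-byte blocks) are not modelled because Sysmon does not record them.

```python
"""Correlate wiper-style behaviours per host over Sysmon-like records (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    event_id: int   # Sysmon numbering: 1 = process creation, 11 = file create/overwrite
    image: str      # process performing the action (lower-cased)
    parent: str     # parent process for event 1, empty for event 11
    detail: str     # command line (event 1) or target filename (event 11)


def parse_event(line: str) -> Event:
    """Parse one constructed 'host|event_id|image|parent|detail' record."""
    host, eid, image, parent, detail = line.split("|", 4)
    return Event(host.strip(), int(eid), image.strip().lower(), parent.strip().lower(), detail.strip())


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


# Command-line patterns for the two built-in ways of deleting shadow copies, and for a forced reboot.
SHADOW_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
REBOOT = re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)
# The folders the article names as wiper targets.
NTDS_PATH = re.compile(r"\\windows\\ntds\\", re.I)
DRIVERS_PATH = re.compile(r"\\windows\\system32\\drivers\\", re.I)
# Processes that legitimately write there (assumption: lsass owns the AD database;
# the servicing stack owns drivers). Anything else writing into these folders is a signal.
NTDS_WRITERS = {"lsass.exe"}
DRIVER_WRITERS = {"tiworker.exe", "trustedinstaller.exe", "svchost.exe"}


def classify(ev: Event):
    """Yield zero or more signal names for a single event."""
    if ev.event_id == 1:
        if basename(ev.parent) == "gpscript.exe":      # spawned by a Group Policy script
            yield "gpo_script_child"
        if SHADOW_DELETE.search(ev.detail):
            yield "shadow_copy_deletion"
        if REBOOT.search(ev.detail):
            yield "forced_reboot"
    elif ev.event_id == 11:
        if NTDS_PATH.search(ev.detail) and basename(ev.image) not in NTDS_WRITERS:
            yield "ntds_overwrite"
        if DRIVERS_PATH.search(ev.detail) and basename(ev.image) not in DRIVER_WRITERS:
            yield "driver_overwrite"


def correlate(lines) -> dict:
    """Return {host: sorted list of distinct signals seen on that host}."""
    signals = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for sig in classify(ev):
            signals[ev.host].add(sig)
    return {h: sorted(s) for h, s in signals.items()}


DESTRUCTIVE = {"shadow_copy_deletion", "ntds_overwrite", "driver_overwrite"}


def alerts(signals: dict, min_signals: int = 2) -> list:
    """Alert on hosts with at least one destructive action plus a second, independent signal.
    A lone shadow-copy deletion (routine admin work) or a lone GPO-launched process does not fire."""
    return sorted(h for h, s in signals.items() if len(s) >= min_signals and DESTRUCTIVE & set(s))


# Constructed sample telemetry, not real logs. Host names and the payload filename are placeholders.
SAMPLE_EVENTS = [
    # DC01: a Group Policy script spawns a payload that deletes shadow copies,
    # overwrites the AD database and forces a reboot.
    "DC01|1|C:\\Windows\\Temp\\payload_placeholder.exe|C:\\Windows\\System32\\gpscript.exe|payload_placeholder.exe",
    "DC01|1|C:\\Windows\\System32\\vssadmin.exe|C:\\Windows\\Temp\\payload_placeholder.exe|vssadmin.exe delete shadows /all /quiet",
    "DC01|11|C:\\Windows\\Temp\\payload_placeholder.exe||C:\\Windows\\NTDS\\ntds.dit",
    "DC01|11|C:\\Windows\\System32\\lsass.exe||C:\\Windows\\NTDS\\edb.log",  # legitimate NTDS writer, no signal
    "DC01|1|C:\\Windows\\System32\\shutdown.exe|C:\\Windows\\Temp\\payload_placeholder.exe|shutdown.exe /r /t 0",
    # WS01: an ordinary Group Policy logon script, nothing destructive.
    "WS01|1|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\gpscript.exe|powershell.exe -File \\\\dc01\\netlogon\\map_drives.ps1",
    # WS02: an administrator clearing old shadow copies by hand; a single signal, so no alert.
    "WS02|1|C:\\Windows\\System32\\vssadmin.exe|C:\\Windows\\System32\\cmd.exe|vssadmin delete shadows /for=C: /oldest",
]

if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for host, sigs in sorted(found.items()):
        print(f"{host}: {', '.join(sigs)}")
    print("alert on:", alerts(found))
```

Running it reports all four signals for DC01 and alerts only on that host; WS01 and WS02 each show one signal and stay quiet. The alert threshold requires a destructive action rather than a bare count, so a GPO-launched process that later reboots would not fire on its own.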

Conclusion

In the past year, researchers have observed over a dozen wiper attacks in Ukraine, including attacks via MBR Wiper, IsaacWiper, HermeticWiper and several others. The recent discovery of SwiftSlicer further points toward the regular use of wiper malware variants by Russian hackers. The objective behind using these destructive wipers is to wreak havoc in Ukraine. Thus, organizations are advised to stay vigilant and implement a defense-in-depth security strategy to keep their digital infrastructure protected.
Cyware Publisher