The Russia-linked threat group known as Sandworm has deployed a new wiper, NikoWiper, against a Ukrainian energy-sector company in October 2022. The incident underscores that cyber threats in the region continue to track geopolitical tensions.
ESET, a prominent cybersecurity firm, disclosed that NikoWiper is built around SDelete, a Microsoft command-line tool designed for secure file deletion. The attackers repurposed it to destroy data irrecoverably at the targeted organization, and ESET notes that SDelete has been used as a wiper against Ukraine in multiple instances.
The timing of the attack coincided with Russian missile strikes on Ukrainian energy infrastructure, indicating that the cyber and kinetic operations shared objectives. That alignment raises concern that cyber operations are being escalated as a means of crippling critical assets.
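Because NikoWiper wraps a legitimate deletion tool, the defensive question is how to tell a wiper-like SDelete run from routine cleanup. The following Python is an added example, not part of the original article or ESET's research: it triages constructed process-creation events modelled on Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine) and flags runs whose documented switches broaden the damage. The sample events and the assumption that SDelete's PE OriginalFileName is `sdelete.exe` are mine.

```python
"""Flag SDelete process-creation events that look like wiping rather than
single-file cleanup. Events are dicts with Sysmon-style field names; the
SAMPLE_EVENTS below are constructed for illustration."""
import re
import shlex

SDELETE_NAMES = {"sdelete.exe", "sdelete64.exe"}
# Documented SDelete switches that widen the blast radius of a run.
WIPE_FLAGS = {
    "-s": "recursive delete of a directory tree",
    "-z": "zero free space (defeats file recovery)",
    "-c": "clean free space (defeats file recovery)",
}

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].strip('"').lower()

def _tokens(cmdline):
    # Non-POSIX mode keeps Windows backslashes literal and respects quoted paths.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]

def is_sdelete(event):
    """Match on image name, or on OriginalFileName so a renamed copy still hits
    (assumes the PE version info of SDelete carries OriginalFileName sdelete.exe)."""
    return (_basename(event.get("Image", "")) in SDELETE_NAMES
            or event.get("OriginalFileName", "").lower() in SDELETE_NAMES)

def classify(event):
    """Return (severity, reasons): 'none', 'medium' (SDelete ran at all)
    or 'high' (switches or targets typical of data destruction)."""
    if not is_sdelete(event):
        return "none", []
    cmd = event.get("CommandLine", "")
    toks = _tokens(cmd)[1:]                       # drop argv[0]
    reasons = [WIPE_FLAGS[t.lower()] for t in toks if t.lower() in WIPE_FLAGS]
    m = re.search(r"-p\s+(\d+)", cmd, re.IGNORECASE)
    if m and int(m.group(1)) > 1:                 # multiple overwrite passes
        reasons.append(f"{m.group(1)} overwrite passes")
    targets = [t for t in toks if not t.startswith("-") and not t.isdigit()]
    if any(re.fullmatch(r"[a-z]:\\?", t.lower()) for t in targets):
        reasons.append("target is a drive root")
    return ("high" if reasons else "medium"), reasons

SAMPLE_EVENTS = [  # constructed events
    {"Image": r"C:\Windows\Temp\svc.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"svc.exe -accepteula -nobanner -s -p 3 C:\Users"},
    {"Image": r"C:\Tools\sdelete64.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r'"C:\Tools\sdelete64.exe" -accepteula -z C:'},
    {"Image": r"C:\Tools\sdelete.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"sdelete.exe -accepteula C:\Users\alice\notes.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c dir"},
]
```

A medium hit on its own is still worth a look on hosts where nobody should be running SDelete; the high tier is where the wiper pattern from the article shows up.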
This revelation follows ESET’s attribution of a related Golang-based data wiper, named SwiftSlicer, used against another Ukrainian entity earlier this year. Sandworm’s operations, tied to Russia’s GRU military intelligence agency, further illustrate a trend of sophisticated cyber attacks targeting key national infrastructures.
The Computer Emergency Response Team of Ukraine (CERT-UA) has flagged five different wiper variants tied to Sandworm, including well-known tools such as CaddyWiper and AwfulShred. The diversity in these tools reveals a calculated strategy to disrupt systems across various platforms, with some targeting Windows and others aimed at Linux and FreeBSD systems.
As Robert Lipovsky, a senior malware researcher at ESET, pointed out, NikoWiper represents an evolution in Sandworm’s malware arsenal. Recent campaigns have also integrated custom ransomware, such as Prestige and RansomBoggs, designed to lock victims out of their data without hope of recovery, further complicating the cybersecurity landscape in the region.
Experts highlight that the rise in destructive malware signifies a shift in cyber aggression, with wiper malware increasingly becoming a weapon of choice among Russian threat actors. This is corroborated by BlackBerry’s Dmitry Bestuzhev, who stated that Sandworm has been focusing its efforts on wipers as targeted weapons against Ukraine.
Furthermore, various Russian state-sponsored groups, including APT29 and Gamaredon, are reported to be conducting parallel operations aimed at undermining Ukrainian infrastructure via sophisticated spear-phishing campaigns designed for credential theft and backdoor access. Taken together, these operations point to a broader strategy that affects not only Ukraine but also nations associated with the ongoing crisis.
As the geopolitical conflict continues into its second year, cybersecurity professionals must remain vigilant about the evolving methods employed by these threat actors. The ongoing pattern of attacks over the past year suggests a persistent risk of further incidents, particularly as the conflict intensifies. According to Lipovsky, the steady stream of cyber attacks is expected to continue, reinforcing the critical need for robust cybersecurity measures across affected industries.