Latest Cyber Attacks in Ukraine Feature Golang-Based "SwiftSlicer" Wiper Malware
Ukraine has experienced a new wave of Russian cyber attacks, this time involving a previously unseen data wiper called SwiftSlicer. ESET security researchers attributed the malware to Sandworm, a nation-state actor linked to Military Unit 74455 of the Main Intelligence Directorate of the Russian Federation (GRU).
According to ESET's report, once executed the malware deletes shadow copies and then recursively overwrites files located in %CSIDL_SYSTEM%\drivers and %CSIDL_SYSTEM_DRIVE%\Windows\NTDS (the default location of the Active Directory database, ntds.dit), as well as files on other non-system drives.
Rather than simply deleting files, the wiper overwrites their contents with 4,096-byte blocks filled with randomly generated bytes, so the original data cannot be recovered from disk afterwards. ESET says the malware was first observed on January 25, 2023.
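One practical consequence of the overwrite pattern described above is that wiped files no longer look like documents, databases or binaries: every 4,096-byte block is close to uniformly random. The following Go program is an added triage example, not ESET's tooling and not code from the SwiftSlicer samples; it flags files whose full 4,096-byte blocks all have near-maximal Shannon entropy. The 7.8 bits-per-byte threshold, the function names and the constructed sample data are assumptions made for this illustration, and a seeded math/rand stream stands in for the wiper's random output.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
	"os"
)

// BlockSize matches the 4,096-byte overwrite granularity ESET reported for SwiftSlicer.
const BlockSize = 4096

// Threshold is an assumed cut-off in bits per byte. A 4,096-byte block of
// random bytes measures about 7.95; ordinary text or code measures well under 7.
const Threshold = 7.8

// BlockEntropy returns the Shannon entropy of b in bits per byte (0 to 8).
func BlockEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n := float64(len(b))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ScanBlocks walks data in BlockSize steps and counts the full blocks whose
// entropy is at or above threshold. A trailing partial block is ignored,
// because a short sample cannot reach high entropy even when it is random.
func ScanBlocks(data []byte, threshold float64) (highEntropy, total int) {
	for off := 0; off+BlockSize <= len(data); off += BlockSize {
		total++
		if BlockEntropy(data[off:off+BlockSize]) >= threshold {
			highEntropy++
		}
	}
	return highEntropy, total
}

// LooksWiped reports whether every full block of data is high-entropy, the
// trace an overwrite with random bytes leaves behind. Files shorter than one
// block are reported as not wiped (too small to judge). Compressed or encrypted
// files also match, so treat a hit as a lead for manual review, not as proof.
func LooksWiped(data []byte, threshold float64) bool {
	hi, total := ScanBlocks(data, threshold)
	return total > 0 && hi == total
}

// SampleWipedFile constructs three blocks of pseudo-random bytes (fixed seed,
// so the example is reproducible) standing in for a file the wiper overwrote.
func SampleWipedFile() []byte {
	r := rand.New(rand.NewSource(1))
	buf := make([]byte, 3*BlockSize)
	for i := range buf {
		buf[i] = byte(r.Intn(256))
	}
	return buf
}

// SampleTextFile constructs three blocks of ordinary log text, the kind of
// content a wiper destroys; the lines are made up for this example.
func SampleTextFile() []byte {
	line := "2023-01-25 10:15:00 ntds.dit snapshot completed without errors\n"
	buf := make([]byte, 0, 3*BlockSize)
	for len(buf) < 3*BlockSize {
		buf = append(buf, line...)
	}
	return buf[:3*BlockSize]
}

// ScanFile applies the check to a file on disk.
func ScanFile(path string) (bool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	return LooksWiped(data, Threshold), nil
}

func main() {
	samples := map[string][]byte{"wiped": SampleWipedFile(), "text": SampleTextFile()}
	for name, data := range samples {
		hi, total := ScanBlocks(data, Threshold)
		fmt.Printf("%s: %d/%d high-entropy blocks, looksWiped=%v\n", name, hi, total, LooksWiped(data, Threshold))
	}
	// Any paths given on the command line are scanned the same way.
	for _, p := range os.Args[1:] {
		wiped, err := ScanFile(p)
		if err != nil {
			fmt.Println(p, err)
			continue
		}
		fmt.Printf("%s: looksWiped=%v\n", p, wiped)
	}
}
```

Run it with no arguments to see the two constructed samples classified, or pass file paths to scan real files. The heuristic is deliberately simple: it only tells you that a file's contents are indistinguishable from random, which is exactly what a random-byte overwrite produces but also what a ZIP archive or an encrypted volume produces, so pair it with file-type and timestamp checks during incident triage.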
Active since at least 2007, Sandworm is known for a range of malicious tools, including BlackEnergy, GreyEnergy, Industroyer, NotPetya, Olympic Destroyer, Exaramel, and Cyclops Blink.
Wiper activity against Ukrainian infrastructure was especially intense in 2022, with WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs all observed in multiple networks.
This illustrates the attackers' aim: to inflict as much disruption and destruction as possible.
Geri Revay of Fortinet FortiGuard Labs commented that the sharp increase in the use of wiper malware during the Russia-Ukraine conflict should not be surprising.
Nation-state actors also commonly take advantage of Golang, whose toolchain makes it straightforward to build malware for several operating systems from one code base. A similar multi-platform approach was seen in the recent cyber attack against Ukrinform, Ukraine's national news agency.
That intrusion, in which the attackers reportedly gained access no later than December 7, 2022, used five data-erasing programs, CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe, to target Windows, Linux, and FreeBSD systems.
CERT-UA identified the infiltration before substantial damage could be done and reported that the attack carried out on January 17, 2023 was only partially successful.
Although Sandworm remains one of the major threats to Ukrainian organizations, those organizations have also been targeted by other Russia-backed groups, including APT29, COLDRIVER, and Gamaredon, since the war began. With this in mind, it is crucial for them to stay informed and proactive about their digital security.