The Sandworm hacking group has resurfaced in recent months with a new malware strain named SwiftSlicer, a wiper that aims to destroy crucial Windows operating system files.

Who are Sandworm?

Sandworm has been behind a large number of high-profile cyber attacks ever since it first came on the scene back in 2004.

Also known as Telebots, Voodoo Bear, and Iron Viking, Sandworm is allegedly a Russian cyber-military unit of the GRU, the organization in charge of Russian military intelligence. Within the GRU, it is believed that Sandworm is actually Unit 74455.

The hacking group is believed to be behind the December 2015 Ukraine power grid cyber-attack, the 2017 cyber-attacks on Ukraine using the NotPetya malware (see my previous blog on NotPetya), various interference efforts in the 2017 French presidential election, and the cyber-attack on the 2018 Winter Olympics opening ceremony.

What is SwiftSlicer?

Due to the fairly recent emergence of this new malware, details regarding SwiftSlicer are scant at the moment, but security researchers at cybersecurity company ESET say that they found the destructive malware deployed during a recent cyberattack in Ukraine.

The name of the Ukrainian target has not been published, but recent Sandworm activity includes a data-wiping attack on Ukrinform, Ukraine’s national news agency.

A report issued by the Ukrainian Computer Emergency Response Team (CERT-UA) says that Sandworm also tried to use five different data-destruction utilities on the Ukrinform news agency's network:

  • CaddyWiper (Windows)
  • ZeroWipe (Windows)
  • SDelete (legitimate tool for Windows)
  • AwfulShred (Linux)
  • BidSwipe (FreeBSD)

The agency's investigation revealed that Sandworm distributed the malware to computers on the network using a Group Policy Object (GPO), a set of rules administrators use to configure operating systems, apps, and user settings in an Active Directory environment. The same method was also used to execute SwiftSlicer: whoever controls Group Policy can push a program to every domain-joined machine at once, so GPO abuse is a sign that the attacker already held domain-level privileges.

SwiftSlicer was pushed out through Windows Active Directory Group Policy and, once executed, deletes shadow copies (the volume snapshots Windows uses for recovery) and then overwrites critical files in the Windows system directory, specifically drivers and the Active Directory database.

The specific targeting of the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS folder indicates that the wiper is not only meant to destroy files but also to bring down entire Windows domains: that folder holds NTDS.dit, the Active Directory database, and it only exists on domain controllers, so the wiper was clearly intended to run on the domain controllers themselves rather than just on workstations.

Go Johnny Go…

ESET researchers say that SwiftSlicer overwrites data using 4096-byte blocks filled with randomly generated bytes and then reboots the target machine so that the changes are permanent. Deleting the shadow copies first matters because it removes the one on-disk snapshot that might otherwise have allowed the overwritten files to be restored.
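The two behaviours above, a Group Policy change followed shortly by shadow-copy deletion across domain members, are the part of this attack chain a defender can actually hunt for in Windows event logs. The script below is an added example written for this post, not code from ESET or CERT-UA: it correlates directory-service change events on GPO objects (Security event IDs 5136/5137) with process-creation events (ID 4688, which needs command-line auditing enabled) that run generic shadow-copy deletion commands. The sample events are constructed, and the command-line patterns are common shadow-copy deletion methods, not published SwiftSlicer indicators.

```python
"""Hunt for a GPO change followed by shadow-copy deletion in Windows Security events.

Added example for this post, not code from the original page, ESET or CERT-UA.
The events below are constructed, and the command-line patterns are generic
shadow-copy deletion commands rather than published SwiftSlicer indicators.
"""
import re
from datetime import datetime, timedelta

# Windows Security log event IDs used here:
#   5136 / 5137 = directory service object modified / created (logged on DCs)
#   4688        = a new process has been created (command line needs auditing on)
GPO_EVENT_IDS = {5136, 5137}
PROCESS_EVENT_ID = 4688

# Common ways to delete Volume Shadow Copies from a command line (assumption:
# these are generic pre-wipe/pre-ransomware steps, not SwiftSlicer-specific).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),   # PowerShell/WMI variant
]

# Constructed sample events modelled loosely on Security log fields.
SAMPLE_EVENTS = [
    {"time": "2023-01-25T09:58:00", "host": "DC01", "id": 5136,
     "object_class": "groupPolicyContainer",
     "attribute": "gPCMachineExtensionNames", "subject": "CORP\\adm-jsmith"},
    {"time": "2023-01-25T10:02:10", "host": "WS07", "id": 4688,
     "command_line": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
     "subject": "NT AUTHORITY\\SYSTEM"},
    {"time": "2023-01-25T10:02:40", "host": "FS02", "id": 4688,
     "command_line": "wmic shadowcopy delete", "subject": "NT AUTHORITY\\SYSTEM"},
    {"time": "2023-01-25T10:03:00", "host": "WS07", "id": 4688,
     "command_line": "C:\\Windows\\System32\\notepad.exe", "subject": "CORP\\jdoe"},
    # Much later and not preceded by a GPO change: plausible backup maintenance.
    {"time": "2023-01-25T16:30:00", "host": "WS12", "id": 4688,
     "command_line": "vssadmin delete shadows /for=C: /oldest",
     "subject": "CORP\\adm-backup"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def is_gpo_change(event):
    """5136/5137 on a groupPolicyContainer object means a GPO was edited or created."""
    return event["id"] in GPO_EVENT_IDS and event.get("object_class") == "groupPolicyContainer"


def is_shadow_deletion(event):
    """4688 whose command line matches one of the shadow-copy deletion patterns."""
    if event["id"] != PROCESS_EVENT_ID:
        return False
    command_line = event.get("command_line", "")
    return any(p.search(command_line) for p in SHADOW_DELETE_PATTERNS)


def correlate(events, window=timedelta(minutes=30)):
    """Return a list of alert dicts.

    A shadow-copy deletion within `window` after any GPO change is rated
    'high' (consistent with a GPO-pushed wiper); an isolated deletion is
    'medium' (could be legitimate maintenance); a GPO change alone is 'info'.
    """
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    gpo_changes = [(parse_time(e["time"]), e) for e in events if is_gpo_change(e)]
    alerts = []
    for _, gpo in gpo_changes:
        alerts.append({"severity": "info", "host": gpo["host"],
                       "reason": f"GPO object modified by {gpo['subject']}"})
    for event in events:
        if not is_shadow_deletion(event):
            continue
        when = parse_time(event["time"])
        preceding = [g for t, g in gpo_changes if timedelta(0) <= when - t <= window]
        severity = "high" if preceding else "medium"
        reason = "shadow copies deleted"
        if preceding:
            reason += f" {int((when - preceding[-1][0] if False else when - parse_time(preceding[-1]['time'])).total_seconds() // 60)} min after GPO change on {preceding[-1]['host']}"
        alerts.append({"severity": severity, "host": event["host"],
                       "subject": event["subject"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper():6}] {alert['host']:5} {alert['reason']}")
```

The 30-minute window is a tuning knob: a GPO-driven wiper fires on the next Group Policy refresh (by default every 90 minutes plus a random offset, or at boot), so in a real deployment you would widen the window to cover a refresh cycle and key on the GPO's GUID rather than on any GPO change at all.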

Sandworm developed SwiftSlicer in the Go (A.K.A. Golang) programming language, which Google announced in 2009.

Go has been adopted by multiple threat actors for its versatility: a single codebase can be cross-compiled into a static binary for many operating systems and CPU architectures, which makes it very useful for developing malware for whatever target platform is at hand.

A battlefield with no boundaries

The Russian invasion of Ukraine is a true 21st Century conflict being fought on Ukrainian soil, in the skies above Ukrainian soil, and in Ukrainian cyberspace, and like NotPetya before it, it has the potential to spill over to other parts of the globe.