Sandworm’s expanded wiper arsenal targets energy sector

Russian state-sponsored hacker collective Sandworm has added new wiper malware to its arsenal. The target is, unsurprisingly, Ukraine.

Russia-aligned advanced persistent threat (APT) groups remained relentlessly focused on targets in Ukraine, researchers from cybersecurity firm ESET concluded in their latest report.

Researchers noted that Sandworm, an APT group linked to Russia’s Main Directorate of the General Staff of the Armed Forces (GRU), developed a previously unknown wiper that ESET dubbed NikoWiper.

The malware was observed last October, when it was deployed against an energy sector company in Ukraine. Researchers note that NikoWiper is based on SDelete, a Microsoft Sysinternals command-line utility for securely deleting files.

Russian APTs are no strangers to wiper attacks against targets in Ukraine. The Computer Emergency Response Team of Ukraine (CERT-UA) attributed the January 17 wiper attack on Ukraine’s national news agency Ukrinform to the GRU.

According to CERT-UA, the threat actors deployed the CaddyWiper malware against the organization in an attempt to disrupt the news agency’s operations.

Interestingly, ESET notes that the cyberattack on a Ukrainian energy sector company coincided with the kinetic attacks Russian armed forces carried out against Ukrainian energy infrastructure.

“Even if we were unable to demonstrate any coordination between those events, it suggests that both Sandworm and the Russian armed forces have the same objectives,” reads the report.

Last June, Ukraine’s cyber watchdog, the State Service of Special Communications and Information Protection (SSSCIP), came to the same conclusion. Ukrainian energy company DTEK experienced a cyberattack while the Russian military was shelling a thermal power plant owned by the same company.

According to ESET, Sandworm’s innovations don’t stop there. The Russia-aligned APT was also observed deploying ransomware against logistics companies in Ukraine and Poland.

Russian hackers even developed a new ransomware strain, which ESET named RansomBoggs because the malware contains multiple references to the 2001 American computer-animated film Monsters, Inc.

The report noted that other Russian APTs, namely Callisto, Gamaredon, and the Dukes, were also active in launching campaigns against targets in Ukraine. All three groups ran sophisticated spear-phishing campaigns against Ukrainian targets.

Since the war broke out, Ukraine has been constantly hit with cyberattacks from Russia. For example, Ukrainian state-owned telecommunications company Ukrtelecom experienced a cyberattack in June that attempted to disrupt Ukraine’s military communications. Similarly, Ukrainian government websites have been hit by distributed denial-of-service (DDoS) attacks.