Information security company ESET has detected a new cyber-attack that appears to be targeting Ukraine and is designed to overwrite important Windows operating system files.
ESET said in a tweet: “On January 25, #ESETResearch detected a new cyberattack in Ukraine in which the attackers deployed a new file-wiping tool, which we called #SwiftSlicer, using Active Directory Group Policy. The #SwiftSlicer scanning tool is made in the Go programming language. We attribute this attack to the #Sandworm.”
Active Directory Group Policy is a central management feature of the Windows Active Directory environment that IT administrators configure; it defines the behavior and privileges of users and computers across the domain. Pushing a tool out through Group Policy means the attackers already held the rights to create or edit Group Policy Objects, which normally implies domain-level administrative access.
Sandworm, also known as Unit 74455, is a group of Russian military hackers working for the Main Directorate of the General Staff of the Russian Armed Forces. A number of other attacks in Ukraine are also attributed to it, such as the 2015 attack on the electricity grid.
In another tweet, ESET said: “When executed, the tool deletes backups and recursively replaces files in the %CSIDL_SYSTEM%\drivers directory, the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS directory, and other non-system drives, and then restarts the computer.”
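As an added example (not from ESET or this article), the check a defender would want after reading this: a PowerShell hunt that lists Group Policy Objects modified recently and flags those whose settings can execute code on domain members (scripts, scheduled or immediate tasks, software installation). The lookback window and the marker strings searched for in the GPO XML report are assumptions.

```powershell
# Added example: hunt for recently changed GPOs that deliver scripts, scheduled
# tasks or software installs, the mechanisms a GPO-deployed wiper would rely on.
# Assumes the RSAT GroupPolicy module is installed and the account can read all GPOs.
Import-Module GroupPolicy

$LookbackDays = 7                               # assumption: how far back to look
$Since = (Get-Date).AddDays(-$LookbackDays)

# Assumption: substrings that appear in the XML report when these settings exist.
$RiskyMarkers = @(
    'Settings/Scripts',      # startup/shutdown/logon/logoff scripts extension
    'ScheduledTasks',        # Group Policy Preferences scheduled tasks
    'ImmediateTask',         # "immediate" tasks run at the next policy refresh
    'SoftwareInstallation'   # MSI deployment
)

$Findings = foreach ($gpo in Get-GPO -All | Where-Object { $_.ModificationTime -ge $Since }) {
    # The XML report contains every configured setting of the GPO.
    $text = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    [xml]$report = $text

    $hits = $RiskyMarkers | Where-Object { $text -match [regex]::Escape($_) }
    if ($hits) {
        # Count enabled links: a risky GPO that is linked is the one that matters.
        $enabledLinks = @($report.GPO.LinksTo | Where-Object { $_.Enabled -eq 'true' }).Count
        [pscustomobject]@{
            Name         = $gpo.DisplayName
            Id           = $gpo.Id
            Modified     = $gpo.ModificationTime
            EnabledLinks = $enabledLinks
            Indicators   = ($hits -join ', ')
        }
    }
}

# Newest changes first; review each flagged GPO against your change records.
$Findings | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Pair the output with directory service change auditing (which account modified the GPO) before deciding whether a flagged object is an authorised change.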
Go, the programming language the tool is written in, is attractive to threat actors for its versatility, and a number of large companies, such as Google, Twitter, and PayPal, use it for legitimate purposes.
According to the Computer Emergency Response Team of Ukraine (CERT-UA), Sandworm has launched a number of other attacks in the country, including five data-wiping attacks on Ukraine’s national news agency, Ukrinform.
One strain of the data-wiping tool CaddyWiper, which was used in the attack on Ukrinform, has been found in a number of other attacks on Ukraine, suggesting the involvement of the Sandworm group.