ESET Research, a Slovak security research company, discovered a cyberattack launched in Ukraine on January 25, 2023, that deployed a new type of wiper malware. Written in the Go programming language, Russia is believed to be behind the attack and the malware, which ESET has dubbed “SwiftSlicer”.
The malware
First, it’s crucial to understand wiper malware. A wiper is a class of malware that aims to completely erase (wipe clean) data from a computer’s hard drive. Unlike other common types of cyber attacks that aim for monetary gains, such as ransomware, wiper malware is simply destruction for destruction’s sake. Because of the sudden increase in wiper deployment targeting Ukrainian critical infrastructure and organizations in particular, FortiGuard Labs has named 2022 the year of the wiper. Many speculate this increase is no coincidence, that it is a means of cyber warfare.
SwiftSlicer works by utilizing Active Directory Group Policy. In a series of Tweets, ESET wrote that when it’s executed, SwiftSlicer “deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer.” It then uses randomly generated byte sequences to fill 4,096 byte-length blocks to achieve the overwrites.
In a statement to The Hacker News, Robert Lipovsky, senior malware researcher for ESET, said: “Once SwiftSlicer malware is executed, it corrupts users files and makes the computer unbootable.”
ESET has attributed the attack to a cyberespionage group called Sandworm.
The culprits
Also known as Unit 74455, Sandworm is believed to be a Russian cyber military unit of the GRU, the organization in charge of Russian military intelligence. Active since around 2005, Sandworm has also carried out attacks under the monikers Telebots, Voodoo Bear, and Iron Viking. For many years the group has caused damage and destruction to computer networks worldwide. Some examples include creating the NotPetya ransomware, targeting Ukraine’s power grid, Ministry of Finance, and State Treasury Service in 2015, and launching spear-phishing campaigns against the 2018 PyeongChang Winter Olympic Games.
So SwiftSlicer is just the latest in nearly two decades of online destruction. And it’s not even the first malware the group has launched during the Ukraine invasion. According to The Hacker News, other malware the group has unleashed includes WhisperGate, HermeticWiper, and IsaacWiper.
Protection against wiper malware
Comprehensive and regular backups of important data cannot be understated. While this obviously does not prevent an attack, it will be paramount for getting an organization back up and running if they fall victim. But what about prevention?
According to CPO magazine, one of the biggest issues with wiper malware is that it tends to be challenging to detect and contain. It can be tough for IT professionals to respond to such attacks because wipers often delete all traces of their presence once an attack has been carried out. That’s why multi-layered protection is key to preventing a wiper from wreaking havoc.
One option is a 3-2-1-1 data-protection strategy, which involves maintaining three copies of your data as well as implementing immutable object storage. Two copies of the backup data should be stored on two different media types, while the third should be stored offsite. This will provide you with multiple backup options if a wiper compromises one backup.
In addition to comprehensive backups, Packetlabs recommends implementing endpoint detection and response (EDR) to detect and stop these attacks before they can harm.
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.