Sandworm unleashed yet another data wiper called NikoWiper

February 9, 2023

The Russian state-sponsored threat group Sandworm has deployed another destructive malware strain, called NikoWiper, as part of its campaign against Ukraine. The operation, which targeted the Ukrainian energy sector, began around October last year and has continued to date.

Based on the reports, the new wiper is built on SDelete, a Microsoft Sysinternals command-line utility for secure deletion: SDelete overwrites a file's contents before removing it so that the data cannot be recovered from disk. That is exactly the property the actors want from a wiper, which is why the tool's name doubles as a description of its purpose. Repurposing a legitimate, signed-vendor utility also means the wiper carries no novel destructive code of its own, so defenders should watch for how SDelete-style deletion is invoked rather than rely on a file signature for the tool itself.
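Because the wiper reuses SDelete's secure-delete logic, the check a defender wants from this paragraph is for SDelete-style invocations in process-creation telemetry, including from a renamed binary. The following Python is an added example written for this page, not code from the article or from any vendor or researcher. The sample events are constructed, the switch list is taken from SDelete's own usage text, and the assumption that a wiper built on SDelete keeps that command-line surface is mine; the article does not say how NikoWiper is invoked, so treat the rule as a starting point to tune.

```python
import re

# Documented SDelete command-line switches (from the Sysinternals tool's
# usage text). NikoWiper is reported to be built on SDelete; that a modified
# build keeps this switch surface is an assumption of this example, not a
# claim the article makes, so treat the rule as a starting point to tune.
SDELETE_SWITCHES = {
    "-p": "number of overwrite passes (takes a numeric argument)",
    "-s": "recurse subdirectories",
    "-r": "remove read-only attribute",
    "-q": "quiet, suppress errors",
    "-z": "zero free space",
    "-c": "clean free space",
    "-nobanner": "suppress startup banner",
    "-accepteula": "accept the Sysinternals EULA without a prompt",
}

# Constructed sample process-creation events in a simplified Sysmon
# Event ID 1 shape. They are invented for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\Users"},
    {"Image": "C:\\Tools\\sdelete64.exe",
     "CommandLine": "sdelete64.exe -accepteula -nobanner -p 3 -s -r C:\\Data\\*"},
    # A renamed binary: the image name gives nothing away, only the switches do.
    {"Image": "C:\\Users\\Public\\svc.exe",
     "CommandLine": "svc.exe -accepteula -q -p 2 -s D:\\"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]


def split_args(cmdline):
    """Return (switches, targets) for a command line, dropping the program name
    and the numeric argument that follows -p."""
    switches, targets = set(), []
    skip_next = False
    for tok in cmdline.split()[1:]:
        if skip_next:
            skip_next = False
            continue
        low = tok.lower()
        if low in SDELETE_SWITCHES:
            switches.add(low)
            skip_next = low == "-p"
        else:
            targets.append(tok)
    return switches, targets


def is_broad_target(target):
    """A bare drive root or a wildcard path means mass deletion, not a single file."""
    t = target.strip('"')
    return bool(re.fullmatch(r"[A-Za-z]:\\?", t)) or t.endswith("*")


def assess(event):
    """Return None for a benign-looking event, otherwise a finding dict."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    switches, targets = split_args(event["CommandLine"])
    reasons = []
    if "sdelete" in image:
        reasons.append("image name contains 'sdelete'")
    if len(switches) >= 3:
        reasons.append("sdelete-style switch set: " + " ".join(sorted(switches)))
    if not reasons:
        return None
    broad = [t for t in targets if is_broad_target(t)]
    if "-s" in switches and broad:
        severity = "high"
        reasons.append("recursive wipe of broad target(s): " + ", ".join(broad))
    else:
        severity = "medium"
    return {"severity": severity, "image": event["Image"], "reasons": reasons}


def scan(events):
    """Run assess() over a list of events and return the findings with their index."""
    findings = []
    for idx, ev in enumerate(events):
        finding = assess(ev)
        if finding:
            finding["index"] = idx
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] event {f['index']}: {f['image']}")
        for r in f["reasons"]:
            print("   -", r)
```

The two-signal design matters: the image-name check catches a stock SDelete drop, while the switch-set check catches the renamed copy in the third event, where nothing but the argument pattern is suspicious. Severity is raised only when recursion is combined with a drive root or wildcard, which separates a wipe of a whole volume from an administrator securely deleting one file.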

Researchers noted that the campaign coincided with the Russian military's missile strikes on Ukraine's energy infrastructure.

The researchers disclosed NikoWiper shortly after SwiftSlicer emerged and caused damage to Ukrainian organisations.

The Sandworm group has bombarded Ukraine with a succession of wiper strains, with NikoWiper and SwiftSlicer reported only days apart. The Go-based SwiftSlicer was deployed on 25 January, and NikoWiper was disclosed earlier this week, although, as noted above, it had already been in use since around October.

This APT group, which is backed by Russia's military intelligence agency (GRU), has also been linked to several other attacks, including the recent campaign against Ukrinform, Ukraine's national news agency.

Last month, CERT-UA identified five wiper variants that Sandworm had deployed against its Ukrainian targets: three aimed at Windows systems and two built for Linux and FreeBSD.

Experts read the appearance of yet another Russian wiper as a sign that Sandworm keeps testing new wiper variants in separate incidents to see which of them cause irreversible damage to organisations in Ukraine.

Besides weaponising SDelete, Sandworm has also used ransomware families such as RansomBoggs and Prestige. In those operations the ransomware encrypted targeted data with no working path to recovery, which makes it a wiper in practice regardless of the ransom note.

Taken together, these incidents show that Russian state-backed groups have destructive malware on hand and can point it at any sector they choose.
