New Report Reveals NikoWiper Malware That Targeted Ukraine Energy Sector
The Russia-affiliated Sandworm used yet another wiper malware strain dubbed NikoWiper as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine.
“The NikoWiper is based on SDelete, a command line utility from Microsoft that is used for securely deleting files,” cybersecurity company ESET revealed in its latest APT Activity Report shared with The Hacker News.
The Slovak cybersecurity firm said the attacks coincided with missile strikes orchestrated by the Russian armed forces aimed at the Ukrainian energy infrastructure, suggesting overlaps in objectives.
The disclosure comes merely days after ESET attributed Sandworm to a Golang-based data wiper known as SwiftSlicer that was deployed against an unnamed Ukrainian entity on January 25, 2023.
The advanced persistent threat (APT) group linked to Russia’s foreign military intelligence agency GRU has also been implicated in a partially successful attack targeting national news agency Ukrinform, deploying as many as five different wipers on compromised machines.
The Computer Emergency Response Team of Ukraine (CERT-UA) identified the five wiper variants as CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. The first three of these targeted Windows systems, while AwfulShred and BidSwipe took aim at Linux and FreeBSD systems.
The use of SDelete is notable, as it suggests that Sandworm has been experimenting with the utility as a wiper in at least two different instances to cause irrevocable damage to the targeted organizations in Ukraine.
That said, Robert Lipovsky, senior malware researcher for ESET, told The Hacker News that “NikoWiper is a different malware.”
Besides weaponizing SDelete, Sandworm’s recent campaigns have also leveraged bespoke ransomware families, including Prestige and RansomBoggs, to lock victim data behind encryption barriers without any option to recover them.
The efforts are the latest indication that the use of destructive wiper malware is on the rise and is being increasingly adopted as a cyber weapon of choice among Russian hacking crews.
“Wipers have not been used widely as they’re targeted weapons,” BlackBerry’s Dmitry Bestuzhev told The Hacker News in a statement. “Sandworm has been actively working on developing wipers and ransomware families used explicitly for Ukraine.”
It’s not just Sandworm, as other Russian state-sponsored outfits such as APT29, Callisto, and Gamaredon have engaged in parallel efforts to cripple Ukrainian infrastructure via spear-phishing campaigns designed to facilitate backdoor access and credential theft.
According to Recorded Future, which tracks APT29 (aka Nobelium) under the moniker BlueBravo, the APT has been connected to new compromised infrastructure that’s likely employed as a lure to deliver a malware loader codenamed GraphicalNeutrino.
The loader, whose main function is to deliver follow-on malware, abuses Notion’s API for command-and-control (C2) communications as well as the platform’s database feature to store victim information and stage payloads for download.
“Any country with a nexus to the Ukraine crisis, particularly those with key geopolitical, economic, or military relationships with Russia or Ukraine, are at increased risk of targeting,” the company said in a technical report published last week.
The shift to Notion, a legitimate note-taking application, underscores APT29’s “broadening but continued use” of popular software services like Dropbox, Google Drive, and Trello to blend malware traffic and circumvent detection.
Although no second-stage malware was detected, ESET – which also found a sample of the malware in October 2022 – theorized it was “aimed at fetching and executing Cobalt Strike.”
The findings also come close on the heels of Russia stating that it was the target of the West’s “coordinated aggression” in 2022 and that it faced “unprecedented external cyber attacks” from “intelligence agencies, transnational IT corporations, and hacktivists.”
As the Russo-Ukrainian war officially enters its twelfth month, it remains to be seen how the conflict evolves forward in the cyber realm.
“Over the past year we have seen waves of increased activity – such as in the spring after the invasion, in the fall and quieter months over the summer – but overall there’s been a nearly constant stream of attacks,” Lipovsky said. “So one thing that we can be sure about is that we will be seeing more cyber attacks.”