In recent years, the world has witnessed a rise in state-sponsored cyberattacks aimed at critical infrastructure, causing widespread disruption and destruction. One of the countries that has been hit the hardest by these wiper attacks is Ukraine, which has been facing a relentless wave of cyberattacks from a Russian-backed advanced persistent threat (APT) group known as Sandworm. The latest in a long line of Sandworm’s attacks is the deployment of the SwiftSlicer wiper malware, which has once again put Ukrainian critical infrastructure at risk.
The Sandworm Team’s SwiftSlicer Operation
Ukraine has been a prime target of Sandworm since the group’s inception in 2009. The APT group has launched numerous high-profile attacks against Ukrainian infrastructure, including the national power grid in 2015 and 2016 and an attempted ransomware attack in 2022. The latest attack, which occurred on January 27, involved the deployment of SwiftSlicer, a wiper malware written in the Go programming language, discovered by ESET researchers. SwiftSlicer was deployed using Active Directory (AD) Group Policy, which allowed the threat actor to overwrite shadow copies and cause widespread destruction.
One of the most concerning aspects of the SwiftSlicer attack is the use of AD group policies, which indicates that the threat actor was able to compromise the domain controller after gaining access to the target. This is not the first time Sandworm has used AD group policies, as the group also deployed two similar wiper variants, HermeticWiper and CaddyWiper, in the first few months of 2022. These attacks demonstrate Sandworm’s increasing willingness to cause widespread destruction and disrupt critical infrastructure, which puts the security and stability of Ukraine at risk.
Cyber goes geopolitical
It’s not just the Ukrainian government that is at risk from these attacks. Private companies and organizations that provide essential services to the Ukrainian people, such as hospitals, banks, and utility providers, are also at risk. These organizations are the backbone of Ukraine’s critical infrastructure, and their disruption could have far-reaching consequences for the Ukrainian people.
The deployment of SwiftSlicer is also significant because it demonstrates the growing trend of state-sponsored cyberattacks against critical infrastructure, fueled by the geopolitical context. The rise in these types of attacks has made it clear that the consequences of cyber warfare are far-reaching and dangerous. The impact of these attacks can be devastating, causing widespread disruption and destruction and putting the lives and well-being of people at risk.
The deployment of SwiftSlicer is a stark reminder of the dangers posed by state-sponsored cyberattacks against critical infrastructure. The use of AD group policies by Sandworm shows that the group is becoming increasingly confident in its ability to cause widespread disruption and destruction. It’s essential that governments and organizations around the world take the threat of cyber warfare seriously and invest in the necessary measures to protect their critical infrastructure. Failure to do so could have devastating consequences for the people they serve.