Cybersecurity researchers at the Slovak company ESET recently identified a brand-new malware type designed specifically for wiping data. The researchers have named the malware SwiftSlicer and confirmed that it has been designed with the aim of overwriting critical data files used by Windows operating systems.

The all-new malware was encountered when it was deployed in a recent attack on a target based in Ukraine. The strike has now been attributed to the hacking group Sandworm, an outfit affiliated with the General Staff Main Intelligence Directorate (GRU) in Russia. The GRU is part of the Main Centre for Special Technologies (also known as GTsST) at military unit 74455.

Destructive malware identified

While there are few technical details regarding the SwiftSlicer malware at present, researchers at cybersecurity firm ESET have stated that they discovered the malware in active use during a targeted cyberattack in Ukraine.

While the name of the victim has not yet been published, the Sandworm hacking group’s recent actions include a targeted data-wiping attack aimed at Ukrinform, the national news agency of Ukraine. However, in that incident last month, ESET observed that the threat operator used a different wiper known as CaddyWiper, which it had previously seen in other attacks on targets in Ukraine.

ESET commented that the Sandworm actors deployed SwiftSlicer using Active Directory Group Policy. This mechanism allows domain administrators to execute commands and scripts across all devices joined to the Windows domain. Additionally, the researchers said that SwiftSlicer was launched to eradicate shadow copies and overwrite crucial files located in the Windows directory. They specifically mentioned the Active Directory database and drivers as targeted areas for attack.

The nature of this specific targeting approach suggests that the new wiper malware is not only designed to delete files, but also to bring Windows domains down in their entirety.

SwiftSlicer in action

As a wiper malware, SwiftSlicer is designed to overwrite data files in 4096-byte blocks of randomly generated bytes. According to researchers at ESET, once the data destruction task is complete, the wiper then reboots the affected systems.
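As an added forensic-triage example, not code from ESET or from this article: a Python script that flags files whose 4096-byte blocks are statistically indistinguishable from random data, which is the footprint the overwrite pattern described above would leave on disk. The file names, entropy thresholds and sample contents are constructed assumptions for demonstration.

```python
import math
import os
import tempfile

BLOCK_SIZE = 4096          # block size reported for SwiftSlicer's overwrites
ENTROPY_THRESHOLD = 7.85   # bits/byte; 4096 random bytes score ~7.95, text/code far lower
WIPED_FRACTION = 0.9       # flag a file if this share of its blocks looks random

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def random_block_fraction(path: str) -> float:
    """Share of 4096-byte blocks in `path` whose entropy exceeds the threshold."""
    total = flagged = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(BLOCK_SIZE)
            if not block:
                break
            total += 1
            if shannon_entropy(block) >= ENTROPY_THRESHOLD:
                flagged += 1
    return flagged / total if total else 0.0

def looks_wiped(path: str) -> bool:
    """Heuristic: nearly every block is indistinguishable from random bytes."""
    return random_block_fraction(path) >= WIPED_FRACTION

def classify_samples() -> dict:
    """Constructed inputs: an intact log-like file beside one overwritten with
    os.urandom(); returns {file name: fraction of random-looking blocks}."""
    with tempfile.TemporaryDirectory() as d:
        intact = os.path.join(d, "intact.log")   # assumed name
        wiped = os.path.join(d, "wiped.log")     # assumed name
        with open(intact, "wb") as f:
            f.write(b"2023-01-25 10:00:01 service started\n" * 400)
        with open(wiped, "wb") as f:
            f.write(os.urandom(BLOCK_SIZE * 4))  # stand-in for a wiped file
        return {os.path.basename(p): random_block_fraction(p) for p in (intact, wiped)}

if __name__ == "__main__":
    for name, fraction in classify_samples().items():
        print(f"{name}: {fraction:.0%} of blocks look random")
```

Run over a directory of suspect files during incident response, the same heuristic separates overwritten artefacts from intact ones without needing a sample of the wiper itself.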

ESET’s team discovered that SwiftSlicer was developed by the state-backed hacking gang using the programming language Golang. The language is well-known for being a go-to option for countless threat operators due to its versatility and the way that it can easily be compiled for all types of hardware and platforms.

While the malicious software was only recently added to the VirusTotal database (submitted on January 26), SwiftSlicer is already detected by over half of the antivirus engines currently listed on the security scanning platform.

Finally, a recent report issued by the Ukrainian Computer Emergency Response Team (CERT-UA) states that the Sandworm hacking group has also tried to deploy five different data-destruction utilities against the network of the Ukrinform news agency. These include CaddyWiper, AwfulShred, ZeroWipe, SDelete and BidSwipe. All of these were distributed using the same approach as the recent SwiftSlicer attack.