Sandworm APT Deploys New SwiftSlicer Wiper Using Active Directory Group Policy
Sandworm, the Russian-backed APT responsible for NotPetya in 2017, has recently attacked an Ukrainian organization using a new wiper, SwiftSlicer.
Background
On January 27, ESET Research has published a thread on Twitter discussing its analysis of a new wiper malware used in a cyberattack in Ukraine. This new malware, dubbed "SwiftSlicer", was deployed in the target environment using Active Directory (AD) Group Policy. ESET has attributed the attack to Sandworm, an advanced persistent threat (APT) group most notably responsible for the NotPetya attacks in Ukraine in 2017.
#BREAKING On January 25th #ESETResearch discovered a new cyberattack in 🇺🇦 Ukraine. Attackers deployed a new wiper we named #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer wiper is written in Go programing language. We attribute this attack to #Sandworm. 1/3 pic.twitter.com/pMij9lpU5J
— ESET Research (@ESETresearch) January 27, 2023
Analysis
SwiftSlicer is a wiper malware written in the Go programming language. It was deployed against Ukrainian targets by using Domain Policy Modification: Group Policy Modification. Use of AD group policies indicates that, after gaining access to the target, the threat actor compromised the domain controller. SwiftSlicer then overwrites shadow copies, files in the driver directory "%CSIDL_SYSTEM%/drivers", NT Directory Services folder "%CSIDL_SYSTEM%/Windows/NTDS" and other non-system drives with random data before force rebooting the machine.
Sandworm, which has been operating since at least 2009, has targeted Ukraine in a years-long campaign, launching numerous high-profile attacks against Ukrainian infrastructure and entities, such as attacks on the national power grid in 2015 and 2016 and an attempted attack in 2022. The use of AD group policies is not new for Sandworm. In the first few months of 2022, two similar wiper variants, HermeticWiper and CaddyWiper, were dropped onto devices of target organizations in Ukraine using group policies.
Historical exploitation of vulnerabilities for initial access
Researchers from iSIGHT Partners detailed the Sandworm Team’s use of vulnerabilities as part of spearphishing attacks against targeted entities, including a zero-day in Windows Object Linking and Embedding (OLE), identified as CVE-2014-4114, as well as CVE-2013-3906, a remote code execution vulnerability in the Microsoft Graphics Device Interface (GDI+).
In 2020, the National Security Agency (NSA) issued a cybersecurity advisory detailing the Sandworm Team’s use of CVE-2019-10149, a remote command execution vulnerability in the Exim mail transfer agent.
In 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) warned that Sandworm was observed exploiting CVE-2022-30190, a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), also known as Follina.
Identifying affected systems
Sandworm has been known to utilize zero days and spearphishing techniques to infiltrate networks and spread a variety of malware. As demonstrated in this attack, the group often takes advantage of AD in order to infect as many machines as possible. Their techniques are often destructive, as they continue to favor “wiper” type malware to render workstations inoperable, while generally leaving AD intact to maintain their foothold into a victims organization. We highly recommend reviewing your AD environment to focus on misconfigurations that may put your organization at risk. Tenable's Active Directory Security solution helps organizations gain visibility into your complex AD environment, predict what matters to reduce risk, and eliminate attack paths before attackers exploit them.
The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed Common Vulnerabilities and Exposures (CVEs). A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.
Tenable has coverage for CVEs known to be used by Sandworm. A dynamic and filtered list can be found here.
Get more information
Join Tenable's Security Response Team on the Tenable Community
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Tenable Security Response Team
Tenable Security Response Team
The Tenable Security Response Team (SRT) tracks threat and vulnerability intelligence feeds to ensure our research teams can deliver sensor coverage to our products as quickly as possible. The SRT also works to analyze and assess technical details and writes white papers, blogs and additional communications to ensure stakeholders are fully informed of the latest risks and threats. The SRT provides breakdowns for the latest vulnerabilities on the Tenable blog.Related articles
Frequently Asked Questions About the MITRE CVE Program Expiration and Renewal
Concerns about the future of the MITRE CVE Program continue to circulate. The Tenable Security Response Team has created this FAQ to help provide clarity and context around this developing situation....
Oracle April 2025 Critical Patch Update Addresses 171 CVEs
Oracle addresses 171 CVEs in its second quarterly update of 2025 with 378 patches, including 40 critical updates.BackgroundOn April 15, Oracle released its Critical Patch Update (CPU) for April 2025, the second quarterly update of the year. This CPU contains fixes for 171 unique CVEs in 378 security...
MITRE CVE Program Funding Extended For One Year
MITRE’s CVE program has been an important pillar in cybersecurity for over two decades. While CISA secured funding on April 16 to extend the program for the next year, the lack of clarity surrounding its long-term future creates great uncertainty about how newly discovered vulnerabilities will be ca...
- Exposure Management