Press Center

Malware and antivirus software

News

ESET Research: Russian APT groups, including Sandworm, continue their attacks against Ukraine with wipers and ransomware

Created: 2023-01-31 04:04:22

  • ESET released its latest APT Activity Report, covering the period from September until the end of December 2022 (T3 2022).

  • Russia-aligned APT groups continued to be particularly involved in operations targeting Ukraine, deploying destructive wipers such as NikoWiper. Sandworm launched the wipers in parallel with Russia’s armed forces launching missile strikes targeting energy infrastructure. While ESET is not able to show that those events were coordinated, it suggests that Sandworm and the military forces of Russia have related objectives.

  • Russian APT groups attacked Ukraine with ransomware (Prestige, RansomBoggs).

  • Along with Sandworm, other Russian APT groups such as Callisto, Gamaredon, and Dukes continued their spearphishing campaigns against the Eastern European nation.

  • China-aligned groups, specifically Goblin Panda, started duplicating Mustang Panda's interest in European countries.

  • Iran-aligned groups continued to operate at a high volume.

BRATISLAVA, MONTREAL — January 31, 2023 — ESET Research today released its latest APT Activity Report, which summarizes discoveries about select advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers between September and the end of December (T3) 2022. During this period, Russia-aligned APT groups continued to be particularly involved in operations targeting Ukraine, deploying destructive wipers and ransomware. Goblin Panda, a China-aligned group, started to duplicate Mustang Panda’s interest in European countries. Iran-aligned groups continued to operate at a high volume, too.

In Ukraine, ESET detected the infamous Sandworm group using a previously unknown wiper against an energy sector company. Nation-state or state-sponsored actors usually operate APT groups; the described attack happened in October during the same period when Russian armed forces began

launching missile strikes targeting energy infrastructure. While ESET is not able to show that those events were coordinated, it suggests that Sandworm and the Russian military have related objectives.

ESET has named the latest wiper, from a series of previously discovered wipers, NikoWiper. This wiper was used against a company in the energy sector in Ukraine in October 2022. NikoWiper is based on SDelete, a command line utility from Microsoft that is used for securely deleting files.

In addition to data-wiping malware, ESET discovered Sandworm attacks using ransomware as a wiper. In those attacks, although ransomware was used, the final objective was the same as for the wipers: data destruction. Unlike traditional ransomware attacks, the Sandworm operators do not intend to provide a decryption key.

In October 2022, ESET detected Prestige ransomware being deployed against logistics companies in Ukraine and Poland. And in November 2022, ESET discovered new ransomware in Ukraine written in .NET that we named RansomBoggs. ESET Research publicly reported this campaign on its Twitter account. Along with Sandworm, other Russian APT groups such as Callisto and Gamaredon have continued their spearphishing campaigns against Ukraine to steal credentials and install implants.

ESET researchers also detected a MirrorFace spearphishing campaign targeting political entities in Japan and noticed a gradual change in the targeting of some China-aligned groups – Goblin Panda started to duplicate Mustang Panda’s interest in European countries. Last November, ESET discovered a new Goblin Panda backdoor, which we named TurboSlate, in a government organization in the European Union. Mustang Panda has also continued to target European organizations. Last September, we detected a Korplug loader used by Mustang Panda at an organization in Switzerland's energy and engineering sector.

Iran-aligned groups continued their attacks, too – besides Israeli companies, POLONIUM also started targeting the foreign subsidiaries of Israeli companies, and MuddyWater probably compromised a managed security service provider.

North Korea-aligned groups used old exploits to compromise cryptocurrency firms and exchanges in various parts of the world. Interestingly, Konni has expanded the repertoire of languages it uses in its decoy documents to include English, which means it might not be aiming at its usual Russian and South Korean targets.

For more technical information, check the full “ESET APT Activity Report” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided to ESET private APT report customers. ESET prepares in-depth technical reports and frequent activity updates detailing activities of specific APT groups in the form of ESET APT Reports PREMIUM to help organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. More information about ESET APT Reports PREMIUM that deliver high-quality, strategic, actionable, and tactical cybersecurity threat intelligence is available on the ESET Threat Intelligence page.

 




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Why ESET?

ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.