The Week in Security: Russia takes aim at Ukraine with Sandworm, the truth about Russia's top search engine

This week: A Russian APT group is using several malware strains to attack entities in Ukraine. Also: A massive Yandex code leak reveals the ranking factors of Russia’s search engines.

This Week’s Top Story

Russia-affiliated APT Sandworm uses multiple malware wiper strains to attack Ukrainian entities

Just shy of Russia’s war on Ukraine reaching its 12 month-mark, ESET has discovered a new malware wiper strain being used by Sandworm, a Russia-affiliated advanced persistent threat (APT) group. The Hacker News reports that the wiper, dubbed NikoWiper, was used in Sandworm’s attack on a Ukrainian energy sector company in October 2022. According to ESET, this attack coincided with Russian missile strikes aimed at Ukraine’s energy infrastructure, suggesting a shared objective behind both attacks.

Malware wiper strains have become a favored attack method for targeted incidents this past year, and several strains have been used to attack Ukraine throughout the timeline of the war. This kind of malware, once installed, deletes all of the files on an impacted system, causing devastating losses for victims, giving it the name “wiper.”

NikoWiper, while unique in its design compared to other strains, is just one of the wipers that Sandworm has been caught using. ESET recently discovered that the group used a Golang-based data wiper dubbed SwiftSlicer on an unnamed Ukrainian entity on Jan 25, 2023. The Hacker News also reports that the APT group has used as many as five different wiper strains (CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe) in an attack on Ukrinform, a Ukrainian national news agency. Sandworm has even used Prestige and RansomBogs, two ransomware families, to lock victim data using encryption barriers.

In an interview with The Hacker News, expert Dmitry Bestuzhev shared that the APT group has been “actively working on developing wipers and ransomware families used explicitly for Ukraine.” Given that Sandworm’s most recent attack happened last week, it is likely that cyberattacks by this group will continue as we enter year two of the Russo-Ukrainian war.

News Roundup

Here are the stories we’re paying attention to this week…

Massive Yandex code leak reveals Russian search engine's ranking factors (ArsTechnica)

Nearly 45GB of source code files, allegedly stolen by a former employee, have revealed the underpinnings of Russian tech giant Yandex's many apps and services. It also revealed key ranking factors for Yandex's search engine, the kind almost never revealed in public.

CISA: Federal agencies hacked using legitimate remote desktop tools (BleepingComputer)

CISA, the NSA, and MS-ISAC warned in a joint advisory that attackers are increasingly using legitimate remote monitoring and management (RMM) software for malicious purposes. Also, CISA discovered malicious activity within the networks of multiple federal civilian executive branch (FCEB) agencies using the EINSTEIN intrusion detection system.

Ransomware payments are down (Schneier on Security)

Chainanalysis reports that worldwide ransomware payments were down in 2022: Ransomware attackers extorted at least $456.8 million from victims in 2022, down from $765.6 million the year before.

Researchers uncover packer used by several malware to evade detection for 6 years (The Hacker News)

A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years.

Microsoft Defender can now isolate compromised Linux endpoints (BleepingComputer)

Microsoft announced today that it added device isolation support to Microsoft Defender for Endpoint (MDE) on onboarded Linux devices. Enterprise admins can manually isolate Linux machines enrolled as part of a public preview using the Microsoft 365 Defender portal or via API requests.