Sandworm APT Deploys New SwiftSlicer Wiper Using Active Directory Group Policy

Sandworm APT Deploys New SwiftSlicer Wiper Using Active Directory Group Policy

Sandworm, the Russian-backed APT responsible for NotPetya in 2017, has recently attacked an Ukrainian organization using a new wiper, SwiftSlicer.


On January 27, ESET Research has published a thread on Twitter discussing its analysis of a new wiper malware used in a cyberattack in Ukraine. This new malware, dubbed “SwiftSlicer”, was deployed in the target environment using Active Directory (AD) Group Policy. ESET has attributed the attack to Sandworm, an advanced persistent threat (APT) group most notably responsible for the NotPetya attacks in Ukraine in 2017.

#BREAKING On January 25th #ESETResearch discovered a new cyberattack in 🇺🇦 Ukraine. Attackers deployed a new wiper we named #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer wiper is written in Go programing language. We attribute this attack to #Sandworm. 1/3

— ESET Research (@ESETresearch) January 27, 2023


SwiftSlicer is a wiper malware written in the Go programming language. It was deployed against Ukrainian targets by using Domain Policy Modification: Group Policy Modification. Use of AD group policies indicates that, after gaining access to the target, the threat actor compromised the domain controller. SwiftSlicer then overwrites shadow copies, files in the driver directory “%CSIDL_SYSTEM%/drivers”, NT Directory Services folder “%CSIDL_SYSTEM%/Windows/NTDS” and other non-system drives with random data before force rebooting the machine.

Sandworm, which has been operating since at least 2009, has targeted Ukraine in a years-long campaign, launching numerous high-profile attacks against Ukrainian infrastructure and entities, such as attacks on the national power grid in 2015 and 2016 and an attempted attack in 2022. The use of AD group policies is not new for Sandworm. In the first few months of 2022, two similar wiper variants, HermeticWiper and CaddyWiper, were dropped onto devices of target organizations in Ukraine using group policies.

Historical exploitation of vulnerabilities for initial access

Researchers from iSIGHT Partners detailed the Sandworm Team’s use of vulnerabilities as part of spearphishing attacks against targeted entities, including a zero-day in Windows Object Linking and Embedding (OLE), identified as CVE-2014-4114, as well as CVE-2013-3906, a remote code execution vulnerability in the Microsoft Graphics Device Interface (GDI+).

In 2020, the National Security Agency (NSA) issued a cybersecurity advisory detailing the Sandworm Team’s use of CVE-2019-10149, a remote command execution vulnerability in the Exim mail transfer agent.

In 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) warned that Sandworm was observed exploiting CVE-2022-30190, a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), also known as Follina.

Identifying affected systems

Sandworm has been known to utilize zero days and spearphishing techniques to infiltrate networks and spread a variety of malware. As demonstrated in this attack, the group often takes advantage of AD in order to infect as many machines as possible. Their techniques are often destructive, as they continue to favor “wiper” type malware to render workstations inoperable, while generally leaving AD intact to maintain their foothold into a victims organization.

The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed Common Vulnerabilities and Exposures (CVEs). A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.

Tenable has coverage for CVEs known to be used by Sandworm. A dynamic and filtered list can be found here.

Get more information

Sandworm Team Overview

Join Tenable’s Security Response Team on the Tenable Community

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

   Cyber Exposure Alerts 


More To Explore

We can help improve your Business

Ensure your Organization Assets are well  protected in front of the Cyber Attacks

Delivery Workflow

Register for Free and get your test done withn 24 to 48 hours

See Workflow

Sample Report

Here is a sample report of a Security Testing Engagement

See Sample Report PDF

Work Request

Order your security test and Get Your Report

Get Your Test Report
Generated by Feedzy

1. Client Onboarding

Access to all of Cyber Legion's services is provided through the Web Secure Client Portal. To create a Free account, you can sign up through the portal, or contact the Cyber Legion team and they will set up an account for you.

2. NDA , Agreements & Digital Signature

The integration of Digital Signature in our Web Client Portal allows us to legally sign all necessary documents and agreements, enabling us to carry out security assessments on targeted systems.

3. Submit Work Request

Our pricing structure is adaptable to meet the needs of all clients. By filling out the Work Request Form, you can select from pre-existing services or request a personalized proposal.

The Cyber Legion team will acknowledge your order, set up a project in your account, and proceed with the testing and delivery.

4. Security Testing & Report

We meet agreed upon SLAs and follow security testing framework checklists. Based on our commitment, our team of engineers will utilize all of our tools, automation, and testing capabilities to achieve the objectives.

Within the agreed upon timeframe, you will receive a report on the security test that was conducted, including the results, recommendations, and references for addressing any identified issues.

5. Retesting & Validation of Remediation

We not only identify potential threats, risks, and vulnerabilities, but also provide detailed recommendations for resolution. To ensure complete remediation, we offer complimentary retesting and a range of ongoing security testing options for continued vulnerability detection and verification.