Russian Hackers Utilize New Malware in Attacks on Ukrainian Energy - How Could the Threat Spread?

Researchers from Slovak cybersecurity firm ESET have uncovered a new data-wiping malware, "NikoWiper", that was used against an unnamed company in Ukraine's energy sector in October. The wiper is built on SDelete, a Microsoft Sysinternals command-line utility for securely deleting files, repurposed to destroy data rather than to clean it up. Because SDelete is a legitimate, signed administrative tool, a wiper built on it gives file-level antivirus little to go on; the destructive intent shows mainly in how, where and how often it is invoked. The discovery highlights how Russian military forces and hacking groups continue to share similar goals, despite the absence of the "cyber Armageddon" many expected during the war in Ukraine.
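Since NikoWiper is built on SDelete, the check a detection engineer would want is one that flags SDelete-style launches in process-creation telemetry, including a renamed copy of the binary and the free-space-wipe and multi-pass switches that signal destruction rather than routine cleanup. The script below is an added example for this article, not code from ESET, Xage or the malware itself. It assumes Sysmon Event ID 1 style fields (EventTime, ProcessId, Image, OriginalFileName, CommandLine, ParentImage), uses SDelete's documented switches (-p <passes>, -s, -z, -c, -nobanner, -accepteula) as the signature, and runs over constructed sample events; it says nothing about NikoWiper's actual command lines.

```python
"""
Added example (not from the article, ESET or NikoWiper): flag SDelete-style
invocations in Windows process-creation telemetry.

Assumptions: events carry Sysmon Event ID 1 style fields; sample events are
constructed; SDelete's documented switches are used as the signature.
"""
import ntpath
import re
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional

SDELETE_NAMES = {"sdelete.exe", "sdelete64.exe", "sdelete64a.exe"}

# Switches characteristic of Sysinternals tools; -p and -s alone are too noisy
# (svchost.exe takes both), so they only count once the event is already a hit.
SDELETE_SWITCH = re.compile(r"(?:^|\s)-(?:nobanner|accepteula)(?=\s|$)", re.I)
FREE_SPACE_WIPE = re.compile(r"(?:^|\s)-(?:z|c)(?=\s|$)", re.I)      # -z / -c: wipe free space
OVERWRITE_PASSES = re.compile(r"(?:^|\s)-p\s+\d+(?=\s|$)", re.I)     # -p <n>: overwrite passes
BURST_WINDOW = timedelta(seconds=60)

# Constructed sample events (hypothetical host, paths and times).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventTime": "2022-10-17T03:12:41Z", "ProcessId": "4412",
     "Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"svchost.exe -accepteula -nobanner -p 3 -s C:\ProgramData\Historian",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventTime": "2022-10-17T03:12:42Z", "ProcessId": "4420",
     "Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"svchost.exe -accepteula -nobanner -z C:",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventTime": "2022-10-17T08:05:10Z", "ProcessId": "5120",
     "Image": r"C:\Tools\sdelete64.exe", "OriginalFileName": "sdelete.exe",
     "CommandLine": r"sdelete64.exe -p 1 C:\Users\ops\old.log",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventTime": "2022-10-17T08:06:00Z", "ProcessId": "5200",
     "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def classify(ev: Dict[str, str]) -> Optional[Dict[str, Any]]:
    """Return a finding for one event, or None if it does not look like SDelete."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "")
    name_match = image in SDELETE_NAMES or original in SDELETE_NAMES
    if not (name_match or SDELETE_SWITCH.search(cmd)):
        return None
    reasons: List[str] = []
    renamed = original in SDELETE_NAMES and image not in SDELETE_NAMES
    if image in SDELETE_NAMES:
        reasons.append("image name is SDelete")
    if original in SDELETE_NAMES:
        reasons.append("PE OriginalFileName is SDelete")
    if renamed:
        reasons.append(f"renamed binary ({image})")
    if SDELETE_SWITCH.search(cmd):
        reasons.append("SDelete-specific switch")
    wipes_free_space = bool(FREE_SPACE_WIPE.search(cmd))
    if wipes_free_space:
        reasons.append("free-space wipe (-z/-c)")
    if OVERWRITE_PASSES.search(cmd):
        reasons.append("overwrite pass count given")
    # A renamed tool or a free-space wipe is the evasive/destructive case.
    severity = "high" if (renamed or wipes_free_space) else "medium"
    return {"ProcessId": ev["ProcessId"], "EventTime": ev["EventTime"],
            "ParentImage": ev.get("ParentImage", ""), "severity": severity,
            "reasons": reasons}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Classify every event, then escalate bursts of launches under one parent:
    a wiper iterating over directories looks like that; an admin run rarely does."""
    findings = [f for f in (classify(e) for e in events) if f]
    by_parent: Dict[str, List[Dict[str, Any]]] = {}
    for f in findings:
        by_parent.setdefault(f["ParentImage"].lower(), []).append(f)
    for group in by_parent.values():
        times = [datetime.strptime(f["EventTime"], "%Y-%m-%dT%H:%M:%SZ") for f in group]
        for i, f in enumerate(group):
            n = sum(1 for t in times if abs(t - times[i]) <= BURST_WINDOW)
            if n >= 2:
                f["burst"] = n
                f["severity"] = "high"
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["ProcessId"], "; ".join(f["reasons"]), f.get("burst", ""))
```

The gate on name or Sysinternals-specific switch is what keeps the legitimate svchost.exe launch (which also carries `-p -s`) out of the findings; in production the same logic maps directly onto a SIEM query over Sysmon or EDR process-start events, with the burst rule expressed as a count per parent process over a short window.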

The news of the attack also comes amid renewed concern over Russian cyberattacks on Western critical infrastructure. Last week, the Russian hacktivist group Killnet threatened retaliatory attacks against German organizations after the German government promised to send new tanks to Ukraine. The group also threatened a longer list of Western organizations, including medical organizations in several countries, but has yet to follow through on any of these threats.

Duncan Greatwood

We heard from Xage Security CEO Duncan Greatwood on what these recent findings mean for critical infrastructure security and what we should expect in terms of near-term security threats, in Ukraine and beyond. “This example of wiper malware being targeted at Ukrainian energy infrastructure indicates we have reached a new cybersecurity threat level in 2023, where it may take years of work to restore normal operations for impacted countries and operators. Wipers by design are meant to be destructive, and unlike ransomware, where an attacker is essentially holding the data hostage, wipers simply destroy the data and therefore the operations that depend on it.

To put this in context, let's say it's targeted towards a SCADA system for a major utility. Wiping the data would likely stop the supply of power dead and make it impossible to see or change what was happening within the SCADA stacks at substations and across the grid.

Cyber attacks are escalating, and today’s news is another proof point that adversaries, including nation-states, are embracing tactics and methods aimed at causing massive destruction. Ukraine has received assistance from the NSA in the US, and from other allies, to give them the best in traditional critical infrastructure cybersecurity processes. Nonetheless, today’s news is another proof point that cyber attacks can be just as destructive as military operations by nation-states, pushing infrastructure operators to look for new ways to protect themselves against these new threat levels.

What we don't want is a NotPetya-type of situation that happened in 2017, where attacks like these could spill out into the rest of the world and cause widespread critical infrastructure impacts. And this time, hackers are targeting beyond Ukraine, and would be delighted to cause damage to energy infrastructure in Europe and North America, especially if that damage could be positioned as an “accidental” overspill from their Ukraine operations. Learning of these attacks brings awareness, but new methods of response and prevention will be key to combating these challenges.”
