Nikowiper

Malware updated 4 months ago (2024-05-04T20:08:18.092Z)
NikoWiper is malicious software (malware) identified as a new data wiper attributed to Sandworm, a state-backed hacker group linked with Russia's Main Directorate of the General Staff of the Armed Forces (GRU). This malware, unique in its design compared to other strains, was used in an attack on a Ukrainian energy sector company in October 2022. NikoWiper is based on SDelete, the Microsoft command-line utility for securely deleting files, and infiltrates systems often without user knowledge, potentially stealing personal information, disrupting operations, or holding data hostage.

In April, the same group was suspected of trying to disrupt the Ukrainian power grid using another malware program called Industroyer2. By October, ESET had discovered new variants of both CaddyWiper and HermeticWiper, along with NikoWiper. The prime target of these Russia-aligned groups remained Ukraine, where new versions of the known wipers RoarBat and NikoWiper were found, along with a newly identified wiper named SharpNikoWiper.

Attributing these cyberattacks to Russian cyberoffensive groups may seem obvious given the pattern of attacks and the victims involved; however, evidence-based attribution remains complex. While the presence of malware such as CaddyWiper, NikoWiper, RansomBoggs, or Prestige ransomware points in a certain direction, definitive attribution requires rigorous investigation and concrete proof. Therefore, while there are strong suspicions, it is important to approach such attributions with caution.
Description last updated: 2024-05-04T16:48:33.659Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
| CaddyWiper | 3 | CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Wiper
Ransomware
Malware
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Prestige Ransomware | Unspecified | 2 | The Prestige ransomware is a type of malware that had not been observed by Microsoft prior to its deployment. It is a malicious software designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Once inside a system, it can steal personal |
Associated Threat Actors
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Sandworm | Unspecified | 3 | Sandworm, a Russia-linked threat actor group, has been implicated in a series of significant cyber-attacks targeting Ukraine's infrastructure. The group successfully compromised 11 Ukrainian telecommunication providers, demonstrating their extensive capabilities and the broad reach of their operatio |
Source Document References
Information about the Nikowiper Malware was read from the documents corpus below.
| Source Link | CreatedAt | Title |
| --- | --- | --- |
| BankInfoSecurity | 8 months ago | Russian Sandworm Group Spied on Kyivstar Networks for Months |
| CERT-EU | 10 months ago | ESET APT Activity Report Q2–Q3 2023 |
| CSO Online | 2 years ago | APT groups use ransomware TTPs as cover for intelligence gathering and sabotage |
| ESET | 2 years ago | A year of wiper attacks in Ukraine \| WeLiveSecurity |
| ESET | a year ago | ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine \| WeLiveSecurity |
| CERT-EU | 2 years ago | The Week in Security: Russia takes aim at Ukraine with Sandworm, the truth about Russia's top search engine |
| CERT-EU | a year ago | ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine |
| CERT-EU | 2 years ago | Russian Sandworm APT expands its arsenal with yet another wiper |