NikoWiper

Malware Profile Updated 3 months ago
NikoWiper is a data wiper attributed to Sandworm, a state-backed group linked with Russia's Main Directorate of the General Staff of the Armed Forces (GRU). ESET reported its use in an attack on a Ukrainian energy sector company in October 2022. Rather than a bespoke wiping routine, NikoWiper is built on SDelete, the Microsoft Sysinternals command-line utility for securely deleting files, and reuses it for destruction; as a wiper, its goal is to destroy data and disrupt operations rather than to steal information or hold it for ransom. In April 2022 the same group was suspected of trying to disrupt the Ukrainian power grid with another malware program, Industroyer2. By October 2022, ESET had discovered new variants of both CaddyWiper and HermeticWiper alongside NikoWiper. Ukraine remained the prime target of these Russia-aligned groups into 2023: ESET's APT Activity Report for Q2–Q3 2023 notes new versions of the known wipers RoarBat and NikoWiper, together with a newly identified wiper named SharpNikoWiper. Attributing these attacks to Russian offensive cyber groups may seem obvious from the pattern of attacks and the victims involved, but evidence-based attribution remains complex. The presence of malware such as CaddyWiper, NikoWiper, RansomBoggs or Prestige ransomware points in a certain direction, yet definitive attribution requires rigorous investigation and concrete proof, so such attributions should be treated with caution.
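Because NikoWiper is built on SDelete, the observable on an endpoint is an SDelete-style invocation rather than a custom wiping routine. The following is an added detection example, not code from the page or from any vendor report: a heuristic that scores Windows process-creation events for SDelete-like command lines, including a renamed copy of the tool. The switch set is SDelete's documented one (-accepteula, -nobanner, -p, -s, -r, -c, -z); the hostnames, paths and log events are constructed for illustration, and nothing here is a signature for NikoWiper itself, whose actual command lines the page does not describe.

```python
import re
import shlex

# Switches documented for Sysinternals SDelete (sdelete.exe / sdelete64.exe).
# NikoWiper is reported to be built on SDelete, so SDelete-style invocations
# are the observable; this is a generic heuristic, not a NikoWiper signature.
SYSINTERNALS_ONLY = {"-accepteula", "-nobanner"}   # switches specific to Sysinternals tools
FREE_SPACE_WIPE = {"-c", "-z"}                     # clean / zero free space on a volume
RECURSE = "-s"                                     # recurse into subdirectories
VOLUME_ROOT = re.compile(r"^[A-Za-z]:\\?$")        # e.g. C: or C:\

# Constructed process-creation events for illustration (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Tools\sdelete64.exe",
     "cmdline": r"sdelete64.exe -accepteula -nobanner -p 3 -s -r C:\Data"},
    {"host": "ws02", "image": r"C:\Windows\Temp\svchost.exe",
     "cmdline": r"svchost.exe -accepteula -z C:"},
    {"host": "ws03", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Data"},
    {"host": "ws04", "image": r"C:\Tools\sdelete.exe",
     "cmdline": r"sdelete.exe -nobanner C:\Users\bob\notes.txt"},
]


def split_cmdline(cmdline):
    """Tokenise a Windows command line without treating backslashes as escapes."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        return cmdline.split()


def analyze_event(event):
    """Return a finding with severity 'none', 'medium' or 'high' and the reasons for it."""
    tokens = split_cmdline(event["cmdline"])[1:]          # drop argv[0]
    switches = {t.lower() for t in tokens if t.startswith("-")}
    # Targets are the remaining tokens, minus numeric values such as the pass count after -p.
    targets = [t for t in tokens if not t.startswith(("-", "/")) and not t.isdigit()]
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    image_is_sdelete = "sdelete" in image_name

    reasons = []
    if switches & SYSINTERNALS_ONLY and not image_is_sdelete:
        reasons.append("SDelete-only switches from a binary not named sdelete (possible renamed copy)")
    if switches & FREE_SPACE_WIPE and any(VOLUME_ROOT.match(t) for t in targets):
        reasons.append("free-space wipe of an entire volume")
    if RECURSE in switches and targets:
        reasons.append("recursive secure delete of " + ", ".join(targets))
    high = bool(reasons)
    if image_is_sdelete and not reasons:
        reasons.append("SDelete run against a single path")   # noisy on admin hosts, still worth a look

    severity = "high" if high else ("medium" if reasons else "none")
    return {"host": event["host"], "image": image_name, "severity": severity, "reasons": reasons}


def scan(events):
    """Analyse every event in order; the caller decides what to alert on."""
    return [analyze_event(e) for e in events]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        if finding["severity"] != "none":
            print(finding["host"], finding["severity"], "; ".join(finding["reasons"]))
```

The point of keying on the argument pattern rather than the image name is the second sample event: a copy of SDelete dropped under a benign name still has to pass -accepteula or it will block on the EULA prompt, and a whole-volume -z or -c is rarely legitimate outside of disk decommissioning. A benign cmd.exe run that happens to contain "/c" scores nothing because slash-prefixed tokens are ignored.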
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
CaddyWiper (3 votes): CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malware families deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip
RoarBat (1 vote): RoarBat is a malicious software (malware) employed by the Sandworm hacking group, known for its operations against Windows devices. The malware utilizes a BAT script to execute harmful activities, with evidence suggesting that it shares similarities with a cyber attack on Ukrinform, the Ukrainian na
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Wiper, Ransomware, ESET, Ukrainian, Malware, Ukraine
Associated Malware
Prestige Ransomware (type unspecified, 2 votes): The Prestige ransomware is a type of malware that had not been observed by Microsoft prior to its deployment. It is malicious software designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Once inside a system, it can steal personal
HermeticWiper (type unspecified, 1 vote): HermeticWiper is a destructive malware that was first disclosed by cybersecurity researchers on February 23, 2022. This malicious software was deployed against organizations in Ukraine, with the intent of destroying computer systems and rendering them inoperable. The malware infiltrates systems thro
Industroyer2 (type unspecified, 1 vote): Industroyer2 is a sophisticated piece of malware designed to target Industrial Control Systems (ICS), developed and deployed by the Russian state-sponsored advanced persistent threat group, Sandworm. The group has been active since 2007 and used Industroyer2 in a significant attack against Ukraine's
Associated Threat Actors
Sandworm (type unspecified, 2 votes): Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met
Associated Vulnerabilities
No associations to display
Source Document References
Information about the NikoWiper malware was read from the documents corpus below. This display is limited to 20 results.
CERT-EU, 9 months ago: ESET APT Activity Report Q2–Q3 2023
CSO Online, a year ago: APT groups use ransomware TTPs as cover for intelligence gathering and sabotage
ESET, a year ago: A year of wiper attacks in Ukraine | WeLiveSecurity
ESET, a year ago: ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine | WeLiveSecurity
CERT-EU, a year ago: The Week in Security: Russia takes aim at Ukraine with Sandworm, the truth about Russia's top search engine
CERT-EU, a year ago: ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine
CERT-EU, a year ago: Russian Sandworm APT expands its arsenal with yet another wiper