
Wipers Are Widening: Here’s Why That Matters

In the first half of this year, researchers saw a rising trend of wiper malware being deployed in parallel with the Russia-Ukraine war. However, those wipers haven’t stayed in one place – they’re emerging globally, which underscores the fact that cybercrime knows no borders. 


It’s not just the numbers that are growing; we’re also seeing a rise in variety and sophistication. These wiper varieties are also increasingly targeting critical infrastructure.

Awash with wipers 

The war in Ukraine has undoubtedly fueled a major uptick in the use of wiper malware; FortiGuard Labs research identified at least seven new wiper variants in the first half of 2022 that were used in campaigns targeting government, military and private organizations. That’s almost as many wiper variants as have been publicly detected in total since 2012, when bad actors used the Shamoon wiper to attack a Saudi Arabian oil company.

These variants include the following:

• CaddyWiper: Bad actors used this variant to wipe data and partition information from drives on systems belonging to a select number of Ukrainian organizations shortly after the war began. 

• WhisperGate: Discovered by Microsoft in mid-January being used to target organizations in Ukraine.

• HermeticWiper: Noted in February by SentinelLabs, this tool for triggering boot failures was also found targeting Ukrainian organizations.

• IsaacWiper: A malware tool for overwriting data in disk drives and attached storage to render them inoperable.

We also observed three other variants targeting Ukrainian companies and organizations: WhisperKill, Double Zero and AcidRain.

Wipers without borders

Wiper ware activity isn’t limited to Ukraine. We’ve detected more wiper malware outside Ukraine than within the country since the war began in February. We’ve detected wiper activity in 24 countries other than Ukraine. 

For example, AcidRain, which was used to target a Ukrainian satellite broadband service provider, also was used in an attack that knocked several thousand German wind turbines offline in March. What does this signify? It shows that attacks like these can jump boundaries – whether those borders are between countries or between IT and OT.

Enterprise security teams need to prepare themselves. While the number of detections has been lower so far than for other types of cyberattacks, the very nature of wipers and how they’re used makes them very dangerous. Bad actors use wiper malware for everything from financial gain to sabotage, destruction of evidence and cyber war. The original wiper ware, Shamoon, clearly showed how wipers can be used as weapons of cyber sabotage – and it also showed how the same wiper can rear its ugly head even years after its first appearance. 

Variants like GermanWiper and NotPetya have revealed the ways wipers can be used to try to extort money from victims – such as by “pretending” to be ransomware. And NotPetya, as you probably recall, originally targeted Ukrainian organizations but quickly spread to become one of the most devastating cyber-attacks of all time. 

Don’t get wiped out by wiper ware

One thing to consider with wipers is whether or not they are self-propagating. If it’s a worm, like NotPetya, it can self-propagate to other machines once it’s let loose. And once that happens, it can’t be controlled.

In February, CISA released a warning of the direct threat wipers pose, and recommended that “organizations increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for wiper attacks.”

To minimize the impact of wiper malware, one of the most helpful countermeasures for organizations is integrated, AI and ML-driven, advanced detection and response capabilities powered by actionable threat intelligence to protect across all edges of hybrid networks.

Network segmentation is another countermeasure, one that can be applied on multiple levels. It can confine the impact of an attack to a single segment of the network, for example, and limit lateral movement. 

Organizations should also consider deception technology, a strategy in which cyber attackers are lured away from an enterprise’s true assets and instead, diverted toward a decoy or a trap. The decoy mimics legitimate servers, applications and data to trick the bad actor into thinking they’ve infiltrated the real thing. 

In addition, services such as a digital risk protection service (DRPS) can help with external surface threat assessments, remediate security issues, and gain contextual insights on imminent threats.

Don’t scrimp on incident response: If your organization is hit with wiper malware, the speed and quality of incident response is critical; the outcome of the attack can depend on it. The importance of incident response, and of planning for it, can’t be overstated. Plans should include defined processes for business continuity without IT, for how restoration from backups will be done, and for how the incident itself will be handled. 

Looking ahead

What we’ve seen with the attacks on Ukraine – and others – is that wiper ware can be and is being used to degrade and disrupt critical infrastructure. This is being done as part of larger cyber warfare efforts. Another common tactic we’re seeing is that wiper malware samples sometimes “pretend” to be ransomware – leveraging many of the same tactics, techniques and procedures that ransomware uses but without the possibility of recovering the files. 
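The detection-and-response point made earlier, together with the observation that wipers borrow ransomware tactics while offering no recovery path, is the kind of thing that is easier to reason about against concrete telemetry. The example below is added here and is not code from the article or from FortiGuard Labs; it runs a small defensive heuristic over constructed endpoint file-activity records. The event fields, the raw-device path prefixes, the ransom-note name markers and the threshold of 20 files are all assumptions chosen for illustration, not values from the article or from any product.

```python
"""Heuristic triage of endpoint file-activity telemetry for wiper-like behaviour.

Added example; the record format, sensor fields and thresholds are assumed.
The idea mirrors the article's descriptions: wipers overwrite file contents
in place (often with zeros) and tamper with partition/boot data on the raw
disk, while ransomware-like activity encrypts files and offers a recovery
path (renamed files, a dropped note). Telemetry alone cannot prove whether
encrypted data is recoverable, so both labels deserve the same response
priority; the labels only say which playbook to open first.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class FileEvent:
    """One constructed sensor record (field semantics assumed for this example)."""
    pid: int
    process: str
    op: str                     # "write", "rename", "create", "raw_write"
    path: str
    zero_fill: bool = False     # sensor judged the written bytes to be mostly zeros
    high_entropy: bool = False  # sensor judged the written bytes to look random/encrypted


# Assumed raw block-device paths (Windows and Linux forms); writes here hit
# partition tables and boot records rather than ordinary files.
RAW_DEVICE_PREFIXES = ("\\\\.\\PhysicalDrive", "\\\\.\\C:", "/dev/sd", "/dev/nvme")
# Assumed substrings that commonly appear in ransom-note file names.
NOTE_MARKERS = ("readme", "recover", "decrypt", "restore")


def _is_raw_device(path: str) -> bool:
    return path.startswith(RAW_DEVICE_PREFIXES)


def _looks_like_note(path: str) -> bool:
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(marker in name for marker in NOTE_MARKERS)


def classify_processes(events: Iterable[FileEvent], mass_threshold: int = 20) -> Dict[int, str]:
    """Label each pid as 'wiper-like', 'ransomware-like' or 'benign'.

    Rules (heuristic, assumed for the example):
      * any write to a raw block device                        -> wiper-like
      * >= mass_threshold distinct files zero-filled            -> wiper-like
      * >= mass_threshold distinct files overwritten with
        high-entropy data, plus renames or a dropped note       -> ransomware-like
      * the same mass high-entropy overwrite with no recovery
        artefacts at all                                        -> wiper-like
      * anything else                                           -> benign
    """
    by_pid: Dict[int, List[FileEvent]] = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)

    labels: Dict[int, str] = {}
    for pid, evs in by_pid.items():
        raw_disk = any(ev.op == "raw_write" or _is_raw_device(ev.path) for ev in evs)
        zeroed = {ev.path for ev in evs if ev.op == "write" and ev.zero_fill}
        encrypted = {ev.path for ev in evs if ev.op == "write" and ev.high_entropy}
        renames = sum(1 for ev in evs if ev.op == "rename")
        note_dropped = any(ev.op == "create" and _looks_like_note(ev.path) for ev in evs)

        if raw_disk or len(zeroed) >= mass_threshold:
            labels[pid] = "wiper-like"
        elif len(encrypted) >= mass_threshold:
            labels[pid] = "ransomware-like" if (renames or note_dropped) else "wiper-like"
        else:
            labels[pid] = "benign"
    return labels


def constructed_sample() -> List[FileEvent]:
    """Constructed telemetry: a backup agent, a ransomware-like process, a wiper-like one."""
    evs: List[FileEvent] = []
    for i in range(5):  # pid 100: ordinary plaintext writes, low volume
        evs.append(FileEvent(100, "backup_agent", "write", f"/srv/backup/report{i}.db"))
    for i in range(30):  # pid 200: encrypts documents, renames them, leaves a note
        evs.append(FileEvent(200, "crypt.exe", "write", f"C:\\Users\\a\\Docs\\f{i}.docx", high_entropy=True))
        evs.append(FileEvent(200, "crypt.exe", "rename", f"C:\\Users\\a\\Docs\\f{i}.docx.locked"))
    evs.append(FileEvent(200, "crypt.exe", "create", "C:\\Users\\a\\Docs\\README_RECOVER.txt"))
    for i in range(25):  # pid 300: zero-fills data files, then writes to the raw disk
        evs.append(FileEvent(300, "svc_upd.exe", "write", f"C:\\Data\\db{i}.mdf", zero_fill=True))
    evs.append(FileEvent(300, "svc_upd.exe", "raw_write", "\\\\.\\PhysicalDrive0"))
    return evs


if __name__ == "__main__":
    for pid, label in sorted(classify_processes(constructed_sample()).items()):
        print(f"pid {pid}: {label}")
```

The useful property for a defender is that the raw-disk rule fires on a single event, so partition or boot-record tampering is flagged before any file-count threshold is reached; the file-volume rules are the fallback for wipers that stay within the file system. Tune `mass_threshold` to what a normal process on your hosts writes in the observation window.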

The net takeaway here is that wiper ware is being used for both financial gain and cyber sabotage – and it can have very devastating consequences. And just because we’re seeing comparatively lower detections than other types of cyberattacks, don’t fall into the trap of thinking it can’t affect you.

Written By

Derek Manky is Chief Security Strategist & VP Global Threat Intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
