
Wipers Are Expanding: Here's Why That Matters

Read to know more about wiper malware.


In the first half of this year, researchers observed a rise in the use of wiper malware in tandem with the Russia-Ukraine conflict. However, those wipers haven't stayed in one place; they're spreading worldwide, proving that cybercrime has no borders. 

Not only are the numbers increasing, but so are the variety and sophistication of the samples. These wiper variants are increasingly aimed at critical infrastructure. The war in Ukraine has undoubtedly fueled significant growth in the use of wiper malware; FortiGuard Labs' research identified at least seven new wiper variants used in campaigns targeting government, military, and private organizations in the first half of 2022.

That's nearly as many wiper variants as have been publicly detected since 2012, when bad actors used the Shamoon wiper to attack a Saudi oil company. They include the following:

• CaddyWiper: Bad actors used this variant to wipe data and partition information from drives on systems belonging to a select number of Ukrainian organizations shortly after the war began.
• WhisperGate: Discovered by Microsoft in mid-January being used to target organizations in Ukraine.
• HermeticWiper: Noted in February by SentinelLabs, this tool for triggering boot failures was also found targeting Ukrainian organizations.
• IsaacWiper: A malware tool for overwriting data on disk drives and attached storage to render them inoperable.

We also discovered three variants aimed at Ukrainian businesses and organizations: WhisperKill, Double Zero, and AcidRain.

Wipers without borders

Wiper campaigns are not confined to Ukraine. Since the beginning of the conflict in February, we've detected more wiper malware outside Ukraine than inside it. Wiper activity has been detected in 24 countries other than Ukraine.

AcidRain, utilized to target a Ukrainian satellite broadband service provider, was also used in a March attack that knocked out several thousand German wind turbines. What does this mean? It demonstrates that such attacks can cross borders, whether they are between countries or between IT and OT.

Enterprise security teams must be prepared. While the number of detected wipers has been lower than for other types of cyberattacks thus far, the nature of wipers and how they are used make them extremely dangerous. Wiper malware is used by bad actors for a variety of purposes, including financial gain, sabotage, evidence destruction, and cyber war. Shamoon, the original wiper ware, demonstrated clearly how wipers can be used as cyber sabotage weapons - and how the same wiper can rear its ugly head years later.

Variants such as GermanWiper and NotPetya have demonstrated how wipers can be used to extort money from victims, for example by "pretending" to be ransomware. And, as you may recall, NotPetya began as a cyber-attack against Ukrainian organizations but quickly spread to become one of the most devastating cyber-attacks of all time.

When it comes to wipers, one factor to think about is whether or not they self-propagate. If it's a worm, like NotPetya, it can spread to other machines once released. And once that occurs, it is uncontrollable.

CISA issued a warning about the direct threat wipers pose in February, recommending that "organizations increase vigilance and evaluate their capabilities encompassing wiper attack planning, preparation, detection, and response."

One of the most effective defensive measures against wiper malware is integrated, AI- and ML-driven, advanced detection and response capability, powered by actionable threat intelligence, that protects across all edges of hybrid networks.

Network segmentation, for example, can confine the impact of an attack to a single segment of the network and limit lateral movement.

Deception technology, a strategy in which cyber attackers are diverted away from an enterprise's true assets and instead directed toward a decoy or a trap, should also be considered by organizations. The decoy imitates legitimate servers, applications, and data in order to fool the bad actor into thinking they have infiltrated the real thing.
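As an added illustration of the decoy idea (example code written for this page, not from the original post or from any vendor's product): a small Python canary-file monitor that plants decoy files with known contents in a location nothing legitimate should ever write to, then reports any decoy that has been overwritten or deleted. Because a wiper destroys data indiscriminately, tampered decoys are an early, low-noise signal that destruction is in progress. The decoy file names and the temporary directory used in the demo are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names: chosen to look like ordinary business data so that
# indiscriminate destruction is likely to touch them. Nothing legitimate should
# ever modify these files, so any change is treated as an alert.
DECOY_NAMES = ("Q3_forecast.xlsx", "payroll_export.csv", "board_minutes.docx")


def plant_decoys(root, names=DECOY_NAMES, size=4096):
    """Create decoy files under `root` and return a manifest {path: sha256 hex}."""
    manifest = {}
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for name in names:
        path = root / name
        data = os.urandom(size)  # content is irrelevant; only its hash matters
        path.write_bytes(data)
        manifest[str(path)] = hashlib.sha256(data).hexdigest()
    return manifest


def check_decoys(manifest):
    """Compare every decoy against the manifest.

    Returns a sorted list of (path, status), where status is 'missing' (the file
    was deleted) or 'modified' (its contents no longer match). An empty list
    means all decoys are intact.
    """
    findings = []
    for path, expected in manifest.items():
        p = Path(path)
        if not p.is_file():
            findings.append((path, "missing"))
            continue
        actual = hashlib.sha256(p.read_bytes()).hexdigest()
        if actual != expected:
            findings.append((path, "modified"))
    return sorted(findings)


def decoys_compromised(manifest):
    """True when any decoy was altered or removed, i.e. a destruction alert should fire."""
    return bool(check_decoys(manifest))


def run_demo():
    """Plant decoys in a temp directory, tamper with two of them, and return
    (findings_before, findings_after) so the effect of the check is visible."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = plant_decoys(tmp)
        before = check_decoys(manifest)
        # Simulate what a wiper does to the decoys: one overwritten in place
        # with zeros, one deleted outright.
        first, second = sorted(manifest)[:2]
        Path(first).write_bytes(b"\x00" * 4096)
        Path(second).unlink()
        after = check_decoys(manifest)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("intact:", before)            # []
    print("after tampering:", after)    # one 'modified', one 'missing'
```

In a real deployment the manifest would be kept off the monitored host (a wiper that reaches the manifest can destroy it too), the check would run on a short schedule or from a file-system watcher, and a non-empty result would trigger isolation of the host and the incident-response plan described further on.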

Furthermore, services like a digital risk protection service (DRPS) can assist with external surface threat assessments, security remediation, and gaining contextual insights on imminent threats.

Don't skimp on incident response: If your company is infected with wiper malware, the speed and quality of incident response are critical. It could determine the outcome of the attack. The importance of incident response and planning cannot be overstated. This should include defined processes for business continuity without IT, as well as a plan for how to restore from backups and handle incident response.

In the future

Wiper ware can be, and is being, used to degrade and disrupt critical infrastructure, as evidenced by the attacks on Ukraine and others. This is done as part of larger cyber warfare operations. Another common technique witnessed is wiper malware samples "pretending" to be ransomware, employing many of the same tactics, techniques, and procedures as ransomware but without the ability to recover files.

The bottom line is that wiper ware is being used for both financial gain and cyber sabotage - and the results can be disastrous.  