The war between Ukraine and Russia worries everyone, including me. In my opinion, it only just started and I think that this might turn into a long-running conflict. This is the first time that Cyber Warfare plays an important part in a full-scale war and the use of “Wipers” is one of the most powerful tools.
In this post, I will explain how “Wipers” work and the damage they can do to organizations, including critical infrastructure (hospitals, utility companies, traffic institutions, etc.).
What is Wiper malware?
A “Wiper” is a piece of malware that is comparable to ransomware. The biggest difference, though, is that ransomware only encrypts data and focuses on collecting a ransom, after which the data is decrypted again.
A Wiper completely destroys all data in its path. A Wiper can be seen as the digital version of a hurricane: it wipes away everything that comes in its path. There is only one purpose of this type of malware: sabotage and all-out destruction for its victims. Its primary goal is not to steal money or sell information but destruction itself.
Wipers can be used to send a political message or to attempt to cover up tracks after data exfiltration occurs.
It’s the perfect weapon for Cyber Warfare during a full-scale war and that is exactly what is happening now.
Wiper Malware origins
Wiper malware first appeared in the Middle East in 2012 and a year later in South Korea in 2013. This started a chain of incidents in which a few high-profile companies were completely paralyzed by this malware once the hackers decided to pull the trigger.
One of the first big Wipers used for Cyber Warfare was Shamoon (also called W32.DistTrack). Shamoon attacked the Saudi oil company Aramco and some other Middle Eastern oil companies in the period between 2012 and 2016. During this period, over 30,000 hard drives were destroyed, using a direct drive access driver called RawDisk. On some of the computer screens, it displayed the image of a burning American flag, condemning the alliance between the United States and Saudi Arabia.
A group named “Cutting Sword of Justice” claimed responsibility for the attack, but after tracing the group’s activities it turned out that the state-sponsored Iranian hacking group APT33 was responsible.
The attack was very well staged and was initiated by a spearphishing email that a Saudi Aramco IT employee opened, giving the group entry into the company’s network in mid-2012. Many attacks start with a spearphishing email, which means that most of the time a human action has to trigger the attack. This is why awareness is key to preventing this kind of attack. After the employee opened the malicious attachment, the gate to the Aramco network was open and it was open season for the hackers.
How Shamoon worked
After access was granted, the hackers expanded their presence in the Aramco network by spreading malicious code to other computers and servers. They used a computer inside the company’s network as a proxy for this, issuing instructions to it and relaying those instructions to other machines across Aramco. Once it got onto a targeted computer, the hackers’ code was loaded into a folder that was labeled “Shamoon”. Shamoon’s devious (and in my opinion brilliant) code consisted of three components:
(1) The Dropper
The first step of the code was copying itself to various places on the computer and the Aramco network. The code also configured itself to run in the future whenever the targeted computer started up. It is a common technique for achieving “persistence”: the capacity to remain on a targeted system despite actions taken by users, such as rebooting your machine or trying to delete malicious code. After the foothold was established the code deployed two additional components.
(2) The Wiper
The second component wiped the files from the target system once activated by the attackers. It first deleted an existing part of the computer system known as the disk driver. The disk driver manages the reading and writing of files on the hard drive.
After deletion, the code replaced the disk driver with its own prepared copy: RawDisk. After that, the wiping code looked for folders containing important files, like documents, downloads, pictures, music, and videos: more or less everything that a user might value. Once the code found these folders, it overwrote their contents. This was very clever: it’s far more effective than deleting the data, because a deleted file can often still be recovered from the disk, while overwriting makes recovering the original contents much harder.
After this was done, the code moved on to wipe a key component known as the master boot record. The master boot record is vital for a computer’s hard drive: it contains the partition table that describes where files are stored and the code the computer runs when it starts up. Without the guidance of the master boot record, it’s almost impossible for the machine to boot properly. This was exactly the hackers’ intention.
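Because a wiper's final step is to destroy the master boot record, one defensive check is to keep a fingerprint of the known-good MBR and periodically re-read the first 512 bytes of the disk to verify that the boot signature, the partition table and the fingerprint are all still intact. The following Python script is an added example written for this post, not Shamoon's code or any vendor's tool: it parses a 512-byte MBR image, validates the 0x55AA boot signature and the four 16-byte partition entries, and compares a SHA-256 fingerprint against a baseline. The MBR image it checks is constructed in memory (`build_sample_mbr`), so the script runs offline; on a real system the same bytes would come from a privileged read of the disk's first sector, which is assumed and not shown here.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the bootstrap code
ENTRY_FORMAT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Construct a plausible 512-byte MBR image for the example (not read from a real disk)."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (PARTITION_TABLE_OFFSET - 3)
    # One bootable partition of type 0x07 starting at LBA 2048, 1,048,576 sectors long
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1048576)
    empty_entry = b"\x00" * 16
    return boot_code + entry + empty_entry * 3 + BOOT_SIGNATURE


def parse_mbr(data):
    """Return the boot-signature status and the non-empty partition entries of an MBR image."""
    if len(data) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, data[off:off + 16]
        )
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {"signature_ok": data[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def fingerprint(data):
    """SHA-256 of the raw sector; store this as the baseline when the system is known to be clean."""
    return hashlib.sha256(data).hexdigest()


def check_mbr(current, baseline_hash):
    """Compare a freshly read MBR against the baseline and return a list of findings (empty = OK)."""
    findings = []
    info = parse_mbr(current)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition")
    if fingerprint(current) != baseline_hash:
        findings.append("MBR differs from baseline")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = fingerprint(good)
    print("clean MBR:", check_mbr(good, baseline) or "OK")
    # Simulate what an inspection would see after the first sector has been zeroed
    print("zeroed MBR:", check_mbr(bytes(MBR_SIZE), baseline))
```

Structural checks (signature, partition table) catch the crude overwrite described above even without a baseline; the fingerprint comparison additionally catches a subtler change to the bootstrap code that leaves the partition table intact, which is why both are reported separately.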
(3) The Reporter
The third component of the malicious code, the Reporter, collected the computer’s IP address and the number of files overwritten during the attack. The Reporter served as a form of reconnaissance: the Iranian hackers wanted to know exactly how much damage their operation did, and it gave them almost real-time insight with a remarkable level of precision.
HermeticWiper and its role in the Ukraine-Russian war
On the 23rd of February 2022, one day before the Russian land invasion of Ukraine began, Ukrainian organizations (both government and private) were targeted by disk-wiping malware comparable to Shamoon: HermeticWiper. Like Shamoon, HermeticWiper was designed to wipe a computer’s hard disk data and destroy the Master Boot Record and its partitions, making any affected machine inoperable.
It is very likely that HermeticWiper was prepared months in advance: the attackers had access to the victims’ networks and infrastructure from November 2021 onwards. From that period on, the hackers exploited known vulnerabilities in Microsoft Exchange and Apache Tomcat servers.
Like the Shamoon attack, the HermeticWiper attack was initiated by spearphishing emails, which open the door to an organization’s network as soon as an employee within the targeted organization opens the email.
After entering the network, the attackers stole access credentials, moved laterally and deployed web shells. In other words: the hackers ran loose throughout the infected organizations and then hit the “kill switch” on the 23rd of February 2022. This disabled the critical systems of the many organizations the hackers had been infiltrating since November 2021. A key strategy in this kind of Cyber Warfare is to create chaos and disrupt daily life.
Personally, I think the attacks only had a limited effect. The reason for this is that Ukraine has been a regular target of these kinds of attacks and has adapted accordingly. These attacks would have had far more impact on other nations, not used to these kinds of cyberattacks.
Defending your organization against (Wiper) Malware
Fortunately, there are ways to defend yourself against Wiper Malware:
Update Malware Protection
Make sure that your malware protection is always up to date. Malware threats are ever-evolving and change every day. To make sure this happens, configure your anti-malware software to update its signatures daily. If you run servers, additional protection is required: set up hourly updates for them. Also make sure that your firewalls and other malware protection software are updated every 15 minutes if possible.
Create User Awareness
Time and time again, the user is the weakest link. Properly informed users are the best form of defense against cyberattacks. Educate your staff on phishing scams, URL anomalies, odd attachments, and other attack vectors and set up a platform of continuous awareness training in combination with simulated attacks.
Create regular backups
A strong Disaster Recovery Plan (DRP) can minimize both data loss and downtime. Robust backups, data de-duplication, and a virtual desktop infrastructure let you recover your data even after a major wiper or any other form of malware attack has wreaked havoc on your systems.
Patching Operating Systems and Software
Most Operating System (OS) updates are security-related. These patches protect against vulnerabilities identified after an OS or software release, so it is important to keep applying them as soon as they become available. A strict patch management policy is indispensable here. As an IT department, you want to project stability and professionalism to the organization and set an example for others, which means you don’t want to be hit by an exploit for which a patch was already available but that penetrated your systems anyway because you failed to update them.
Monitor your system for changes
Wiper malware changes your system, and monitoring for those changes can significantly enhance detection. File integrity monitoring and endpoint detection software can keep an eye out for such changes and alert system admins when they are spotted. Things you can look out for:
- Creation and startup of a service named brmgmtsvc, also called “Backup and Restore Management”
- Creation of a file share to C:\Windows or wherever the %SystemRoot% environment variable points
- A file named igfxtrayex.exe being created or modified
- Activation of a web server on port 80 on machines where no web server should be running
- Network traffic destined for 88.53.215.64, 217.96.33.164, or 203.131.222.102
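The indicators in the list above are only useful if something actually matches them against what your endpoints and network sensors report. The Python script below is an added example, not the post's own tooling or any product: it runs the five indicators over a small set of constructed log lines (service installation, SMB share creation, file creation, new listening port, outbound connection) in a simple `key=value` format that is assumed for the example, not a real event-log format. The allow-list of hosts that are expected to run a web server (`expected_web_hosts`) and the `system_root` value are assumptions that a deployment would set from its own inventory.

```python
import ntpath
import re

# Indicators from the post's list
IOC_SERVICE_NAME = "brmgmtsvc"
IOC_SERVICE_DISPLAY = "backup and restore management"
IOC_FILE_NAME = "igfxtrayex.exe"
IOC_IPS = {"88.53.215.64", "217.96.33.164", "203.131.222.102"}
IOC_PORT = 80

# Constructed sample events (not real telemetry); timestamp, then key=value pairs
SAMPLE_LOG = r"""
2022-02-23T14:02:11Z host=ws-17 event=service_installed name=brmgmtsvc display="Backup and Restore Management" path=C:\Windows\igfxtrayex.exe
2022-02-23T14:02:13Z host=ws-17 event=share_added name=ADMIN$ path=C:\Windows
2022-02-23T14:02:20Z host=ws-17 event=file_created path=C:\Windows\igfxtrayex.exe
2022-02-23T14:03:05Z host=ws-17 event=listen proto=tcp port=80 process=igfxtrayex.exe
2022-02-23T14:03:40Z host=ws-17 event=net_connect dst=88.53.215.64 dport=8080
2022-02-23T14:05:00Z host=ws-02 event=net_connect dst=10.0.0.5 dport=443
2022-02-23T14:05:10Z host=web-01 event=listen proto=tcp port=80 process=httpd.exe
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="value with spaces"


def parse_line(line):
    """Split one log line into a dict of fields; the first token is the timestamp."""
    ts, rest = line.split(" ", 1)
    fields = {"ts": ts}
    for m in KV_RE.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def classify(ev, system_root, expected_web_hosts):
    """Return a reason string if the event matches one of the indicators, else None."""
    kind = ev.get("event")
    if kind == "service_installed":
        if (ev.get("name", "").lower() == IOC_SERVICE_NAME
                or ev.get("display", "").lower() == IOC_SERVICE_DISPLAY):
            return "service brmgmtsvc / 'Backup and Restore Management' installed"
    elif kind == "share_added":
        # Compare case-insensitively, ignoring a trailing backslash
        share = ntpath.normcase(ev.get("path", "").rstrip("\\"))
        if share == ntpath.normcase(system_root.rstrip("\\")):
            return "file share exported on the system root"
    elif kind in ("file_created", "file_modified"):
        if ntpath.basename(ev.get("path", "")).lower() == IOC_FILE_NAME:
            return "igfxtrayex.exe written to disk"
    elif kind == "listen":
        if ev.get("port") == str(IOC_PORT) and ev.get("host") not in expected_web_hosts:
            return "unexpected listener on TCP port 80"
    elif kind == "net_connect":
        if ev.get("dst") in IOC_IPS:
            return f"connection to known-bad address {ev['dst']}"
    return None


def scan(log_text, system_root=r"C:\Windows", expected_web_hosts=frozenset()):
    """Run every line through the indicator rules; return (timestamp, host, reason) alerts."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        reason = classify(ev, system_root, expected_web_hosts)
        if reason:
            alerts.append((ev["ts"], ev.get("host", "?"), reason))
    return alerts


if __name__ == "__main__":
    for ts, host, reason in scan(SAMPLE_LOG, expected_web_hosts={"web-01"}):
        print(f"{ts} {host}: {reason}")
```

The port-80 rule is the one most prone to false positives, which is why it is gated on an allow-list of known web hosts rather than fired unconditionally; the service, file and destination-address rules match exact indicators and need no such gating.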
Final thoughts
Wiper malware can seriously cripple organizations, and even a whole nation when many organizations and critical infrastructure in that nation are hit at once. Fortunately, this has not happened yet and there are ways to prevent it, as explained above. Still, many organizations don’t have the proper defenses in place against these kinds of attacks, and creating awareness among these organizations is extremely important. Fortunately, cybersecurity awareness is increasing, but we are not there yet. From my side, I keep preaching about this and I hope these kinds of posts contribute to that: stay vigilant!
Finally, my thoughts are with the families of all the victims of this war: not one side. There is no right or wrong in my opinion and there are only losers in this conflict. My hope is that somehow, peace will come and that humankind can move from conflict to cooperation. Humankind can achieve unimaginable things by working together. The greatest technological breakthroughs were done by individuals so imagine what humankind can do by full cooperation. In my opinion, full cooperation will exponentially increase our technological progress, while conflicts will only slow it down.