
The Ukraine conflict has unleashed wiper malware variants that are being used against both Ukraine and Russia. The onset of the crisis saw the deployment of a series of wiper attacks of varying intensity and destructiveness, starting in January 2022 and continuing to the present. WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper, among others, have been executed against Ukraine, while CryWiper has targeted Russian organizations. While none of these attacks has proven instrumental in gaining any particular advantage for either side, the range of effects includes, but is not limited to, destroying data and partition information, triggering boot failures, and overwriting data on disk drives. What is clear is that wipers are becoming popular cyber attack tools when the actor's intent is to destroy, or at least seriously disrupt, the functionality of exploited networks. As concern over critical infrastructure security looms over network defenders, the potential threat of a wiper malware attack against these systems is daunting.

Wiper malware is not new, though it certainly seems to be the weapon of the moment. One of the first notable wiper malware attacks linked to state actors occurred in 2012, when suspected Iranian actors deployed the Shamoon wiper against Saudi Aramco and RasGas, wiping the data from at least 35,000 systems. Since that watershed moment, other state actors have entered the fray, using wipers in attacks to hurt a target or at least send a message to a government. 2013 saw the North Korea-orchestrated DarkSeoul target South Korean media and financial organizations; 2017 witnessed Russia's NotPetya emerge against Ukrainian organizations before spreading globally; and 2018 saw the Russian-executed OlympicDestroyer deployed against Winter Olympics entities in South Korea. This is by no means a comprehensive list, but it shows how such a weapon has become a go-to tool for states up to the present day, whether disguised within other assaults such as ransomware or deployed as a straightforward attack.

The ongoing cyber hostilities caused by the Ukraine conflict have brought a lot of attention to the use of wipers. This is disconcerting, as evidence suggests that this interest may be bleeding into the cybercrime community as well. According to a first-half-of-2022 report by a cybersecurity company, ransomware, infostealers, and wipers were at the forefront of criminal attention. In 2019, attackers deployed Ordinypt (or GermanWiper) against German organizations, looking to make a profit from these victims. However, while the malware masqueraded as ransomware, it actually overwrote content and destroyed user data instead of encrypting it. The aforementioned CryWiper continues this vein of attack, concealing the malware's true purpose under the guise of ransomware.

Looking forward, wiper malware may become a more popular option for hostile actors in 2023, and this may prompt an increase in the deployment of this malware against mobile devices. This is worrisome, especially as ransomware operators have proven innovative, persistent, and cagey, looking to stay one step ahead of defenders' abilities to identify, mitigate, and remediate this extortion. As organizations have become used to the double extortion methods employed by ransomware gangs, these groups have resorted to upping their game by finding new ways to compel payment. Now, most gangs employ a dual-extortion tactic that involves not only encrypting victim data but also threatening to sell or expose it. Some gangs have even resorted to threatening distributed denial-of-service (DDoS) attacks to further coerce victims into paying ransoms. Encrypting data is no longer enough to convince victims to pay the criminals. As wiper malware becomes more of a commodity, ransomware gangs may see the utility of deploying it to maximize their cyber extortion operations.

One area that may become a hot target for hostile actors is mobile devices and smartphones. Approximately 83% of the global population use smartphones as their primary computing means, using the technology to make phone calls, engage in financial activities, text, send and read email, access social media, play games, and use a variety of applications. Moreover, a recent statistic revealed that 75% of U.S. employees use their personal smartphones for work-related activities, making these endpoints potential entryways into professional networks. This includes using company-sanctioned apps for communication and data storage, making these devices potentially attractive targets for disruptive and destructive attacks for extortion or punishment. Given that data leakage, unsecured Wi-Fi, and phishing/smishing are among the top threats against smartphones, it is easy to see how wiper malware could be deployed against these devices with success. Recently, a researcher found a way to exploit the data detection capabilities of endpoint detection and antivirus software and turn them into data wipers. This is a further sobering discovery, as the exploit deceived many of the top products in the security industry.

It is likely that states and state proxies will continue to deploy wipers during periods of geopolitical conflict in 2023. However, some of the savvier cybercriminals may seek to leverage the malware to support financially motivated attacks as well. Given the potentially permanent destruction wipers cause, cyber extortionists may turn to this tool to further strong-arm victims. If encrypting valuable data and threatening to expose it publicly has been effective in eliciting ransom payments, the threat of wiper deployment ratchets up the pressure dramatically. Moreover, should cybercriminals increase their use of wiper malware, the cybercrime underground ecosystem will likely respond in kind, developing wiper-as-a-service criminal offerings to fill the niche.

The Ukraine crisis has shown that organizations need to start thinking of wiper attacks in the same way as ransomware attacks, preparing and testing disaster recovery plans in the event they are compromised. Remediating wiper attacks will prove extremely difficult, if not impossible, due to the immediate damage caused when the malware is deployed; recovery depends on having an intact, verified copy of the data somewhere the malware could not reach. In February 2022, the Department of Homeland Security issued an alert concerning the use of wipers surrounding Ukraine and advised all organizations to evaluate "their capabilities encompassing planning, preparation, detection, and response for such an event." This guidance extends beyond the conflict and must now be incorporated into every organization's cyber resilience strategy. The wiper threat has left the barn, and there is no closing that door now.
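Because a wiper leaves nothing to decrypt or negotiate over, the disaster recovery testing the paragraph above calls for has to answer one question: is the backup copy still what we recorded when we took it? The following script is an added example written for this page, not code from the article or from any of the products mentioned in it. It records a SHA-256 manifest of a backup tree, then re-verifies the tree and reports files that are missing, altered, or zero-filled (zero-filling being one of the data-overwriting effects the article attributes to wipers). All file names and contents in `demo()` are constructed sample data; the manifest itself would be stored out-of-band in a real deployment.

```python
"""Verify a backup set against a previously recorded SHA-256 manifest.

Added example (not part of the original article): a wiper attack is
survivable only if an intact copy of the data exists, so DR testing
should confirm that the backup location still matches what was recorded
when the backup was taken.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large backups fit in memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's contents, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def is_zero_filled(path: Path) -> bool:
    """True if the file is non-empty and every byte is 0x00."""
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk.count(0) != len(chunk):
                return False
    return True


def build_manifest(root: Path) -> dict:
    """Record relative path -> {sha256, size} for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": p.stat().st_size,
            }
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current tree to the manifest and categorise each entry."""
    findings = {"ok": [], "missing": [], "modified": [], "zero_filled": []}
    for rel, rec in manifest.items():
        p = root / rel
        if not p.is_file():
            findings["missing"].append(rel)
        elif sha256_file(p) == rec["sha256"]:
            findings["ok"].append(rel)
        elif is_zero_filled(p):
            # Same size, content replaced by zeros: classic overwrite signature.
            findings["zero_filled"].append(rel)
        else:
            findings["modified"].append(rel)
    return findings


def demo() -> dict:
    """Constructed sample: three files backed up, two damaged before verification."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.csv").write_text("date,amount\n2022-01-13,100\n")
        (root / "notes.txt").write_text("quarterly notes\n")
        (root / "config.ini").write_text("[db]\nhost=example\n")
        manifest_json = json.dumps(build_manifest(root))  # store this off-box

        # Damage applied to the constructed sample so verification has something to find:
        size = (root / "ledger.csv").stat().st_size
        (root / "ledger.csv").write_bytes(b"\x00" * size)  # contents overwritten with zeros
        (root / "notes.txt").unlink()                      # file deleted outright

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:12s}{files}")
```

Run against a real backup mount, `build_manifest` is executed at backup time and the resulting JSON kept somewhere the backup host cannot write to; `verify_backup` then runs on a schedule and during DR drills, and anything outside the `ok` bucket is the signal that the restore point can no longer be trusted.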


About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.