“Malware wiper new serious threat to computer systems”

by time news

2023-04-20 17:56:51

Wiper-class malware is the new serious threat to the cyber security of companies and administrations around the world. Designed to erase the data on infected computer systems, with irreparable damage to corporate activities and public institutions, these cyberattack tools are at the center of the new Swascan report (Tinexta Group) just published under the patronage of Assintel and Ecso – European Cyber Security Organization.

From the devastating NotPetya, used since 2017 against organizations in different sectors in more than 65 countries, with damages of more than 10 billion dollars worldwide, to the more recent and lethal AcidRain, WhisperKill and IsaacWiper, developed and used during the Russian-Ukrainian conflict to put Kiev’s digital infrastructure out of order, there are about fifteen wipers examined in this detailed technical analysis, which reveals the dangers of these real cyber warfare tools through a thorough and precise examination of how they work.

“The ancestor of what we know today as a wiper was allegedly used in 2012 in a series of attacks against Iranian companies. But the first real malware with wiper capabilities was Shamoon, active between 2012 and 2016. One of the most widespread attacks, however, dates back to June 2017 with the infamous wave of NotPetya infections”. But the decisive increase in these lethal attacks occurred with the Russian-Ukrainian conflict. “Several organizations and critical infrastructures in Ukraine – the report reads – have been affected by this wave of NotPetya, including the radiation monitoring systems of the Chernobyl nuclear power plant. In particular, on February 24, 2022, the wiper virus called AcidRain was used in a cyber attack against Viasat’s satellite Internet service, which affected several countries, including Italy”.

“SwiftSlicer, discovered by Fortinet researchers on January 25, 2023 – Swascan’s analysis continues – was used to conduct a cyber attack on Ukrainian infrastructure. This virus does not aim for ransom or monetization, only data destruction and sabotage of computer systems. The day before the invasion of Ukraine by Russian forces, on February 24, 2022, a new wiper unleashed against a number of Ukrainian entities, known as the “HermeticWiper”, was discovered, based on a digital certificate stolen from a company called Hermetica Digital Ltd”.

The report presents, in an effective summary table, the details of the 13 most well-known wipers currently in use: Shamoon, the first to be used, in 2012, to attack the oil companies Saudi Aramco and RasGas; North Korea’s Dark Seoul, which rendered some 30,000 computers unusable in South Korea’s media and financial services industries; the aforementioned Russian NotPetya; the North Korean Olympic Destroyer, aimed at disrupting the cyber services of the 2018 Winter Olympics in South Korea; Ordinypt/GermanWiper, which targeted German organizations in 2019; the Iranian Dustman, which attacked Bahrain’s national oil company in 2019; ZeroCleare, which targeted energy companies in the Middle East in 2020; and the Russian WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero and AcidRain, which in various phases in 2022 have affected Ukrainian institutions and companies.

The survey identifies three main “use cases” for wipers: espionage, sabotage and diversion. In espionage mode, wipers accompany the theft of sensitive or secret information from an infected computer system: the attackers use the malware to eliminate traces of their access to the organization’s systems, preventing investigators from finding out how the attack was carried out and what data was stolen. Their use in false flag attacks should not be ruled out either: an actor could use a wiper to conduct an attack and pretend it was perpetrated by another actor.

Sabotage mode involves using wipers to destroy or damage a country’s or an organization’s IT infrastructure: the attackers use the malware to erase or damage critical data or infrastructure, causing severe harm to the affected organization or country. Finally, diversion mode involves using wipers to mask other cyber attacks or to mislead investigators: the attackers use the malware to eliminate traces of their true targets and activities, tricking investigators into following false leads and preventing them from discovering the real attack.

“Most of the wiper malware seen in the first half of 2022 – declares the CEO of Swascan, Pierguido Iezzi – was distributed against Ukrainian organizations. The growth of wiper malware during a conflict is no surprise. It is difficult to monetize, so the focus is on destruction, sabotage and cyber warfare. Rather than being used in isolation, a wiper is often used in the context of a larger attack. Wipers have become global in scope and a staple in the arsenal of APT groups, signaling a shift in the way states operate and conduct cyber operations.”

“But not only that, we could soon see their use by hacktivist groups as well, in lieu of an armed wing of much ‘heavier’ actors on the international level. In fact, the involvement of states in the promotion or support of hacktivist groups cannot be excluded. These could exploit hacktivist groups as a foreign policy tool (a new form of sharp power), providing them with logistical, financial or technical support to carry out wiper attacks against adversaries or targets of strategic interest – concluded Iezzi – a convergence of scenarios in which this tool could potentially become even more destructive than the digital weapons already employed by the actors now active on the international geopolitical stage. Possible developments that must be closely monitored in order to be able to anticipate possible disastrous consequences in the event of an attack”.
