Wiper Malware: Purposes, MITRE Techniques, and Attacker's Trade-Offs

Following recent events in Ukraine, various cybersecurity agencies such as CISA or BSI have warned that data-wiping attacks could spill over to organisations in other countries. While destructive malware such as wipers is still rare and more targeted compared to malware focused on espionage and financial gain, there are reasons to believe that these wipers will become more prevalent:
The recent incidents in and related to Ukraine, and possible future deployments of wipers, prompted me to take a look at them: I first discuss different purposes and types of wipers. I then describe the techniques leveraged by wipers using MITRE ATT&CK. To get a better overview of where and how wipers have been deployed in the past, I have created a timeline of the most significant, publicly known wipers. Lastly, I take a look at risks and trade-offs attackers take into account when deploying wipers.

Wipers may serve various purposes

A wiper is a malware class developed to irrecoverably destroy data on the target system and/or to affect the target system's ability to boot successfully. The wiping functionality can be triggered by the attacker or when specific time- or event-based conditions are met (i.e., logic bombs). Wipers belong to the group of destructive cyber capabilities that include BGP manipulations, DDoS, supply chain sabotage, cyber-kinetic weapons (e.g., Stuxnet), signal jamming (e.g., SpaceX's Starlink), disabling services (e.g., KA-SAT SATCOM terminals), and defacements, among others. While all wipers are intended to destroy data in some form, the attackers deploying them may have different purposes in mind, which helps to classify them:
  • Sabotage: Inflicting as much damage as possible to disrupt operations and to cause financial/reputational loss as observed with Shamoon2 in 2016 or NotPetya in 2017.
  • Psychological warfare: Wipers that cripple infrastructure help attackers to erode trust of the victim population in their governments and to induce fear and panic. 
  • Distraction: Using wipers to draw the attention of IT and security teams helps attackers to pursue their actual goals unnoticed, as was observed with North Korean hackers who deployed wipers at Banco de Chile to distract from a SWIFT heist.
  • Cover-up of espionage or other hacking operations: Some espionage toolkits such as Flame included a wiper component that helps to prevent successful forensics by making sure that no traces of the infection were left on the infected machines. In some cases, covering up traces is a by-product of deploying the wiper. 
Overall, it is fair to say that sabotage has been the most dominant purpose seen in the wild. However, in general, it is conceivable that attackers attempt to fulfil multiple purposes simultaneously, or to confuse analysts by setting false flags.

Pure and multi-functional wipers

With pure wipers, wiping is the single functionality of the malware. Multifunctional wipers, in turn, are designed to perform multiple tasks for attackers (e.g., espionage), including wiping (e.g., BlackEnergy's KillDisk component). Knowledge of those functionalities combined with available indicators (e.g., system logs, memory dumps, or network traffic) can help to determine the scope and nature of the attacker's activities in the target network in case of a successful attack. In some cases, trade-offs may need to be made between recovering valuable data (i.e., unplugging machines) and gaining insight into the attack (i.e., rescuing logs and other artefacts).

How do wipers work?

To wreak as much havoc as possible, wipers target various features of the disk and the Windows file system. The core attack vectors are files, the boot section, and backups. Depending on how one looks at it, there are at least six high-level techniques, with most wipers leveraging several of them at the same time:

1. Overwriting of files (i.e., Data Destruction: T1485)

Overwriting files on local and remote drives is likely to render stored data irrecoverable. Common deletion commands like del and rm usually only remove file pointers without actually destroying the contents. Files are either overwritten with randomly generated data (e.g., Shamoon1) or in some cases with politically loaded image files (e.g., Shamoon2). Since destroying each file individually is too time-consuming, several optimisation strategies have emerged:
  • Wiping only specific file types based on file extensions (e.g., .docx, .doc, .pdf, .xls)
  • Wiping only files in specific folders (e.g., outside of Windows directory)
  • Rewriting a certain amount of bytes at the beginning of each file to destroy the headers to make them unusable
  • If the amount of bytes exceeds the actual file size, files are wiped completely
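The header-destruction strategy above leaves a recognisable trace: a file keeps its name and extension, but its first bytes no longer carry the signature the format requires. The following triage script is an added example for incident responders and is not part of the original post or of any wiper; it walks a directory tree and classifies each file by whether its leading bytes still match the signature expected for its extension. The signature table, the `classify_file` and `triage_tree` helpers, and the constructed sample files under a temporary directory are all assumptions of this example.

```python
import os
import tempfile

# Expected leading bytes ("magic numbers") for a few common extensions.
# The signatures are public file-format facts; the selection of extensions
# is an illustrative assumption of this example, not an exhaustive table.
MAGIC_BY_EXTENSION = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".exe": b"MZ",
}


def classify_file(path):
    """Return 'intact', 'header_destroyed', 'empty' or 'unknown_type' for one file."""
    ext = os.path.splitext(path)[1].lower()
    magic = MAGIC_BY_EXTENSION.get(ext)
    if magic is None:
        return "unknown_type"          # no signature on record for this extension
    with open(path, "rb") as fh:
        head = fh.read(len(magic))
    if not head:
        return "empty"                 # zero-length file: truncated or never written
    if head == magic:
        return "intact"
    return "header_destroyed"          # leading bytes do not match the format signature


def triage_tree(root):
    """Walk a directory tree; return per-verdict counts and the list of damaged files."""
    counts = {"intact": 0, "header_destroyed": 0, "empty": 0, "unknown_type": 0}
    damaged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify_file(full)
            counts[verdict] += 1
            if verdict == "header_destroyed":
                damaged.append(full)
    return counts, sorted(damaged)


def build_sample_tree():
    """Construct a throw-away directory holding an intact PDF, a spreadsheet whose
    first kilobyte has been zeroed, a file of unknown type and an empty document.
    These are constructed sample files for the example, not real artefacts."""
    root = tempfile.mkdtemp(prefix="wiper_triage_")
    with open(os.path.join(root, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.7\n% constructed sample body\n")
    with open(os.path.join(root, "budget.xlsx"), "wb") as fh:
        fh.write(b"\x00" * 1024)       # header region overwritten with zeros
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"no signature defined for .txt\n")
    with open(os.path.join(root, "empty.docx"), "wb"):
        pass
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    summary, hits = triage_tree(sample_root)
    print(summary)
    for path in hits:
        print("header destroyed:", path)
```

A signature mismatch alone cannot distinguish an overwritten header from a file that was simply misnamed, so the counts are an estimate of scope rather than proof; comparing the hit list against the timestamps of the suspected wiping activity narrows it down. Extending the check to the file's tail (many formats also carry an end-of-file marker) helps to spot the variant where the whole file, not just the header, was overwritten.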

2. Keyless encryption of files (i.e., Data Encrypted for Impact: T1486)

Attackers may also render stored data irrecoverable by encrypting files using "keyless encryption" techniques. This means that there is no decryption key for reversing the encryption. The optimisation strategies of technique 1 apply here too.

What is most striking about techniques 1 and 2 is that they show how financially motivated groups such as ransomware gangs and nation-state actors evolve their techniques to achieve their respective goals and learn from each other. This sometimes goes so far that nation-state actors even masquerade their disruptive attacks as ransomware (e.g., Apostle), which allows for plausible deniability. This is not to be confused with wipers that display ransom notes without being ransomware, so-called pseudo-ransomware (e.g., WhisperGate).

3. Destruction of Master File Table

One key component of the file system (NTFS) is the Master File Table (MFT). For every single file, it keeps record of all information describing the file such as access permission, disk location, creation date, and additional metadata. By destroying or encrypting the MFT, wipers effectively render files stored on disk irrecoverable since NTFS will be unable to reconstruct them from the disk (e.g., NotPetya). One reason for that is non-contiguous file allocation. 

4. Destruction of portions of disk content (i.e., Disk Content Wipe: T1561.001)

Instead of wiping specific files, attackers may wipe arbitrary portions of disk content, rendering them irrecoverable through the storage interface. This may require direct access to the hard drive through third-party drivers such as RawDisk (e.g., WhisperAlpha). For optimisation reasons, attackers may overwrite a certain amount of bytes in a pattern (e.g., the first 100 KB of every 5 MB), resulting in random file destruction without any predictable pattern and making recovery impossible.

5. Destruction of disk's logical structure (i.e., Disk Structure Wipe: T1561.002)

Attackers may render the target system un-bootable by overwriting data located in structures such as the Master Boot Record (MBR) or partition table. Under normal conditions, the BIOS loads the MBR, which looks at the partition table to find the first active primary partition; the boot sector of that partition is then loaded in order to execute the boot loader code, which in turn loads the primary operating system. If the disk's logical structure has been destroyed, the system will not be able to load the operating system during the boot process and becomes unusable.
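When a machine no longer boots after a suspected wiper incident, the first forensic question is whether the MBR described above is still structurally sound. The parser below is an added example and not code from the original post; it decodes a 512-byte sector image (for instance the first sector of a forensic disk image), checks the 0x55AA boot signature, decodes the four 16-byte partition table entries at offset 446, and applies a simple "looks wiped" heuristic. The `parse_mbr` and `mbr_looks_wiped` helpers and the constructed sample sector with one NTFS-type partition are assumptions of this example; the offsets and layout are the standard MBR format.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of a valid MBR


def parse_mbr(sector):
    """Decode one 512-byte MBR. Returns the signature check, whether the boot-code
    region is entirely zero, and the non-empty partition table entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    result = {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_all_zero": all(b == 0 for b in sector[:PARTITION_TABLE_OFFSET]),
        "partitions": [],
    }
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue                       # empty slot
        result["partitions"].append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return result


def mbr_looks_wiped(sector):
    """Heuristic used in triage: missing boot signature or no usable partition entry."""
    info = parse_mbr(sector)
    return (not info["signature_ok"]) or (not info["partitions"])


def build_sample_mbr():
    """Construct a sample MBR (not a real disk image): a few non-zero bytes standing in
    for boot code, one bootable NTFS-type (0x07) partition starting at LBA 2048 and
    spanning 204800 sectors, and the 0x55AA signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:4] = b"\xfa\x33\xc0\x8e"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr()
    print("intact sector:", parse_mbr(good))
    print("zeroed sector looks wiped:", mbr_looks_wiped(bytes(SECTOR_SIZE)))
```

On a real image, read the first 512 bytes of the device or image file and pass them to `parse_mbr`; an intact signature with an all-zero boot-code region or empty partition table is exactly the pattern that distinguishes a structural wipe from an ordinary boot failure. GPT disks carry a protective MBR with a single type 0xEE entry, so the heuristic should be paired with a check of the GPT header at LBA 1 on such systems.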

6. Destruction of backups (i.e., Inhibit System Recovery: T1490, Service Stop: T1489)

Wipers usually delete all volume shadow copies (a Windows feature creating backups for files) to ensure that destroyed files cannot be restored. In addition, they often destroy the Windows Recovery Console (supposed to assist in restoring Windows in case of booting problems) by using operating system command-line utilities (e.g., HermeticWiper).
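Because this step relies on built-in command-line utilities, it is also one of the most detectable phases of a wiper deployment if process-creation logging is in place. The script below is an added detection example and is not part of the original post: it parses a few constructed process-creation log lines, matches command lines against the well-known utilities that MITRE ATT&CK lists for Inhibit System Recovery (T1490) and Service Stop (T1489), and raises an alert only when two or more distinct recovery-inhibiting behaviours occur on one host within a short window, which keeps a lone administrative command from firing. The log format, the regular expressions, the correlation window and the sample lines are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Behaviours mapped to ATT&CK techniques. The utilities are the ones publicly
# documented for T1490/T1489; the regexes are an assumption of this example.
RECOVERY_INHIBIT_PATTERNS = [
    ("T1490", "shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1490", "shadow copy deletion via WMI",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490", "backup catalog deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("T1490", "recovery environment disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I)),
    ("T1489", "service stop",
     re.compile(r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I)),
]

# Assumed log line layout: "<ISO timestamp> host=<name> user=<name> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample events: one benign host activity, a burst of recovery
# inhibition on WS-014, a harmless listing, and a single service stop on SRV-02.
SAMPLE_LOG = """\
2022-03-01T21:01:10Z host=WS-014 user=jdoe cmd="C:\\Windows\\System32\\notepad.exe" C:\\Users\\jdoe\\todo.txt
2022-03-01T21:02:33Z host=WS-014 user=SYSTEM cmd=vssadmin.exe delete shadows /all /quiet
2022-03-01T21:02:35Z host=WS-014 user=SYSTEM cmd=wbadmin delete catalog -quiet
2022-03-01T21:02:36Z host=WS-014 user=SYSTEM cmd=bcdedit /set {default} recoveryenabled no
2022-03-01T21:03:00Z host=WS-014 user=jdoe cmd=vssadmin list shadows
2022-03-01T21:05:12Z host=SRV-02 user=backupsvc cmd=net stop "Volume Shadow Copy"
"""


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "host": m.group("host"),
                       "user": m.group("user"), "cmd": m.group("cmd")})
    return events


def match_techniques(cmd):
    """Return the (technique id, behaviour label) pairs a command line matches."""
    return [(tid, label) for tid, label, rx in RECOVERY_INHIBIT_PATTERNS if rx.search(cmd)]


def detect(text, window=timedelta(minutes=5)):
    """Return (observations per host, alerts per host). An alert requires at least two
    distinct behaviours on the same host within `window` of the first observation."""
    observations = {}
    for ev in parse_log(text):
        for tid, label in match_techniques(ev["cmd"]):
            observations.setdefault(ev["host"], []).append((ev["ts"], tid, label, ev["cmd"]))
    alerts = {}
    for host, hits in observations.items():
        hits.sort()
        for i, (ts, _tid, _label, _cmd) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - ts <= window]
            labels = {h[2] for h in in_window}
            if len(labels) >= 2:
                alerts[host] = {"first_seen": ts, "behaviours": sorted(labels),
                                "commands": [h[3] for h in in_window]}
                break
    return observations, alerts


if __name__ == "__main__":
    seen, fired = detect(SAMPLE_LOG)
    for host, details in fired.items():
        print(f"ALERT {host}: {details['behaviours']} starting {details['first_seen']}")
    for host, hits in seen.items():
        if host not in fired:
            print(f"observation only on {host}: {[h[2] for h in hits]}")
```

Feeding real Sysmon Event ID 1 or Windows Security 4688 records into `parse_log` only requires adapting `LOG_LINE`; the correlation logic stays the same. Backup software and administrators do legitimately delete shadow copies or stop the VSS service, so the two-behaviour threshold and a user allow-list are what make this rule tolerable in production, and the `T1489` observation on `SRV-02` above shows why a single hit is reported but not alerted.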

I only highlighted techniques used from MITRE ATT&CK’s Impact tactic. To get a full picture of how wipers operate, it is key to also analyse their implementations of other tactics such as Evasion or Lateral Movement. 

Significant wiper incidents over time

It is unclear when the first wiper appeared, but some argue that CIH in 1998 was the first instance of what would now be called a wiper. To get an overview of the most significant destructive operations and put them into a temporal and geographical context, I created a timeline, which shows the geopolitical significance of many wipers (e.g., Russia vs. Ukraine, North Korea vs. South Korea, etc.). The wipers primarily observed in Ukraine are marked accordingly:


For more context on the wipers from the timeline, check out the appendix of this blog post.

Risks and trade-offs for attackers

While it is hard to say how effective wipers have been in the past (mostly, because successful operations might have been kept secret, and because we do not know what would have been without using them), attackers deploying wipers face various risks and trade-offs: 
  • Spillovers and collateral damage: There is a risk of unintentional spillovers and collateral damage, particularly in cases where the wiper payload is spread as a virus. The wiper might then not only affect organisations in countries other than the victim country, but also organisations within the country of the attacker itself (e.g., the Russian state-owned company Rosneft was severely hit by NotPetya in 2017). However, such collateral damage may also create a smokescreen of plausible deniability.
  • Disruption of intelligence gathering operations: Deploying wipers runs counter to conventional interests of nation-state actors, which include covert and persistent intelligence gathering. Once a relevant system is shut down, intelligence gathering, which has a particularly high priority during conflict, is impaired or even becomes impossible on that system. Hence, there is a trade-off between destroying a system and maintaining access to potentially valuable information.
  • Reliance on victim’s infrastructure: It is possible that attackers rely on the same infrastructure or systems as their victims. For example, in the context of the Russian invasion in Ukraine, it is possible that the Russians themselves needed a functioning telecommunications system, including high-speed data links, for their own communications. While modern military equipment has sophisticated radios in place, mishaps might have forced the military to rely on Internet-based systems.
  • Effectiveness and ease of deployment: Deploying wipers (or conducting any other cyberattack) requires time, skills, and luck. Therefore, it is often impossible to just launch cyber strikes and automatically expect results of strategic relevance.
In a nutshell, attackers need to carefully weigh the pros and cons of wipers before deploying them. Other destructive cyber capabilities such as DDoS, signal jamming, or targeted tampering with configurations (which often go hand in hand with wiper operations anyway) might serve the intended purposes as well.

Conclusion and future risk

In this blog post, I tried to give an overview of the different purposes and types of wipers, how their wiping functionality works, and where and how they have been used in the past. At the end, I discussed various risks and trade-offs considered by attackers before deploying wipers. There are two questions that still need to be addressed: what is the risk for organisations outside of the current battlefield, and what can be done about it?

While some analysts have argued that the cyberwar has not unfolded as many expected and only represented a continuation of the long-standing cyber harassment of Ukraine focused on trust erosion and confusion, there is a high risk for spillovers and real destruction as assessed by various cybersecurity agencies. One key aspect here is that financially motivated groups serving as proxies might not only be tolerated by the Russian administration as seen in the past, but may also be actively encouraged to wreak havoc on the West. Incidents such as Colonial Pipeline demonstrate potential impact. 

So, what can be done about it? The usual recommendations apply, such as focusing on infection chains, closing visibility gaps, minimising the attack surface, generating backups, hardening systems to the highest standards, segmenting networks, having BCDR plans in place, conducting real-life security assessments (e.g., red team exercises), and monitoring the overall threat landscape. The good news (at least for organisations with ransomware preventive measures in place) is that most of these ransomware precautions apply or can be adapted to account for wipers too. Some good first steps can be found in CISA's recent advisory on destructive malware.

Appendix

1998: CIH (1, 2): Capable of wiping BIOS flash memory (particularly destructive to laptops) and believed to have infected more than 50 million systems around the world.

2008: Narilam (1): Affected databases for software mainly used in Iran and designed for long-term sabotage by destroying data in a subtle way.

2012: “Wiper” (1): Affected computer systems located in Iran but potentially also other countries. There is no "Wiper" sample available due to sophistication (i.e., all data wiped). Investigations around "Wiper" led to discovery of Flame.

2012: Shamoon1 (1, 2): Destroyed hard drives of ~30,000 workstations at Saudi Aramco.

2012: Groovemonitor / Maya (1, 2): Simplistic wiper, triggered on hard-coded dates, affecting computer systems in Iran making loss of files look like software or hardware failure.

2013: Jokra (1, 2): Affected various South Korean banks and television broadcasters as part of DarkSeoul operation. Operation included DDoS and defacement attacks against telecom and government sectors. Commonly attributed to North Korea's Lazarus Group.

2014: Destover (1, 2, 3): Targeted Sony Pictures Entertainment for not withdrawing the comedy "The Interview". Attack included takeover of Sony-related Twitter accounts, stealing of sensitive data, and leaks. Commonly attributed to North Korea's Lazarus Group.

2014: DestFallen (1, 2): Overwrites MBR and first 1 KB of some files, and displays "Who Am I?" when rebooted. Some advanced file recovery tools may recover certain files.

2015: KillDisk/BlackEnergy (1, 2, 3): Caused hours-long outages in two Ukrainian power facilities in December leaving many without electricity. BlackEnergy backdoor was used to plant the KillDisk component onto the targeted computers. Commonly attributed to Russian GRU's Sandworm.

2016: Shamoon2 (1): Targeted various organisations in different sectors in Saudi Arabia and is a re-emerged version of Shamoon1 with some changes in functionality. Used a photo of Alan Kurdi, the three-year-old Syrian refugee who drowned at sea, instead of a burning US flag.

2016: StoneDrill (1): Affected mostly organisations in Saudi Arabia and one located in Europe. Similar to Shamoon in style but with better evasion techniques, and discovered during analysis of Shamoon2.

2017: NotPetya (1, 2): Pseudo-ransomware affected tens of thousands of systems globally via ETERNALBLUE, mostly in Ukraine. Attack originated from an update of a Ukrainian tax accounting package called MeDoc. Commonly attributed to Russian GRU's Sandworm.

2018: Olympic Destroyer (1): Targeted Olympics in South Korea and temporarily paralysed IT systems ahead of opening ceremonies. Led to shutdown of display monitors, Wi-Fi, and Olympics website, disrupting ticket printing functionality. Co-occurrence of disparate code overlaps in the malware may be indicative of a false flag operation. There are similarities to Lazarus Group's LimaCharlie malware loaders, widely believed to be North Korean actors.

2019: Holiday Wiper (1): Targeted organisations in South Korea and exploited Lunar New Year season for social engineering. South Korean medical website used as C2 to download disguised Korean security program. Believed to be an operation by North Korean Group 123 (aka Ricochet Chollima).

2019: DEADWOOD (1, 2): Used against specific targets in Saudi Arabia. Microsoft analysts attributed the attack to Iran’s highly-active APT33.

2019: ZeroCleare (1, 2, 3): Attacked organisations in energy and industrial sectors in countries in Persian Gulf seen as rivals by Iran. Shows some similarities to Shamoon (e.g., using legitimate EldoS RawDisk software driver to gain direct disk access) and is likely collaboration between Iranian state-sponsored groups including OilRig/APT34.

2019: GermanWiper (1): Pseudo-ransomware targeting only German-speaking victims. Operators still unknown, but the distribution method (fake BSI email) resembles Sodinokibi ransomware.

2021: Apostle (1, 2, 3): Initially deployed in an attempt to wipe data but failed to do so, likely because of a logic flaw in its code. Operators (dubbed Agrius, with likely ties to the Iranian government) then fell back on DEADWOOD, used in 2019. The bug in Apostle was fixed in a later version and the malware gained full-fledged ransomware behaviours. Disguising itself as ransomware, Apostle was then used to attack Israeli targets.

2021: Meteor (1): Caused extreme disruptions and chaos for Iran's train services.

2022: WhisperGate (1): Targeted multiple industries in Ukraine, including government, non-profit, and IT organisations. Attacks took place shortly after Ukrainian government website defacements and just before Russian invasion of Ukraine.

2022: HermeticWiper (1, 2, 3, 4, 5): Targeted finance and government contractor organisations in Ukraine, Latvia, and Lithuania. Attacks took place hours before the start of Russian invasion of Ukraine. Malware artefacts suggest that the attacks had been planned for several months.

2022: PartyTicket (1): Unlikely to be a true ransomware campaign conducted for financial gain. More likely pseudo-ransomware aiming at disruption and data destruction.

2022: IsaacWiper (1, 2): Second destructive attack against a Ukrainian governmental network started on February 24 (start of invasion). HermeticWiper and IsaacWiper were not used on the same targets, nor do they seem to share code.

2022: RURansom (1): Pseudo-ransomware attempting to infect Russian targets as part of the war in Ukraine (no confirmed targets). Creator of RU_Ransom states in code that their motive is to harm Russia.

2022: CaddyWiper (1): Third destructive wiper deployed in Ukraine since the start of the Russian invasion. CaddyWiper does not share any significant code similarity with HermeticWiper, IsaacWiper, or any other widely known malware. Interestingly, CaddyWiper avoids destroying data on domain controllers implying that attackers want to keep their access inside the organisation.
