Wiper malware — so called because it erases data from victims’ computer drives — played a key part in the costly cybersecurity breach directed against Sony Pictures Entertainment in late 2014. It is also a demonstration of the murky netherworld in which the distinctions among cyberwar, cyberterrorism and cybercrime can be difficult to draw.

The use of this type of malware so far has been largely associated with politically motivated hacktivists, while some of the victims have been potential targets of intelligence activity directed at or supported by nation-state intelligence organizations.

Patterns of Attack

As David McMillen reports in an IBM MSS research paper, “Wiper Malware Analysis,” such malware has been associated with attacks going back to 2008. At that time, a malware called Narilam was deployed specifically against financial and business software packages that are primarily used in Iran.

In 2009 and 2010, another pair of packages that included Wiper components, Dozer and Koredos, were deployed against victims in South Korea. In 2012, a Wiper package called Shamoon was used to cripple 30,000 computers at Saudi Aramco, while a different package, called GrooveMonitor/Maya, was reported in Iran. In 2013, a package called Dark Seoul was deployed against victims in South Korea.

The most recent attack against Sony, which has been associated with North Korea, employed Wiper software dubbed Destover.

Holding Data Hostage

The sophistication of the attack and the scope of the damage done vary widely among these Wiper malware variants. Some launch a one-time attack on a specific date and erase hard drives, while others gradually corrupt disks over a long period, during which interval they communicate with a remote command-and-control center.

Analyzing Wiper malware has been challenging because the data erasure it performs also removes the malware's own executable image, leaving little behind for forensic examination.
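As an added illustration (not code from the original article or from IBM MSS), here is a small Python detector for the three behaviours this section describes: direct overwrites of a raw disk device, a burst of file deletions from a single process, and the malware deleting its own image. The telemetry line format, process names, paths and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Hypothetical telemetry line format (constructed for this example, not from the article):
#   <ISO timestamp> pid=<n> image=<exe path> op=<OPEN|WRITE|DELETE> target=<path or device>
LINE_RE = re.compile(r"^(\S+) pid=(\d+) image=(\S+) op=(\w+) target=(\S+)$")
DELETE_BURST = 10      # this many DELETEs from one process ...
BURST_WINDOW_SEC = 30  # ... within this many seconds counts as a burst

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, image, op, target = m.groups()
    return (datetime.fromisoformat(ts), int(pid), image, op.upper(), target)

def detect_wiper_behaviour(lines):
    """Return a sorted list of (pid, reason) findings."""
    findings = set()
    recent_deletes = defaultdict(deque)  # pid -> timestamps of recent DELETE events
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, pid, image, op, target = ev
        # 1. Writing to a raw disk device: destructive wipers overwrite the disk directly.
        if op == "WRITE" and target.lower().startswith("\\\\.\\"):
            findings.add((pid, "raw disk write"))
        if op == "DELETE":
            # 2. Self-deletion: the erasure removes the malware's own image.
            if target.lower() == image.lower():
                findings.add((pid, "self-delete"))
            # 3. Burst of deletions from one process inside a sliding time window.
            q = recent_deletes[pid]
            q.append(ts)
            while (ts - q[0]).total_seconds() > BURST_WINDOW_SEC:
                q.popleft()
            if len(q) >= DELETE_BURST:
                findings.add((pid, "delete burst"))
    return sorted(findings)

def build_sample():
    """Constructed telemetry: one benign delete, then a wiper-like process 4412."""
    img = r"C:\Windows\Temp\svc.exe"
    lines = [r"2014-11-24T08:00:01 pid=1204 image=C:\Windows\explorer.exe op=DELETE target=C:\Users\a\tmp.txt",
             rf"2014-11-24T08:00:06 pid=4412 image={img} op=WRITE target=\\.\PhysicalDrive0"]
    for i in range(12):
        lines.append(rf"2014-11-24T08:00:{10 + i:02d} pid=4412 image={img} op=DELETE target=C:\Users\a\doc{i}.docx")
    lines.append(rf"2014-11-24T08:00:30 pid=4412 image={img} op=DELETE target={img}")
    return lines
```

Running `detect_wiper_behaviour(build_sample())` flags only process 4412, once for each of the three behaviours; the single explorer.exe delete produces no finding.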

Because Wiper destroys data instead of stealing it, its use so far has been primarily associated with politically motivated attacks, whether launched by freelancing ideological hacktivists or by state intelligence operatives. However, attackers can also use the threat of data erasure or exposure as a means of extortion. The scope of the Wiper malware threat may thus extend from intelligence-related activity to cybercrime motivated by a hope of financial gain.

Defending Against Wiper Malware Attacks

Wiper malware can be extremely destructive, as its role in the Sony attack has already demonstrated. As such, purely defensive tactics are insufficient.

Firms and other organizations must take proactive security steps to minimize the risks from Wiper malware. Crucial intellectual property should be isolated in hardened systems that can be accessed only through privileged connections. Important data should be backed up off-site, and organizations must institute and test an emergency response and recovery plan.

These measures will not provide immunity, but they will make firms better prepared to respond to the threat of Wiper malware.
