War, weapons, and wipers
By Max Kersten · March 31, 2022
In recent weeks, Ukrainian companies have been targeted by wipers, likely created by pro-Russian actors. There has been a lot of talk about a “cyber war” and the use of “cyber weapons.” While the digital domain is certainly being (ab)used, there is a lot more nuance to it. This blog goes into the impact of wipers, what can be done to prevent such an attack, and how to recover from one.
This blog focuses on digital aspects and compares them to their physical-world counterparts, with regard to digital threats and a potential digital war. The horrendous and inhumane circumstances which many now face in Ukraine are not meant to be marginalised in any way or form. For those willing to help, please donate to known and verified humanitarian organisations.
An interconnected world
The digital domain is part of everybody’s life, wanted or not. On top of that, the pandemic has sped up numerous digital integrations into our lives. In short, the world has digitalised even further, and there is no decline in sight. Our dependency on computers directly shows why digital attacks are a much-covered topic. Attackers can have numerous goals when attacking an entity, ranging from monetary gain to state-backed espionage or warfare.
Most digital attacks do not require any physical presence near the target(s), which makes the attack comparatively safe to execute, unlike traditional espionage. The attribution of a digital attack is difficult, to say the very least, as an attacker with proper operational security can conceal their identity. As an example: an attack can come from a Greek server, rented using an American credit card in the name of a Singaporean, stolen by a Dutch criminal, and bought and used by a German hacker. The plethora of geographic locations requires international collaboration between law enforcement agencies, which is even harder during international conflicts.
The increased difficulty of law enforcement collaboration and the ever more interconnected world would seem to make a digital war more likely than ever, but that raises the question of whether such a statement is true.
Espionage, be it digital or traditional, has existed throughout history. Understanding your enemies gives an advantage over your opponents. In that sense, the digital war started decades ago, albeit invisibly to the public. The visible digital aspect, generally the havoc caused, does reach the public in some cases. Two examples show the near-direct impact on people’s everyday lives. Firstly, the oil price rose when Colonial Pipeline suffered a digital security incident in May 2021, as reported by NASDAQ. Secondly, a digital security incident at Bakker, a Dutch logistics company, left supermarkets without cheese for several days in August 2021, aptly dubbed the “Cheese hack” by the Dutch media.
A wiper’s impact
Communication is key in nearly all situations, and even more so in wartime, where communication is literally vital to survival. A wiper’s sole purpose, from which its name is derived, is to wipe the device it is executed on, and potentially other connected devices. If the execution is successful, the device is rendered useless. Whether back-ups are available or not, the machines do not function at all. The recovery of a single machine might not take long, but the restoration after a company- or government-wide attack can take months, with a very high likelihood of data loss, even if back-ups were made.
Just prior to Russia’s invasion of Ukraine, the WhisperGate wipers were used in an attack against Ukrainian victims. The first wipers deleted files from the machine and destroyed the master boot record, which wiped even more files from the disk. In short, the master boot record is responsible for loading the operating system, and code running at that stage has write access to every sector of the attached storage disk(s). The wipers’ internals were straightforward; the master boot record wiper was not without mistakes, yet it remained effective.
Later, the HermeticWiper was used by a pro-Russian actor to, once again, attack Ukraine-based victims. The internals of this sample were much more complex than those of the above-mentioned WhisperGate wipers. It traversed the file system’s structure, wiped files, and corrupted the device’s boot record.
Other attacks, such as HermeticRansom, IsaacWiper, or DoubleZero, performed similar activities, destroying the means of communication of the systems they are executed on. The Russian invasion of Ukraine is still ongoing, and the wiper attacks have attempted to further destabilise Ukrainian IT systems. While the attacks may have had some success, the IT infrastructure seems to remain intact enough, and the focus of the war has moved from a digital one towards a ballistic one, as artillery is currently levelling Ukrainian cities and citizens fear for their lives.
The focus of pro-Russian actors can also be diverted from Ukraine towards other countries, such as those that actively protest or work against the Russian invasion, or those that impose(d) sanctions on Russia. The White House issued a warning to all regarding potential Russian retaliation.
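To make the role of the master boot record concrete from a defender’s side, the following added example (not code from the original post or from any of the wipers discussed) parses the classic 512-byte MBR layout: 446 bytes of boot code, four 16-byte partition entries starting at offset 446, and the 0x55AA signature in the last two bytes. It then runs a simple integrity check that an incident responder or backup-validation job could apply to the first sector of a disk image to tell an intact boot record from an overwritten one. The sample sector, the partition values in it, and the hash baseline are all constructed for this example.

```python
"""Boot-sector (MBR) integrity check. Added example; the sample MBR is constructed."""
import hashlib
import struct
from typing import Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
# status, 3 bytes CHS start (skipped), type, 3 bytes CHS end (skipped), LBA start, sector count
PARTITION_ENTRY_FORMAT = "<B3xB3xII"


def build_sample_mbr() -> bytes:
    """Construct a minimal, plausible MBR with one bootable NTFS (type 0x07) partition."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xfa\x33\xc0"    # placeholder 'boot code' bytes (constructed, not real loader code)
    entry = struct.pack(PARTITION_ENTRY_FORMAT, 0x80, 0x07, 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode the signature and the non-empty partition entries of a 512-byte sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, count = struct.unpack(
            PARTITION_ENTRY_FORMAT, sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue  # unused entry
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sector_count": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "sha256": hashlib.sha256(sector).hexdigest(),  # baseline value to store with the backup
    }


def check_boot_sector(sector: bytes, expected_sha256: Optional[str] = None) -> list:
    """Return a list of findings; an empty list means the boot sector looks intact."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if not info["partitions"]:
        findings.append("no partition entries")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition flagged")
    if expected_sha256 is not None and info["sha256"] != expected_sha256:
        findings.append("sector hash differs from baseline")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["sha256"]
    print("intact sector:", check_boot_sector(good, baseline))
    print("zeroed sector:", check_boot_sector(bytes(MBR_SIZE), baseline))
```

Recording the SHA-256 of the first sector alongside a backup lets a restore job verify that the boot record it is about to write back is the one that was saved, rather than a copy taken after the damage was done; the structural checks catch the common case of a sector that was simply zeroed or filled with junk.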
Prevention and mitigation
Telemetry reports from numerous security companies show the attacker’s presence before the execution of the wipers. The deletion, or overwriting, of files is similar to ransomware, in the sense that files and systems are rendered unusable. Updating systems and software will help to both deter and slow down attackers. A segmented network, providing multiple layers of security, together with security software, will give the Security Operations Center (SOC) the timely alerts it needs to remediate incidents before they spread.
For individual users, please be wary of e-mails which ask for sensitive data, especially if there is a sense of urgency involved. When in doubt, contact your internal security team for their expertise.
If an infection does take place, the affected systems need to be restored from a recent back-up. The attacker’s entry point needs to be located and removed, thus ensuring the attacker cannot repeat the same steps to re-infect the machine(s).
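The paragraph above relies on security software producing alerts early enough for the SOC to act. As an added example (not code from the original post or from any vendor product), the following detection logic runs over a few constructed file-activity events and raises two kinds of alert: a process deleting or overwriting many files within a short window, which is the ransomware-like behaviour the text describes, and a process writing to a raw disk device, which is what overwriting a boot record requires. The event format (timestamp, host, process image, action, target path), the host names, process paths and thresholds are all assumptions made for this example; a real deployment would map them onto whatever endpoint telemetry is available.

```python
"""Wiper-style behaviour detection over constructed endpoint telemetry. Added example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real product logs).
# Format: ISO timestamp, host, process image, action, target path.
SAMPLE_EVENTS = r"""
2022-03-01T21:03:01Z ws01 C:\Windows\explorer.exe FileWrite C:\Users\a\report.docx
2022-03-01T21:03:05Z ws01 C:\temp\upd.exe FileDelete C:\Users\a\Documents\q1.xlsx
2022-03-01T21:03:06Z ws01 C:\temp\upd.exe FileDelete C:\Users\a\Documents\q2.xlsx
2022-03-01T21:03:06Z ws01 C:\temp\upd.exe FileDelete C:\Users\a\Documents\notes.txt
2022-03-01T21:03:07Z ws01 C:\temp\upd.exe FileDelete C:\Users\a\Desktop\plan.pdf
2022-03-01T21:03:07Z ws01 C:\temp\upd.exe FileDelete C:\Users\a\Desktop\todo.txt
2022-03-01T21:03:09Z ws01 C:\temp\upd.exe FileWrite \\.\PhysicalDrive0
2022-03-01T21:10:00Z ws02 C:\Windows\System32\svchost.exe FileWrite C:\Windows\Temp\cache.tmp
""".strip().splitlines()

DESTRUCTIVE_ACTIONS = {"FileWrite", "FileDelete"}
RAW_DEVICE_PREFIX = "\\\\.\\"   # Windows raw device namespace, e.g. \\.\PhysicalDrive0


def parse_event(line: str) -> dict:
    """Split one event line into its fields; the path is the remainder of the line."""
    ts, host, image, action, path = line.split(" ", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "image": image, "action": action, "path": path}


def detect(lines, window_seconds: int = 60, threshold: int = 5) -> list:
    """Return (rule, process image, detail) tuples for suspicious activity.

    mass_file_destruction fires once per (host, process) when at least `threshold`
    writes/deletes happen within `window_seconds`; raw_device_write fires on every
    write to a raw device path.
    """
    alerts = []
    recent = defaultdict(deque)   # (host, image) -> timestamps of recent destructive events
    flagged = set()
    window = timedelta(seconds=window_seconds)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (ev["host"], ev["image"])
        if ev["action"] == "FileWrite" and ev["path"].startswith(RAW_DEVICE_PREFIX):
            alerts.append(("raw_device_write", ev["image"], ev["path"]))
        if ev["action"] in DESTRUCTIVE_ACTIONS:
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop events outside the sliding window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("mass_file_destruction", ev["image"],
                               f"{len(q)} writes/deletes in {window_seconds}s"))
    return alerts


def run_sample() -> list:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The sliding window keeps state per host and process so that ordinary bulk activity on one machine does not mask or inflate counts on another; the threshold and window are the knobs to tune against a baseline of normal activity, and the raw-device rule is deliberately unconditional because legitimate user-land processes rarely need to write to a disk device directly.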