War, weapons, and wipers

By Max Kersten · March 31, 2022

In the recent weeks, Ukrainian companies have been targeted by wipers, likely created by pro-Russian actors. There has been a lot of talk about a “cyber war” and the usage of “cyber weapons.” Whereas the digital domain is certainly (ab)used, there’s a lot more nuance to it. This blog will go into the impact of wipers, what can be done to prevent such an attack, and how to recover from such an attack.

This blog focuses, and compares, digital aspects to those in the physical life, with regards to digital threats and a potential digital war. The horrendous and inhumane circumstances which many now face in Ukraine are not meant to be marginalised in any way or form. For those willing to help, please donate to known and verified humanitarian organisations.

An interconnected world

The digital domain is part of everybody’s life, be it wanted or unwanted. To add to that, the pandemic has sped up numerous digital integrations into our lives. In short, the world has digitalised even further, and there’s no decline in sight. Our dependency on computers directly shows why a digital attack is a much-covered topic. Attackers can have numerous goals to attack an entity, ranging from monetary gain to state-backed espionage or warfare.

Most digital attacks do not require any physical presence near the target(s), which makes the attack safe to execute, unlike traditional espionage. The attribution of a digital attack is difficult, to say the very least, as an attacker can conceal their identity when having proper operational security. As an example: an attack can come from a Greek server, which is rented using an American credit card on the name of a Singaporean, stolen by a Dutch criminal, which is bought and used by a German hacker. The plethora of different geographic locations requires international collaboration for law enforcement agencies, which can be even harder due to international conflicts.

Digital war

The increased difficulty of law enforcement collaboration and the continuously interconnected world would seem to make a digital war more likely than ever, but it begs the question if such a statement is true.

Espionage, be it digital or traditional, is of all times. Understanding enemies gives an advantage over your opponents. The digital war, in that sense, has already started decades ago, albeit invisible for the public. The visible digital aspect, generally the havoc caused, is visible for the public in some cases. Two examples which show the near direct impact in the everyday life of people. Firstly, the oil price rose when Colonial Pipeline suffered a digital security incident in May 2021, as reported by NASDAQ. Secondly, due to a digital security incident at Bakker, a Dutch logistics company, caused there to be no cheese in supermarkets for several days in August 2021, aptly dubbed “Cheese hack” by the Dutch media.

A wiper’s impact

Communication is key in nearly all situations. But even more so in wartime, where communication is literally vital to survive. A wiper’s sole purpose, from which its name is derived, is to wipe the device it is executed on, and potentially other connected devices. If the execution is successful, the device is rendered useless. Whether back-ups are available or not, the machines do not function at all. The recovery of a single machine might not take long, but the restoration of a company or government wide attack can take months, with a very high likelihood of data loss, even if back-ups were made.

Just prior to Russia’s invasion into Ukraine, the WhisperGate wipers were used in an attack towards Ukrainian victims. The first wipers deleted files from the machine, and destroyed the master-boot record, which wiped even more files from the disk. In short, the master-boot record is responsible to load the operating system, thus having access to write to every sector of the attached storage disk(s). The wiper’s internals were straightforward, where the master-boot record wiper was not without mistakes, yet it remains effective.

Later, the HermeticWiper was used by a pro-Russian actor to, once again, attack Ukraine based victims. The internals of this sample were much more complex than the above-mentioned WhisperGate wipers. It traversed through the file system’s structure, wiped files, and corrupted the device’s boot record.

Other attacks, such as HermeticRansom, IsaacWiper, or DoubleZero, performed similar activities, and destroy the communication means of the systems they are executed on. The Russian invasion of Ukraine is still on-going, and the wiper attacks have attempted to further destabilise the Ukrainian IT systems. While the attacks may have had some success, the IT infrastructure seems to remain intact enough, and the focus of the war has moved from a digital war towards a ballistic one, as artillery is currently levelling Ukrainian cities and citizens fear for their lives.

The focus of pro-Russian actors can also be diverted from Ukraine towards other countries, such as those who actively protest or work against the Russian invasion, or to those who impose(d) sanctions on Russia. The White House provided a warning to all, with regards to the potential Russian retaliation.

Prevention and mitigation

Telemetry reports from numerous security companies show the attacker’s presence before the execution of the wipers. The deletion, or overwriting, of files is similar to ransomware, in the sense that files and systems are rendered unusable. Updating systems and software will help to both deter and slow attackers down. A segmented network, providing multiple layers of security, with the help of security software will provide the Security Operations Center (SOC) with timely alerts to remediate incidents in a timely manner.

For individual users, please be wary of e-mails which ask for sensitive data, especially if there is a sense of urgency involved. When in doubt, contact your internal security team for their expertise.

If an infection does take place, the affected systems need to be restored to a recent back-up. The attacker’s entry point needs to be localised and removed, thus ensuring the attacker cannot repeat the same steps to re-infect the machine(s).