The increased use of disk wipers in cyberattacks that began with Russia's invasion of Ukraine early last year has continued unabated, and the malware has transformed into a potent threat for organizations in the region and elsewhere.
Researchers at Fortinet recently analyzed attack data from the second half of 2022 and observed a startling 53% increase in threat actor use of disk wipers between the third and fourth quarters of the year. The trajectory suggests there will be no slowing down any time soon, the security vendor said.
Russia-based advanced persistent threat (APT) groups — working in support of the country's military objectives in Ukraine — accounted for a lot of the initial surge in wiper use and continued activity last year. However, Fortinet's data shows that others, including financially motivated cybercriminals, hacktivist groups, and other individuals fueled the increase as well, especially toward the end of 2022.
Leading up to last year, wiper activity tended to be almost nonexistent, according to Geri Revay, security researcher with Fortinet's FortiGuard Labs. But since the conflict between Russia and Ukraine started, threat actor use of the malware has exploded, he says.
"In 2022 alone we saw 16 different families targeted at 25 countries around the world," Revay says. "In the second half of the year, we also started seeing a new breed of wipers, with some even open source and on GitHub, making it much more readily available for advanced persistent cybercrime campaigns," he says.
A Wiper Malware Medley
Fortinet's report highlights several wiper families that it perceives as presenting a major threat to organizations based on threat actor use over the past year. Among the biggest of them is HermeticWiper, a wiper that erases and overwrites a compromised system's master boot record. The wiper first surfaced in attacks against Ukrainian organizations in 2021. Fortinet said it observed a significant spike in activity last year involving HermeticWiper in November that become even more pronounced in December.
Other wipers that the security vendor observed threat actors using widely in attacks last year include WhisperGate, a malware strain that looks like ransomware on the surface but has no data recovery mechanism; NotPetya; DoubleZero; and IsaacWiper. Analysts have previously identified Russia's military intelligence group as likely being behind WhisperGate. Interestingly, Shamoon, a wiper that was used in an attack that bricked thousands of PCs at Saudi Aramco more than a decade ago, also remained popular among actors last year. Fortinet's data showed Shamoon to be one of the most widely used wipers in destructive attacks last year.
Currently, the main motivation for the use of wiper malware appears to be focused around cyberwar and hacktivism, Revay says. But that doesn't mean threat actors won't use it in other ways, like using wipers to sabotage systems or to destroy evidence of a cybercrime.
"Sabotage is the most obvious reason to deploy a wiper," Revay notes. "Just as Stuxnet was used to destroy centrifuges to slow down Iran's efforts to develop nuclear weapons, wiper malware could be used to destroy data, sabotage development, cause financial loss, or just cause chaos." And using wipers to destroy evidence, while noisy, also gets the job done for attackers and is much simpler than removing all log files and malware, he says.
New Breed of Wipers
Fortinet's report is among several that have highlighted a sharp increase both in disk wiper use and disk wiper variety over the past year. While Fortinet's research showed that threat actors used 16 wiper families in attacks last year, another report from Max Kersten, a malware analyst at Trellix, identified more than 20 wiper families that threat actors used in destructive attacks last year.
Ukrainian organizations remain primary targets, as one recent attack against the country's main news agency involving the use of five separate wiper variants demonstrated. But organizations in other countries are under growing risk of attack, too. Fortinet, for instance, found WhisperGate and HermeticWiper were both most prevalent outside Europe. More organizations in Africa and Asia experienced attacks involving the two wiper families than organizations in Europe. And North America, overall, continues to experience the least wiper activity, the security vendor said.
"Most of the wiper attacks were targeting Ukrainian organizations in 2022, but that could easily have a spillover effect on other countries," Revay says. As an example, he points to one incident where an attack that targeted a Ukrainian satellite communication provider ended up taking 5,800 German wind turbines offline.
In terms of how to prepare and how to respond to a wiper attack, "it is very similar to a ransomware incident," Revay tells Dark Reading. "If the ransom is not paid, which is the recommended approach, a ransomware can be also considered a wiper, because without the decryption key the encrypted data is as good as lost."