A wiper is a type of malware with a single purpose: to erase data beyond recovery. Wipers have been used to cripple the networks of public and private organisations in sectors ranging from industry to government. Threat actors mostly use wipers to cover up the traces left after an intrusion, weakening the victim’s ability to respond.
Broadly, there are two mechanisms that wiper malware employs:
Threat actors today typically incorporate a mix between the two approaches to achieve the greatest damage in the shortest amount of time possible.
Some wipers go one step further and attempt to destroy the contents of the disk itself, not just individual files. This approach gives attackers several advantages and makes recovery more difficult, if not impossible. Because files may be fragmented across the disk, wiping them file by file forces the hard disk drive’s actuator arm to seek to many locations, which slows the wipe down. Overwriting the raw sectors in sequential order drastically increases the speed of the operation. The same holds on modern solid-state drives, where sequential access is still faster than random access.
Wiping raw sectors also removes any file system information: partition tables, journals, parity data, metadata and even OS-protected files. These operations are equivalent to a raw full-disk format, ensuring that files cannot be recovered via any forensic methods.
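As an added forensic-triage example (not from the original advisory), the following Python inspects the first two sectors of a raw disk image and reports whether the MBR boot signature and GPT header signature still survive, distinguishing an intact partition table from a zero-filled or high-entropy overwrite of the kind a sequential raw-sector wipe leaves behind. The sample images are constructed in the code, not real captures.

```python
import math
from collections import Counter

SECTOR = 512
MBR_SIG = b"\x55\xaa"   # boot signature at bytes 510-511 of LBA 0
GPT_SIG = b"EFI PART"   # GPT header signature at the start of LBA 1


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for a zero-filled buffer, 8 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage_boot_sectors(image: bytes) -> dict:
    """Classify LBA 0 and LBA 1 of a raw disk image: are the MBR boot signature
    and GPT header still present, or has the area been zero-filled or replaced
    by high-entropy data (what a sequential raw-sector overwrite leaves behind)?"""
    head = image[:2 * SECTOR]
    if len(head) < 2 * SECTOR:
        return {"mbr_signature": False, "gpt_header": False,
                "entropy": 0.0, "verdict": "truncated image"}
    mbr_ok = head[510:512] == MBR_SIG
    gpt_ok = head[SECTOR:SECTOR + 8] == GPT_SIG
    ent = shannon_entropy(head)
    if mbr_ok or gpt_ok:
        verdict = "partition structures present"
    elif not any(head):
        verdict = "zero-filled"
    elif ent > 7.0:
        verdict = "high-entropy overwrite"
    else:
        verdict = "unrecognised"
    return {"mbr_signature": mbr_ok, "gpt_header": gpt_ok,
            "entropy": round(ent, 2), "verdict": verdict}


# Constructed sample images (in-memory byte strings, not real disk captures).
def sample_intact() -> bytes:
    lba0 = bytearray(SECTOR)
    lba0[510:512] = MBR_SIG   # protective MBR
    lba1 = bytearray(SECTOR)
    lba1[:8] = GPT_SIG        # GPT header
    return bytes(lba0 + lba1)

def sample_zeroed() -> bytes:
    return bytes(2 * SECTOR)

def sample_overwritten() -> bytes:
    # deterministic pattern visiting every byte value equally often (entropy 8.0)
    return bytes((i * 167 + 13) % 256 for i in range(2 * SECTOR))
```

On a real image, pass the first 1024 bytes of the device or image file; a "zero-filled" or "high-entropy overwrite" verdict at LBA 0 and 1 means the partition table itself is gone and file-level recovery tools will have nothing to anchor on.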
Wiper malware is a prime example of the convergence between APT-style activity and general cybercrime. Wipers are a tactic we typically observe being used by nation-state actors, whereas non-APT cybercrime groups usually distribute malware such as ransomware.
Wiper malware isn’t new—the first instance surfaced in 2012—yet we’re seeing a growing trend of cyber criminals using these more destructive and sophisticated attack techniques and doing so in OT environments. In the first six months of 2022, we observed at least eight significant new wiper variants—WhisperGate, HermeticWiper, AcidRain, IsaacWiper, DesertBlade, CaddyWiper, DoubleZero, and Industroyer.V2—used by attackers in various targeted campaigns against government, military, and private organizations.
This number is important because it is nearly as many wiper variants as were publicly detected in total over the previous 10 years. While we saw a substantial increase in the use of this attack vector in conjunction with the war in Ukraine, disk-wiping malware was also detected in 24 additional countries. Microsoft has counted 237 cyber-operations against Ukraine related to the war, including 40 destructive attacks using wiper malware.
Hackers allegedly connected to the Iranian government have been accused of targeting diamond companies in South Africa, Israel and Hong Kong with a wiper malware built to destroy data.
While there have been no reports of cyber threats to Pakistani organisations in relation to the events in and around Ukraine, organisations are encouraged to take the necessary precautionary measures to defend themselves against wiper malware attacks, given their intensified use. These measures are similar to those for defending against ransomware. For example, organisations may consider: