Now you see it, now you don't: wipers in the wild

Wednesday 3 October 14:30 - 15:00, Green room

Saher Naumaan (BAE Systems)



Wipers are an APT’s new best friend. Traditionally, destructive malware appears rarely in cyber espionage and generally runs counter to the conventional interests of an APT - intelligence collection/data exfiltration, persistence, and covert access, for example. Wiper malware now seems to be manifesting more often, emerging in APT toolkits and being found in at least five wiper attacks occurring in just 2017, despite only a handful of other major attacks in the last decade. The minimal instances of destructive operations over the last several years suggest how cautious APT groups are about using wipers. Does this mean the motivations of state actors are changing? What are the different uses of these wipers?

This paper will examine three different classifications of wipers through examples of various politically targeted attacks: espionage, sabotage and diversion. Espionage will reference the usual motivations of state actors, while incorporating a new tactic; this will also describe the unusual appearances of wiper functionality in intrusions without its use in the wild. Sabotage will cover prominent examples such as Narilam, Shamoon, DarkSeoul and BlackEnergy, which show the effects of deliberate system destruction. Finally, 2017 will highlight the emergence of a new attacker strategy behind wiper use in NotPetya and the Taiwan SWIFT bank heist - diversion.

This paper will argue that wipers have become a low-cost way for state actors to conduct destructive attacks, which have significantly more impact on victims, as well as impede investigation into primarily non-destructive attacks. It will evaluate the new trend among APTs and conclude with an assessment of costs for defenders, both political and financial.

 


Saher Naumaan

Saher Naumaan is a threat intelligence analyst at BAE Systems Applied Intelligence and a rising star in the industry. Her current research is on state-sponsored cyber espionage with a focus on threat groups and activity in the Middle East. Saher specialises in analysis covering the intersection of geopolitics and cybersecurity, and regularly speaks at events and conferences around the world. Earlier this year, she also organised RESET, Europe’s first cybersecurity conference with an all-female speaker line-up. Prior to working at Applied Intelligence, Saher graduated from King’s College London with a Master’s degree in intelligence and security, where she received the Barrie Paskins Award for Best MA dissertation in War Studies.

@saffronsec


