Now you see it, now you don't: wipers in the wild

Wednesday 3 October 14:30 - 15:00, Green room

Saher Naumaan (BAE Systems)



Wipers are an APT’s new best friend. Traditionally destructive malware appears rarely in cyber espionage and generally runs counter to the conventional interests of an APT - intelligence collection/data exfiltration, persistence, and covert access, for example. Wiper malware now seems to be manifesting more often, emerging in APT toolkits and being found in at least five wiper attacks occurring in just 2017, despite only a handful of other major attacks in the last decade. The minimal instances of destructive operations over the last several years suggests how cautious APT groups are about using wipers. Does this mean the motivations of state actors are changing? What are the different uses of these wipers?

This paper will examine three different classifications of wipers through examples of various politically targeted attacks: espionage, sabotage and diversion. Espionage will reference the usual motivations of state actors, while incorporating a new tactic; this will also describe the unusual appearances of wiper functionality in intrusions without its use in the wild. Sabotage will cover prominent examples such as Narilam, Shamoon, DarkSeoul and BlackEnergy, which show the effects of deliberate system destruction. Finally, 2017 will highlight the emergence of a new attacker strategy behind wiper use in NotPetya and the Taiwan SWIFT bank heist - diversion.

This paper will argue that wipers have become a low-cost way for state actors to conduct destructive attacks, which have significantly more impact on victims, as well as impede investigation into primarily non-destructive attacks. It will evaluate the new trend among APTs and conclude with an assessment of costs for defenders, both political and financial.



Other VB2018 papers

Tracking Mirai variants

Ya Liu (Qihoo)
Hui Wang (Qihoo)

Under the hood - the automotive challenge

Inbar Raz (Argus Cyber Security)

Last-minute paper (TBA)