Oct 29, 2024|5 min|Experts

The worrying increased collaboration between nation-states and ransomware gangs

Part one of a two-part series focuses on the recent history of ransomware and wiper attacks—and the prevalent users of these types of malware.

Historically, there have been two main types of destructive cyberattacks: ransomware attacks conducted by financially motivated criminal actors and wiper attacks, also known as wiper malware, conducted by nation-states or activists to support the interests of a nation or a particular cause.

This two-part blog series examines the increasingly blurred lines between these two threat actors and how we should best prepare to be cyber-resilient in this new reality. Part one, below, focuses on the recent history of ransomware and wiper attacks—and the prevalent users of these types of malware.

The evolution of ransomware actors

Ransomware attacks were initially dominated by a few highly skilled gangs that ran their own infrastructure and could reside inside victim networks for dozens of weeks before finally encrypting their data. Scale is key here. The number of gangs was constrained by the number of people who could self-organise into a group with the technical savvy to build the tools, techniques, and procedures needed to conduct the attacks. Attacks were focused, and dwell times within victim infrastructure, before data was encrypted or the intruders were discovered, could extend into hundreds of days.

More recently, this small number of skilled ransomware groups has given way to an exponentially growing number of less technically skilled “affiliates” that use ransomware-as-a-service (RaaS) platforms to do the heavy lifting of executing the attack. Some in the OG ransomware gangs used their skills to build these RaaS platforms and took a 20% cut—on a much bigger market as a service provider—rather than 100% of the profits from the limited number of attacks they could conduct themselves.

Because of the economies of scale in operating these RaaS platforms, their operators have invested heavily in increasing the sophistication of the attacks they can conduct, including device evasion capabilities that can disable EDR/XDR solutions. They have also pivoted away from relying on social engineering for initial access, toward credential stuffing and exploiting vulnerabilities.

The rise of wiper attacks

At the same time, we have seen a significant increase in wiper attacks. Two of the nation-states believed to be the most prevalent users of this type of malware are Russia and Iran.

I have personal experience running incident responses to wiper incidents attributed to both countries. And while a ransomware incident can be highly impactful to the victim organisation, its downstream supply chain and its customers, the level of skills, resources, and sheer determination of nation-state actors make incident response and recovery even more challenging in these scenarios. Considering the global geopolitical situation in 2024, these two countries represent a significant threat.

While we live in a time of unparalleled cyber threats from wipers, these attacks have been a tool in the arsenal of nation-states for several years.

2012 Saudi Aramco wiper attack

The consulting practice I used to manage was intimately involved with the aftermath of the August 2012 Shamoon wiper attack on Saudi Aramco. The attack impacted over 30,000 workstations and took several days to respond to and recover from, despite almost unlimited resources being made available to us. The attack was timed to occur during the Islamic holy month of Ramadan, to maximise the chances that only limited resources would be available for incident response and recovery.

Initial access was through an employee clicking on a link within a phishing email. During the investigation, we discovered the attack used a signed driver called RawDisk, from Eldos, to evade Windows defences: the driver allows direct user-mode access to a hard drive without going through calls to the Windows operating system. The wiper systematically identified all directories and files, deleted them, and prevented recovery by overwriting the erased files with images of a burning U.S. flag.

2018 Winter Olympics wiper attack

Six years later, the Olympic Destroyer wiper targeted the 10,000 systems, 20,000 mobile devices, 6,300 WiFi routers, and 300 servers spread across two Seoul data centres used to power the 2018 Winter Olympics in PyeongChang, South Korea.

When the Olympic opening ceremony started, all nine domain controllers at the hub of the infrastructure were systematically wiped. Screens around the dozen Olympic stadiums went black. The security gates leading into every Olympic building locked out everyone attempting to enter. And tens of millions of users of the official Olympic app worldwide were staring at a blank screen.

Still technically at war with its neighbour to the north—a skilled cyber adversary—South Korea's PyeongChang organisers had prepared some plans in advance. The Olympics Cybersecurity Advisory Group met 20+ times in the three years running up to the games, and only months before they had extensively tested their resilience to both traditional business continuity and cyberattack scenarios.

The team in PyeongChang quickly set about building a clean room environment: an isolated capability that powered the bare minimum of services required for physical access control and the screens in the stadium, brought up with just minutes to go before the end of the opening ceremony. While they got these minimal services running, their attempts to recover the broader systems required for the Olympics failed. As soon as they recovered systems from backups or rebuilt them, the systems became reinfected within minutes and went down again.

They’d mistakenly treated a cyberattack like a traditional disaster recovery scenario. They recovered from their last backup and skipped over the incident response stages of investigating the incident to understand the root cause and mitigate those threats.

Eventually, after several unsuccessful recovery attempts, the team in PyeongChang decided to create an isolated investigatory environment—what we refer to as a clean room in digital forensics and incident response—where they could systematically investigate how the incident unfolded and hunt down the root cause. Once the root cause was found, a third-party security contractor working on behalf of the PyeongChang Olympic organisers created an Indicator of Compromise that helped isolate and eradicate the persistence mechanisms, and the remaining systems could be brought up.

Volt Typhoon

In addition to the threat of wipers from Russia and Iran, a new threat actor may be laying the groundwork for a future wiper attack. Volt Typhoon is suspected of being a threat actor associated with the People’s Republic of China—but it does not demonstrate the usual pattern of targets and objectives of Chinese threat actors. China’s objectives to date have focused on cyber espionage or intelligence-gathering operations. But Volt Typhoon is instead targeting critical national infrastructure such as communications, energy, transportation, and water and wastewater systems without evidence of data exfiltration.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) determined that Volt Typhoon actors are pre-positioning themselves to enable lateral movement to assets that control critical infrastructure, so that they can disrupt functions. CISA notes that Volt Typhoon has strong operational security and is adept at living-off-the-land techniques, allowing for long-term undiscovered persistence. CISA suggests there is evidence that the threat actor has been present in some victims' infrastructure for over five years.

Key takeaway

Whether in response to ransomware or wiper attacks, having the right process and environment in place to recover, investigate the incident, and eliminate the vulnerabilities, gaps in security, and persistence mechanisms is critical to preventing further attacks and outages. This is especially true for attacks launched by nation-states adept at stealthily maintaining persistence for hundreds of days, which can mean that every generation of backups has elements of the attack path in it.
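As an added illustration of the recovery logic behind the PyeongChang clean room and this takeaway (this is example code written for this article, not code from the post or from Cohesity): each backup generation is scanned against the Indicators of Compromise that the clean-room investigation produced, and only the newest generation with no hits is a candidate for restore. The IoC values, file hashes, task and service names, and the backup history are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed IoCs of the kind a clean-room investigation yields (hypothetical values, not real malware).
DROPPER_SHA256 = hashlib.sha256(b"constructed dropper sample, not real malware").hexdigest()
IOCS = {
    "file_sha256": {DROPPER_SHA256},
    "scheduled_task": {r"\Microsoft\Windows\Maintenance\svc_refresh"},  # hypothetical persistence task
    "service_name": {"WinSysUpdateSvc"},                                  # hypothetical persistence service
}

@dataclass
class BackupGeneration:
    label: str
    taken: str                                        # ISO date the backup was captured
    files: dict = field(default_factory=dict)         # path -> sha256 of the file in the backup
    scheduled_tasks: set = field(default_factory=set)
    services: set = field(default_factory=set)

def scan_generation(gen, iocs):
    """Return every IoC match found in one backup generation, as (kind, value) pairs."""
    hits = [("file", p) for p, h in gen.files.items() if h in iocs["file_sha256"]]
    hits += [("scheduled_task", t) for t in sorted(gen.scheduled_tasks & iocs["scheduled_task"])]
    hits += [("service", s) for s in sorted(gen.services & iocs["service_name"])]
    return hits

def last_clean_generation(generations, iocs):
    """Newest generation with no IoC hits, or None when every generation carries the attack path."""
    for gen in sorted(generations, key=lambda g: g.taken, reverse=True):
        if not scan_generation(gen, iocs):
            return gen
    return None

# Constructed backup history: persistence landed between the 2024-09-01 and 2024-09-08 backups,
# so restoring "the last backup" (weekly-3) would bring the persistence mechanism straight back.
GENERATIONS = [
    BackupGeneration("weekly-1", "2024-09-01", {"C:/Windows/System32/svchost.exe": "benign-hash"}),
    BackupGeneration("weekly-2", "2024-09-08",
                     {"C:/ProgramData/refresh.exe": DROPPER_SHA256},
                     {r"\Microsoft\Windows\Maintenance\svc_refresh"}),
    BackupGeneration("weekly-3", "2024-09-15",
                     {"C:/ProgramData/refresh.exe": DROPPER_SHA256},
                     {r"\Microsoft\Windows\Maintenance\svc_refresh"}, {"WinSysUpdateSvc"}),
]

if __name__ == "__main__":
    for g in GENERATIONS:
        print(g.label, scan_generation(g, IOCS))
    clean = last_clean_generation(GENERATIONS, IOCS)
    print("restore from:", clean.label if clean else "no clean generation; rebuild from a gold image")
```

When `last_clean_generation` returns None, every generation is tainted and the honest answer is a rebuild rather than a restore.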


Written by

James Blake

Global Cyber Resiliency Strategist

James leads cyber resilience strategy at Cohesity. He brings extensive hands-on experience in leading incident response in dozens of ransomware and wiper incidents; as the former CISO of Mimecast and Global Director of Cyber Transformation at JPMorgan Chase; and having led a consultancy practice that built the end-to-end security operation center capability for over 91 organizations including over two dozen in the FORTUNE 100.
