Using the Ukraine invasion timeline, full of DDoS attacks, hacktivists and data-wiping malware, SentinelOne researchers examined the real-world impact of cyber war.
Tom Hegel, senior threat researcher at SentinelOne, and Juan Andrés Guerrero-Saade, principal threat researcher at SentinelOne, kicked off their Black Hat 2022 session Tuesday by calling the term cyber war "terrible." From a Western context, Guerrero-Saade said it is associated with its "own domain of warfare -- self-contained and self-sufficient -- which is not a reality of war."
To demonstrate the reality of the ongoing conflict, Hegel and Guerrero-Saade analyzed the preparation leading up to the invasion, looked at incidents that occurred in the first weeks and months, broke down the known wipers, and assessed the sophistication levels and goals of those attacks, whether destructive or espionage-oriented. They observed certain aspects of this conflict that demonstrated a change in the cybersecurity industry.
One prime example was the increased use of data-wiping malware, such as HermeticWiper, AcidWiper, WhisperGate and CaddyWiper.
"Before this, there were maybe a dozen wipers used by nation-states. Wipers weren't something you saw every day," Guerrero-Saade said during the session.
Since the beginning of 2022, SentinelOne has observed at least seven strains of wiper malware targeting Ukraine. An important question addressed during the session was: Why are there so many wipers? The researchers said they believe it reflects more on a biased observation and a lack of telemetry.
"What you're seeing is the activity we're meant to see. The reason wipers weren't very popular with nation-states before is you had to make a decision to lose the access you had, that you could have had for two years, in order to make a political statement," Guerrero-Saade said during the session.
Guerrero-Saade told SearchSecurity that, while most of the attacks have been wipers and DoS attacks, the discovery of new industrial control system (ICS) malware called Incontroller was alarming.
"That was a professional job by a skilled contractor to create new [ICS] malware, and it's great that they discovered it before it was deployed, but we have no idea where they were planning to use it," he said.
Varying levels of preparation
The researchers also raised the question of whether the wiper deployments were random or tactical. Believing that the Russians are incredibly well organized and are coordinating their data-wiping malware with kinetic attacks, for example, is giving them too much credit, according to Guerrero-Saade.
The earliest data SentinelOne had came from ESET and dates to October 2021, which speaks to the level of preparation. Some of the tooling suggests it had already been sitting around for a while, the researchers said, while other tools were thrown together to support the war effort.
While examining the Linux side of the attacks, they observed a decent amount of obfuscation. The attacks weren't just deleting directories and disks, but also purging memory.
However, after deobfuscating, they found the main logic was simple.
"You can complain as much as you want about Windows, but this is a 200-line script that can just break a Linux system," Guerrero-Saade said.
From their perspective, Hegel said, the Linux-side malware and tools appear to have been slammed together. Guerrero-Saade also raised the possibility that it could be a statement on how poor Linux security is, and that they simply hadn't caught it before.
Reality versus expectations
One concern among the infosec community that stemmed from the war was the possibility of spillover attacks, similar to the effects of NotPetya, a series of malware attacks that hit Ukraine in 2017.
To spread HermeticWiper, a wormable component ESET dubbed HermeticWizard was deployed. Guerrero-Saade emphasized the importance of not drawing unnecessary correlations from HermeticWizard to NotPetya.
"We are sort of expecting to see the same thing, these wipers that are going to spread themselves all over the place, but we have seen not what I would call 'restraint,' but some sort of operational decision to not let things spread like wildflower," Guerrero-Saade said during the session. "Instead, they used these accesses in more contained ways."
The researchers also found it particularly interesting to see the return of Industroyer, dubbed Industroyer2 by ESET, even though it was unsuccessful the second time around. The original malware took down Ukraine's power grid in 2016.
Another reality was how quickly new developments occurred. Every week, the researchers observed new targets and new malware. Keeping track of those threats, and of what was actually happening on the ground, proved difficult. Determining who was telling the truth, for example, became increasingly hard after the invasion, with hacktivists such as Conti initially declaring public support for Russia.
Guerrero-Saade said it was an interesting shift from what they see as the norm in the threat landscape.
Hegel told SearchSecurity that, while many Russian cyber attacks against Ukraine have been successful, there have been many misses as well. One example was PartyTicket, ransomware that did not work as intended.
"They were going crazy trying to get into Ukrainian media and telecom organizations, slamming them with mass phishing attempts. But it was a spray-and-pray [approach], and it was poorly done," Hegel said.
During the session, the researchers applauded Ukraine's CERT-UA for providing up-to-date alerts, which they said made a massive difference to global perceptions of what was happening. The alerts also enabled threat researchers to dive in and examine the activity.
"A lot of people don't talk about this, but the industry as a whole relied on those alerts to get early insight into activity," Guerrero-Saade said during the session.
Going forward, Hegel said, there is still much that is unknown. He also raised the potential for increased activity heading into winter.
Another possibility Guerrero-Saade addressed to SearchSecurity is that Russia may attack Western European nations that have supported Ukraine and moved away from Russia as a major supplier of oil and gas.
Security news editor Rob Wright contributed to this report.