Now you see it, now you don't: wipers in the wild

Presented at VB2018, Oct. 3, 2018, 2:30 p.m. (30 minutes).

Wipers are an APT's new best friend. Traditionally, destructive malware appears rarely in cyber espionage and generally runs counter to the conventional interests of an APT - intelligence collection/data exfiltration, persistence, and covert access, for example. Wiper malware now seems to be manifesting more often: it is emerging in APT toolkits and was found in at least five wiper attacks in 2017 alone, despite only a handful of other major attacks in the last decade. The minimal instances of destructive operations over the last several years suggest how cautious APT groups are about using wipers. Does this mean the motivations of state actors are changing? What are the different uses of these wipers?

This paper will examine three different classifications of wipers through examples of various politically targeted attacks: espionage, sabotage and diversion. Espionage will reference the usual motivations of state actors, while incorporating a new tactic; this will also describe the unusual appearances of wiper functionality in intrusions without its use in the wild. Sabotage will cover prominent examples such as Narilam, Shamoon, DarkSeoul and BlackEnergy, which show the effects of deliberate system destruction. Finally, 2017 will highlight the emergence of a new attacker strategy behind wiper use in NotPetya and the Taiwan SWIFT bank heist - diversion.

This paper will argue that wipers have become a low-cost way for state actors to conduct destructive attacks, which have significantly more impact on victims, as well as to impede investigation into primarily non-destructive attacks. It will evaluate the new trend among APTs and conclude with an assessment of costs for defenders, both political and financial.


Presenters:

  • Saher Naumaan - BAE Systems
    Saher Naumaan is a threat intelligence analyst at BAE Systems Applied Intelligence and a rising star in the industry. Her current research is on state-sponsored cyber espionage with a focus on threat groups and activity in the Middle East. Saher specialises in analysis covering the intersection of geopolitics and cybersecurity, and regularly speaks at events and conferences around the world. Earlier this year, she also organised RESET, Europe's first cybersecurity conference with an all-female speaker line-up. Prior to working at Applied Intelligence, Saher graduated from King's College London with a Master's degree in intelligence and security, where she received the Barrie Paskins Award for Best MA dissertation in War Studies. @saffronsec
