U.S. Cybersecurity Agency Warns of Wiper Malware Attacks

Tension is rising between the United States and Iran following the downing of a U.S. Global Hawk surveillance drone close to the Strait of Hormuz and the recent mine attacks.

Less visual are the attacks on IT systems. The Washington post recently reported that the United States had conducted a successful cyberattack on the Islamic Revolutionary Guard Corps, part of the Iranian military, which is believed to have been involved in the mine attacks.

Iranian-affiliated hacking groups have conducted cyberattacks on U.S. industries and government agencies and those attacks are increasing in frequency. So much so that the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, sent out a warning on Twitter about the increased risk of attack.

“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” said Krebs.

Threat actors affiliated with Iran have been using wiper malware in targeted attacks on businesses, government agencies, industries, and infrastructure. Whereas ransomware encrypts files with the aim of receiving a ransom payment, the purpose of wiper malware is to permanently destroy data and wipe systems clean.

Wiper malware has previously been used in major attacks, some targeted, others less so. In 2012, Saudi Aramco, a Saudi Arabian oil firm, was attacked with a wiper malware variant called Shamoon. The malware wiped tens of thousands of computers.

More recently were the NotPetya attacks. While initially thought to be ransomware, it was later discovered there was no mechanism for file recovery and the malware was a wiper. Some companies were hit hard. The shipping firm Maersk suffered losses of around $300 million due to NotPetya. Global losses are estimated to be between $4-8 billion.

Hackers working for the Iranian regime commonly gain access to computers and servers through the use of phishing, spear phishing, credential stuffing, and password spraying.

“What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network,” warned Krebs.

As with ransomware, recovery from a wiper malware attack is reliant on backups, except there is no safety net as a ransom cannot be paid to recover data. It is therefore essential that a working copy of all data is maintained, with one copy stored securely off-site on a non-networked, non-internet exposed device.

Even with a working copy of data, recovery can be time consuming and costly. It is therefore important to ensure that solutions are in place to block the main attack vectors.

A spam filtering solution with advanced anti-malware capabilities is therefore required to block email-based attacks. A web filtering solution can prevent users from visiting malicious websites or inadvertently downloading malware and employees should be provided with security awareness training to help them recognize potential threats.

Standard cybersecurity best practices should be adopted such as ensuring strong password policies are implemented and enforced, multi-factor authentication is implemented, all software is kept up to date and patched are applied promptly. IT departments should also ensure permissions are set to the rule of least privilege.