To quote Costin Raiu, director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, most of the malicious files we know about fall into the category of criminal software: programs injected into our devices and designed to steal our confidential and personal data, the computer's resources, and even money directly. The second, more common category is malicious programs designed specifically for cyberespionage, often used by fairly serious actors such as states, multinational corporations, and generous upper-class donors. The third, far less numerous group consists of programs whose only effect is destructive; these are sometimes called wipers.
As it turns out, the first malicious programs were purely destructive. In the late 1990s, the Internet was not yet the vast treasure trove of valuable data it is today. Moreover, organized cybercriminal groups had yet to see the potential of "mining" financial data, which was an easily accessible resource at the time. Thus, just like modern ransomware programs, the criminals of that era created programs that encrypted computer drives or damaged data in other ways. The activities of the first Trojans and their creators were closer to the category of "practical jokes". As far as I know, money was not a significant incentive for this type of activity.
Malicious wipers, in fact, never disappeared for good. Their mechanism of action has only been revitalized by new possibilities in these dark times of mutual cyber attacks, both between states and between states and corporations. Over the past three years, our friends at SecureList have investigated no fewer than five standalone wipers.
The first one, simply called Wiper, was so successful that it infected thousands of Iranian computers, after which the malware completely destroyed itself and every trace it had left behind. For this reason, no one has been able to examine samples of this malware. Compared to other destructive attacks, this threat looked crude, infecting random machines blindly. Nevertheless, Wiper has become an important element in the history of cyber attacks: whoever created it, and for whatever motive, may well have inspired the malware attacks that followed.
Another pest, Shamoon, is believed to have had its roots in the mysterious Wiper. This virus was traced inside one of the world's most valuable companies and certainly the largest daily oil producer, Saudi Aramco. Shamoon did a "quick job" at the Saudi Arabian Oil Company in August 2012, destroying the contents of more than 30,000 corporate workstations. Some believe the software was developed in Iran, despite the fact that a hacker group has admitted to the attacks. This time, however, the tracks were not covered as perfectly as in the case of Wiper. In analysing Shamoon, researchers concluded that the methods used were very primitive but devilishly effective.
Next up was Narilam, a cunning type of malware that aimed to infect the databases of certain financial applications found almost exclusively in Iran. Narilam clearly stood out from the previous threats: its actions were slow, designed with long-term sabotage in mind. Kaspersky Lab has identified many different versions of this virus, some dating back to 2008. Long-term exposure to pests like Narilam can be far more dangerous than it might seem.
Right behind Narilam came Groovemonitor (also known as Maya). Iran's computer emergency response team first discovered the virus in 2012 and gave it its name. It was a relatively simple threat, attacking the victim's devices with the force of a club rather than with surgical precision. Groovemonitor was active only within a fixed window of time: at a given moment, it destroyed all files on every drive from D to I.
The most recent wiper threat was Dark Seoul, which was used in coordinated attacks on banks and media companies in South Korea. This attack differed from the previous ones for at least two reasons. First, it did not target the Persian Gulf countries (Iran or Saudi Arabia). Second, given the open nature of the operation, its creators were probably more interested in gaining fame than in carrying out a covert operation.
"The ability of a wiper to reach tens of thousands of computers – and with a single click – makes cyberarms aware of its potential in the hands of a wiper," Raiu emphasized in the SecureList report.
Wipers pose a third-rate threat in our hierarchy, which means that neither you nor I should be particularly concerned about them. However, there is little that everyday internet users can do to protect their water or energy supplier from malware that attacks industrial control systems (the hardware and software that control power grids, entire production processes, and so on). These are the types of threats that should be scrupulously monitored and neutralized by specialized network-security companies, by the companies managing critical infrastructure and, most importantly of all, by governments.
The good news, at least for the people of the United States and the country's closest allies, is that the US Congress is about to vote on the cross-party, private-sector-backed National Cybersecurity and Critical Infrastructure Protection Act of 2013. This bill is primarily intended to promote the exchange of information on current threats between the government and the companies managing critical infrastructure. Similar legal arrangements are currently under consideration in many other countries around the world.