Since the beginning of 2022, six new wiper malware variants have been observed, marking an exponential increase on previous years.

Although not formally attributed to a specific nation state, the increasing threat of wiper malware falls as Russian troops continue to advance their invasion of Ukraine.

It has also been noted that the wiper variants observed align closely to the tactics, techniques, and procedures (TTPs) of Russian nation state threats.

Wiper malware is a destructive malware which intends to infect and erase a device of its contents. Although prevalent in the threat landscape as early as 2012, the use of such malware had not been widely observed until this year.

Previous wiper malware attacks have sought to destroy evidence, sabotage the development of new technology and allow threat actors to gain financially, by requesting a ransom from victims.

However, the recent attacks leveraging wipers such as CaddyWiper, HermeticWiper and WhisperGate align with Russian military tactics and therefore, it is highly likely that such wipers have been developed and deployed as part of Russian’s hybrid warfare strategy.

Wiper malware has numerous unique attributes including self-propagating capabilities, leveraging third-party tooling and purporting ransomware, by leveraging TTPs typical of ransomware operators.

Different wiper malware variants also rely on a multitude of wiping techniques including file encryption, overwriting the master boot record of a device (the function instructing the operating system to launch) and overwriting master file table (a catalogue of files existing within a system).

Through combining these capabilities and techniques, threat actors can employ advanced threats to fulfil their motivation and cause widespread disruption.

Although wiper activity had predominately targeted Ukraine, the deployment of AcidRain against organisations in Ukraine had exponential fallout, impacting critical infrastructure in Germany. Therefore, there is a realistic possibility that even those not directly targeted by wiper malware could find themselves affected.

Intelligence has heavily suggested that critical infrastructure and supply-chain organisations remain a target for Russian adversaries with CISA further highlighting an increased risk in a joint advisory published 20th April.

As such, pre-empting attacks, and bolstering defences, can help minimise impact if directly or indirectly affected by such sophisticated threats.

Cyber activity has continued to form a critical component of Russia’s invasion strategy and will likely gain momentumin preceding months. Intelligence specialists at firms including Google and Microsoft continue to report on observed activity however at time of writing, intelligence suggests no significant shift in attack vectors leveraged by Russian nation state threats.

Microsoft have highlighted recommendations to mitigate the risk of continuing Russian-aligned cyber operations including:

• Minimising credential theft and account abuse - implementation of multi-factor authentication, apply least privilege access
• Secure internet-facing systems and remote access solutions
• Leverage anti-malware, endpoint detection and identity protection solutions
• Review and implement best practices for defence in depth

Organisations are encouraged to review the full Microsoft recommendations and continue bolstering defences to pre-empt the continuing risk of nation state and destructive malware threats.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).