Iran May Deploy Wiper Malware in Response to U.S. Military Strike, Experts Warn

Wiper malware erases the contents of a machine's hard drive and makes it impossible for it to reboot

Illustration of a hand wiping a computer, in the colors of the Iranian flag
Illustration: Oivind Hovland/Getty Images

Amidst rising tensions after the United States killed Qassem Soleimani, the chief of Iran’s Quds Force, in a drone strike in Baghdad last week, security experts and U.S. government officials warn that Iran may retaliate with cyberattacks.

Iran-based attack groups have expanded their digital offensive capabilities significantly since 2012, when they launched crippling distributed denial-of-service attacks against financial services companies. Since then, the cybersecurity arm of Iran’s Islamic Revolutionary Guard Corps, and private sector contractors acting on behalf of the government, have added tools to their arsenals.

Those tools enable attackers to execute account takeovers and spear phishing campaigns to steal intellectual property and sensitive information, and include destructive malware designed to disrupt operations, according to the National Cyber Awareness System alert issued by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) earlier this month.

Iran has also “demonstrated a willingness” to use wiper malware, CISA said in its 6 January alert. Wipers are a category of malware that erases the contents of an infected machine’s hard drive and then destroys the computer’s master boot record so that the machine cannot boot again. Like any other type of malware, wipers rely on various methods for the initial infection, and once in, can steal information or execute unauthorized code. The difference is that wipers don’t care about being stealthy, because their primary purpose is to render the machine unusable.
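The two behaviours the paragraph describes, overwriting the disk where the boot record lives and destroying files in bulk, are also what a defender can look for in endpoint telemetry. The following script is an added example and not part of the article: it runs a simple wiper-behaviour heuristic over a few constructed telemetry lines. The pipe-delimited record format, the field names and the process names are assumptions, not any vendor's schema.

```python
"""Heuristic detection of wiper-like behaviour in endpoint telemetry (added example).

Flags (1) a process writing directly to a raw disk device, where the master
boot record and partition table live, and (2) a process performing a burst of
destructive file operations.  Record format (constructed, not a real schema):
    timestamp|pid|image|action|target
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Device paths whose raw write access is almost never legitimate for user software.
RAW_DEVICE_PREFIXES = ("\\\\.\\PhysicalDrive", "\\\\.\\Harddisk", "/dev/sd", "/dev/nvme")
MASS_DESTROY_THRESHOLD = 50          # destructive file ops per process per window
WINDOW = timedelta(seconds=10)


@dataclass(frozen=True)
class Event:
    ts: datetime
    pid: int
    image: str
    action: str        # e.g. "raw_write", "file_delete", "file_overwrite", "file_create"
    target: str


def parse_line(line: str) -> Event:
    """Parse one constructed telemetry record."""
    ts, pid, image, action, target = line.rstrip("\n").split("|", 4)
    return Event(datetime.fromisoformat(ts), int(pid), image, action, target)


def detect(events):
    """Return a list of (pid, image, finding, detail) tuples."""
    findings = []

    # Rule 1: raw write to a physical disk device.
    for e in events:
        if e.action == "raw_write" and e.target.startswith(RAW_DEVICE_PREFIXES):
            findings.append((e.pid, e.image, "raw disk write", e.target))

    # Rule 2: sliding-window count of destructive file operations per process.
    per_pid = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        if e.action in ("file_delete", "file_overwrite"):
            per_pid[e.pid].append(e)
    for pid, evs in per_pid.items():
        start = 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > WINDOW:      # shrink window from the left
                start += 1
            if end - start + 1 >= MASS_DESTROY_THRESHOLD:
                findings.append((pid, e.image, "mass destructive file ops",
                                 f"{end - start + 1} ops within {WINDOW.seconds}s"))
                break                                  # one finding per process is enough
    return findings


def build_sample_lines():
    """Constructed telemetry: a benign backup job and a process behaving like a wiper."""
    lines = [
        "2020-01-10T09:15:00|1001|backup.exe|file_create|D:\\backup\\2020-01-10.zip",
        "2020-01-10T09:15:01|1001|backup.exe|file_delete|D:\\backup\\2020-01-03.zip",
        "2020-01-10T09:15:02|4242|updater.exe|raw_write|\\\\.\\PhysicalDrive0",
    ]
    # 60 overwrites by pid 4242 spread over 6 seconds (well inside the 10 s window).
    for i in range(60):
        lines.append(f"2020-01-10T09:15:{3 + i // 10:02d}|4242|updater.exe|file_overwrite|"
                     f"C:\\Users\\alice\\Documents\\file{i}.docx")
    return lines


def run_sample():
    """Parse the constructed lines and return the findings."""
    return detect([parse_line(l) for l in build_sample_lines()])


if __name__ == "__main__":
    for pid, image, finding, detail in run_sample():
        print(f"pid={pid} image={image}: {finding} ({detail})")
```

Both rules are deliberately coarse. A real deployment would tune the threshold per host role (backup servers and build agents delete files in bulk legitimately) and treat the raw-disk rule as high confidence on its own, since ordinary user software has no reason to open a physical drive for writing.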

“Don’t expect DDoS this time, [Iran] won’t view it as a proportionate response,” says Hank Thomas, the CEO of cybersecurity venture capital firm Strategic Cyber Ventures. “The Iranians will want to respond with something violent in the physical domain, and destructive in the cyber domain.”

The destructive data-wiping malware used in the 2012 Shamoon attack to destroy tens of thousands of computers belonging to Saudi oil giant Aramco is believed to be of Iranian origin. In 2015, James R. Clapper, then-U.S. Director of National Intelligence, told a Congressional committee [PDF] that the information-stealing malware which infected and erased the hard drives of Sands Las Vegas Corporation computers in 2014 was linked to Iran.

Just last week, the Saudi National Cybersecurity Authority (NCSC) identified an attack using the Dustman wiper malware against an unnamed entity in the Middle East. While Saudi authorities themselves did not name Iran as the culprit, analysts familiar with the attack told CyberScoop that Dustman was technically similar to past Iranian activities. Sources told ZDNet the victim was Bapco, Bahrain’s national oil company. 

Saudi authorities stated with “moderate confidence” that the attackers broke into the victim’s networks by “exploiting one of the remote execution vulnerabilities in a VPN appliance that was disclosed in July 2019.” A 9 January U.S. Federal Bureau of Investigation (FBI) advisory, first reported by CyberScoop, noted that Iranian groups frequently target vulnerabilities in virtual private network (VPN) applications.

CISA has also issued several advisories about multiple vulnerabilities in VPN servers from Fortinet, Palo Alto Networks, and Pulse Secure over the past year. The most recent advisory focused on Pulse Secure VPN servers, where attackers were successfully exploiting vulnerabilities despite a patch having been available since April 2019. “Unpatched Pulse Secure VPN servers continue to be an attractive target for malicious actors,” CISA said in that alert on 10 January.

Even as CISA warned about heightened risks of cyberattacks from Iran and its proxies, the agency said in its public advisory [PDF] that organizations should assess how attractive they are to Iranian attack groups. Organizations may be targeted because their business model intersects with Iranian interests, or to gain access to, or information about, their customers and competitors, says Rick Holland, chief information security officer and vice president of strategy at digital risk protection company Digital Shadows. Businesses should look beyond their own threat models to see how Iranian interests might intersect with their supply chains.

Wiper malware has not yet been widely deployed, but extortion threat models and wiper tabletop exercises can help organizations plan how they would respond to wiper attacks, Holland says. Elements of ransomware recovery planning can be used for wiper malware planning—particularly the parts that have to do with disaster recovery and maintaining business continuity. More importantly, Holland says, work done now on responding to wiper malware could also prove useful against a multitude of other threats—not just Iran-based attackers.
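The disaster-recovery part of that planning comes down to one question: if the primary machines are wiped, can the backups actually be restored? The script below is an added example, not from the article or from Digital Shadows; it writes a SHA-256 manifest for an offline backup set and later checks that every file is still present, unmodified and younger than a chosen recovery point objective. The directory layout, manifest file name and sample files are constructed assumptions.

```python
"""Restore-readiness check for an offline backup set (added example).

write_manifest() records a SHA-256 digest per file at backup time; verify_backup()
replays it later and reports missing, corrupted or stale data so the gap is found
in an exercise rather than during an incident.  Layout and names are assumptions.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"     # assumed manifest file name


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Hash every file under backup_dir and store the result beside the data."""
    entries = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST:
            entries[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    manifest = {"created": time.time(), "files": entries}
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(backup_dir: Path, rpo_seconds: float, now: float = None) -> dict:
    """Compare the backup set against its manifest; 'restorable' is the overall verdict."""
    now = time.time() if now is None else now
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    report = {"ok": [], "missing": [], "corrupted": [],
              "stale": (now - manifest["created"]) > rpo_seconds}
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.exists():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    report["restorable"] = not (report["missing"] or report["corrupted"] or report["stale"])
    return report


def demo() -> dict:
    """Constructed scenario: one file altered after the manifest was written, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        samples = {
            "db/users.sql": b"CREATE TABLE users (id INT PRIMARY KEY);\n",
            "cfg/app.yaml": b"mode: prod\n",
            "notes.txt": b"runbook pointers\n",
        }
        for rel, data in samples.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        write_manifest(root)
        (root / "cfg/app.yaml").write_bytes(b"mode: changed\n")   # simulated silent corruption
        (root / "notes.txt").unlink()                             # simulated lost file
        return verify_backup(root, rpo_seconds=24 * 3600)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest must live somewhere a wiper cannot reach (write-once media or a separate credential domain); a manifest stored on the same host as the data it describes only tells you that both were destroyed together.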

“Threat du jour thinking isn’t an adequate defense model,” Holland says. “If a nation-state is going to target you, detection and response will be your fall back.”
