Fortinet: Use of wipers expanding beyond Ukraine to 24 countries

The use of wiper malware is increasingly expanding beyond the Ukraine conflict, according to research released today by cybersecurity giant Fortinet, with new variants popping up at an unprecedented rate. 

Wiper malware has been used heavily by hacking groups supporting Russia’s invasion of Ukraine. 

Recorded Future’s Insikt Group has tracked nine different wipers used in Ukraine, including  WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero. Microsoft researchers said in April that they had observed nearly 40 destructive cyberattacks targeting hundreds of systems in Ukraine.  

Fortinet security researcher Gergely Révay told The Record that wiper malware is increasingly reaching targets outside of Ukraine. While versions of wiper malware have previously been seen in Ukraine, Japan and Israel, it only recently became a truly global phenomenon. Révay said Fortinet detected wiper malware in 24 countries in the first half of the year.

“These wipers were not only related to the Ukraine war,” Révay said, although many were. “We saw significant spillover from attacks against Ukraine. In many cases the main target was probably a Ukrainian organization, but due to the interconnectedness of the world, these attacks can easily affect other countries.” 

In the report released Wednesday, Fortinet researchers called the evolution in wiper usage “disturbing.”

The group found at least seven major new wiper variants in the first six months of 2022 that were used in various campaigns against government, military, and private organizations.

That amount nearly equals the total number of variants that were publicly detected between 2012 and 2021.

“We are not aware that any of these recent wipers were used by cybercriminals or commercial hackers, but this is also expected,” Révay explained. 

“The ‘problem’ with wipers is that they are very difficult to monetize, since they are purely destructive and don’t provide any leverage to the attacker over their victims.”

Fortinet noted that the war in Ukraine has “fueled a substantial increase in disk wiping malware among threat actors primarily targeting critical infrastructure.”

The company said the incidents were part of a broader increase in attacks on operational technology networks, which in 2022 faced several in-the-wild exploits on a wide range of devices and platforms.

The company suggested organizations have backups stored off-site and offline as one way to defend against wiper malware attacks. 

In April, the Cybersecurity and Infrastructure Security Agency (CISA) added several strains of wiper malware to its advisory on tools used to attack Ukrainian organizations.

CISA and the FBI released the original advisory in late February and updated it on Thursday to add additional indicators of compromise for the WhisperGate malware and technical details for HermeticWiper, IsaacWiper, HermeticWizard and CaddyWiper destructive malware.

WhisperGate was used during attacks on dozens of Ukrainian government websites in January. It masquerades as ransomware but simply wipes infected devices instead of offering opportunities to pay a ransom. 

There was international outcry in May when the United States and European allies blamed Russia for an “unacceptable” wiper malware attack on satellite internet provider Viasat in February.

In that attack, the AcidRain wiper malware was used to infect the company’s KA-SAT satellite and disable the modems of tens of thousands of European customers. The incident also disconnected remote access to around 5,800 wind turbines in Germany that relied on Viasat routers for remote monitoring and control.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.