Destructive malware: an ever-evolving threat

Threat Intel’s ‘History of…’ series will look at the origins and evolution of notable developments in cybersecurity.

There have been a number of high-profile attacks involving destructive malware in recent times

Destructive malware has been around since the 1980s, but has come to increased prominence again in recent times with the emergence of new strains of malware and high-profile attacks.

In the beginning: Floppy disks and bragging rights

Destructive malware is commonly designed to destroy or delete files on the computers or hardware it infects, though some types of destructive malware have different aims.

Originally, destructive malware primarily presented as boot sector or Master Boot Record (MBR) viruses, which were primarily spread through floppy disks. The CIH virus from 1998 is a famous example of this threat type and is believed to have infected more than 50 million computers. CIH’s payload was highly destructive to the systems that fell victim to it, with it overwriting critical information, and in some cases destroying the system BIOS.

These types of infections disappeared from the scene for a number of reasons: the disappearance of floppy disks; improvements in BIOS architecture that prevented any modification to the first sector of a computer’s hard drive, and the changing motives of cyberattackers.

Decades ago, the primary motivations of the authors of malicious malware was often to simply showcase their skills and gain some notoriety — they were hobbyists, not professionals. When cybercrime, and cybercriminals, became more professional and more focused on making money, these types of attacks fell out of favor, as you cannot easily monetize a computer that has been destroyed.

However destructive attacks have resurfaced in the past 5 years, driven by more political motives.

Modern attacks

Most incidents of destructive malware in more recent years have little to do with gaining notoriety and are not the work of hobbyists, but the product of highly-skilled cyberattackers, and designed to send a clear message.


The Stuxnet attack involved the exploitation of four zero-day vulnerabilities

Probably the most famous example of destructive malware of recent times, Stuxnet is a computer worm that targets industrial control systems, and was used to launch a cyberattack designed to sabotage the centrifuges of an Iranian nuclear plant.

The incredibly complex attack, which was discovered in 2010, involved the exploitation of four zero-day vulnerabilities, which was unheard of in previous threats. It was the first threat known to target Programmable Logic Controllers (PLCs), devices used to control systems in an industrial environment. It also included a Windows rootkit, sophisticated antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command-and-control (C&C) interface.

Stuxnet was primarily spread through infected USB drives, as well as through infected project files — the files used to program certain industrial computers.

What made Stuxnet really stand out was that it was designed to leap from the digital world to the physical world. The ultimate goal of Stuxnet was to manipulate the physical equipment attached to specific industrial control systems so the equipment acted in a way that was programmed by the attacker. In the case of the Iranian nuclear plant, it was designed to cause the centrifuges of the plant to fail.

No one has ever claimed responsibility for creating the Stuxnet worm, however, many experts believe that a virus of its complexity could only have been created with the backing of a nation state.

Symantec researchers carried out extensive investigations into Stuxnet, with two of the Symantec researchers who were involved having recently featured in a documentary on it titled Zero Days.


Shamoon targeted one of the largest oil producers in the world in Saudi Arabia

Shamoon is a highly destructive disk-wiping malware that first appeared in August 2012 when it was used in a cyberattack that hit an estimated 30,000 computers at one of the largest oil producers in the world in Saudi Arabia.

The computers had their MBRs wiped and replaced with an image of a burning US flag, rendering them unusable.

Shortly after this attack became public, a Qatari oil company was attacked in a similar fashion.

Shamoon consists of three components: a dropper, a wiper, and a reporter module.

The dropper creates all the required files on the system so it can start itself with Windows, and also attempts to copy itself to accessible network shares and execute itself remotely if successful. The wiper acts as a ‘time bomb’ that is only activated when a hardcoded configuration date has passed. It then starts overwriting files and finishes the computer off by wiping the MBR in the same way. The reporter sends back the domain name, IP address, and number of files overwritten to the C&C server.

Having carried out these two attacks, Shamoon disappeared until January this year, when it was used in a fresh wave of attacks against targets in Saudi Arabia. The malware was largely the same as that used in 2012, except this time the infected computers displayed a picture of Alan Kurdi, a three-year-old Syrian refugee who drowned in the Mediterranean in 2015.

Attacks on Ukraine’s power grid

An attack in December 2016 saw parts of Kiev, the capital of Ukraine, lose power

In December 2015, hackers used destructive malware to carry out a cyberattack against three energy distribution companies in Ukraine.

The attack led to substations being shut down and hundreds and thousands of customers in the affected regions being left without electricity.

The cyberattack was also accompanied by a barrage of phone calls being made to the electricity company’s technical support centers in what was essentially a denial of service (DoS) attack.

This attack is believed to have been the first successful cyberattack affecting a country’s power grid.

Spear-phishing emails are believed to have been deployed in this attack in order to allow the attackers to gain remote access to computers within the power stations. It is believed the destructive malware used in the attack was Disakil, which is a multi-stage threat that renders infected systems unusable by using a number of relatively simple but effective techniques such as overwriting the MBR and overwriting certain file types with junk data. It also attempts to cover its tracks by clearing Windows log files and destroying the malware structure before restarting the system.

Symantec research subsequently found that Disakil was also used against media company targets in Ukraine sometime before the energy grid attack.

The use of a Trojan known as Black Energy in both these attacks means they have been linked to Sandworm, the Russian threat group behind the Black Energy Trojan.

Another extremely similar attack on a power distribution station that affected parts of the capital Kiev in December 2016 was also caused by a cyberattack, according to reports, with some security researchers linking it to the 2015 attack.

Lazarus group

The Lazarus group has targeted South Korea and the US in destructive attacks

Lazarus has been linked to destructive cyberattacks against South Korean and US targets since 2009.

Symantec uncovered evidence that indicated the group carried out attacks over four years from 2009 to 2013. The first major attack in July 2009 began on US Independence Day and targeted various websites in South Korea and the US with distributed denial of service (DDoS) attacks. Another attack in March 2011 targeted US and South Korean websites in a similar way. However, as well as being a DDoS attack, this attack also overwrote files and destroyed the MBR.

In March 2013, a major cyberattack impacted several South Korean banks and local broadcasting organizations. The attack included the defacement of a Korean ISP/telecoms provider and the crippling of a number of organizations’ servers. A number of the sites affected had their hard drives wiped.

An information-stealing attack against South Korean financial companies in May that year is also believed to have been the work of Lazarus.

Meanwhile, on June 25, 2013, the anniversary of the start of the Korean War, a DDoS attack that took place against a government website was also linked to Lazarus.

Aggressive attacks linked to Lazarus continued in 2014 and the group was linked to Backdoor.Destover, a highly destructive Trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment. The Sony attack brought down corporate email for a week and also crippled a number of other systems at the company. It also received a lot of attention as it was the first reported attack of this type to take place on US soil.

The FBI concluded that the North Korean government was responsible for that attack.

More recently, attacks on various banks have displayed links to the Lazarus group.

Rare, but deadly

Attacks involving destructive malware are relatively rare, and generally highly targeted, but they can be devastating for an organization when they do take place.

Organizations should always ensure they have good security products in place, and that their employees are aware of the dangers of opening unsolicited emails and using external drives on network-linked computers.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.

Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.