The past six years have seen threat actors make increasing use of destructive TTPs as a means of achieving their strategic and political objectives. Admittedly, the incidence has been relatively limited owing to the risk of reprisals, but it is important that we understand the motivation behind such attacks as well as their modi operandi.
Deploying malware to delete critical system files, erase volumes of data and damage the systems themselves is typically a tactic used to make a point in furtherance of political ideologies – either in reprisal for an actual or perceived hostile action, or as an act of pure posturing.
The same motive can sometimes be attributed to the use of physically destructive malware, but sabotage is just as commonplace a motive, with anything from financial powerhouses to CNI (critical national infrastructure) being taken over or taken down. Traditionally, state-sponsored attackers have intended to inflict damage on a specific target. However, EternalPetya and WannaCry demonstrated how such groups can deploy ransomware to conduct destructive attacks against a broader audience across borders.
Threat actors are increasingly leveraging data destruction as an anti-forensic technique in their campaigns, both to cover their tracks during operations and to hinder forensic investigation into the source and extent of attacks. For example, FireEye has investigated ransomware campaigns that were not correctly configured to decrypt victim data, even after the victim paid the ransom. Some ransomware campaigns also either lack the ability to collect payments, or use payment systems inappropriate to the scale of the campaign. Rather than being financially motivated (or merely unprofessionally executed), these attacks are deployed purely to render the target’s data unusable.
Example: North Korean threat actor APT38 – profiled in this issue of The Vision – does not hesitate to eliminate evidence or victim networks during operations. The group leverages DYEPACK malware, which has the ability to delete itself and can be configured to self-destruct at a specific time. APT38 has also employed the CLEANTOAD and CLOSESHAVE tools, which are configured to clean up after other malware leveraged during an incident. It also uses measures such as multiple layers of code packing and encryption of files on the system and in the registry to evade anti-virus and thwart forensic investigations.