A wiper attack paralyzed the Iranian train system (sentinelone.com)
121 points by airhangerf15 on Aug 1, 2021 | 66 comments


I feel dumb not knowing what a "Wiper" is, especially with that headline and the odd writing style of the article (the term "epic troll" gets thrown around a lot and is not what I'd expect to come from a security research org). It turns out to be what it sounds like:

> A wiper is a class of malware whose intention is to wipe the hard drive of the computer it infects.

https://en.wikipedia.org/wiki/Wiper_(malware)


I've never heard the term before either. At first I was wondering how a viper snake had performed an epic troll on the Iranian train system... and then I re-read and pictured a windshield-wiper. I couldn't figure out the real meaning before clicking the link.


Yeah, I've been following malware for a while and this is the first time I've heard of a Wiper. I guess it's like ransomware without the ransom.


I am on your side when it comes to infosec naming things. For a short history, there have been some big attacks by Wiper-type malware in the past, most notably TV5, South Korea (Winter Olympics 2018), SONY, ARAMCO 2017; there are also some samples currently targeting the Tokyo Olympics.


In 2011 the Iranian oil industry was hit with the Flame malware (they didn't know this at the time), which bulk erased drives of servers and workstations. Due to poor translations it was reported in western media as "Wiper" or "Viper," after the "drive wiping" functionality.

A year later when Saudi Aramco had the drives of tens of thousands of machines wiped (likely by Iran), the press assumed it was related or the work of the same group and also called it "Wiper."

Now it is a generic term for any malware that erases drives, often in a coordinated attack.


LOL probably NSO supplying both sides.


Spoilers, and a tangent I find interesting...

Viper/Wiper was the punchline for an animated TV miniseries/sequence of GI Joe.

(For non-USians: GI Joe was a US weekday after-school TV militainment and merchandizing franchise targeted at children. Which, from the perspective of an adult who grew up watching that as a kid, feels fascinating.)


I feel dumber because I legit thought the trains' physical wipers (you know for rain etc) were somehow compromised?


No need to be so hard on yourself! It’s practically a safe bet that Smart Wipers will be a real attack vector any day now, if they aren’t already


I assumed it was a Stuxnet-style attack where they made the wipers go at the wrong speed until they tore themselves apart.


If you could hack the physical wipers to make them troll the head of the government, that would be pretty epic. If nothing else, I'd like to see both the attack chain and the method to use the wipers to troll someone.


In this malware, they go to great lengths to wipe and encrypt all kinds of different types of data (the MBR, the boot.ini, the event log, the scheduled tasks, the attacker's batch file, the user's documents), when the simple approach would just be to send a low-level command to the disk to write zeros across the whole thing.

Why not take that simple approach?
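An added example for the comment above (not code from the SentinelOne write-up, from the thread, or from the malware): the behaviours it lists are exactly what a detection rule keys on, because clearing event logs, deleting scheduled tasks and tampering with boot configuration are each occasionally legitimate admin work but rarely happen together on one host within seconds. The script scores process-creation log lines per host inside a sliding time window. The log format (one event per line with host=, user= and cmdline= fields), the hostnames and users, and the sample lines are all constructed; bcdedit is used as the modern stand-in for editing boot.ini, and the rule matches both.

```python
"""Score process-creation logs for the wiper precursors named above.

Added example; not code from the SentinelOne write-up or from the malware.
The log format and the sample lines are constructed to resemble Sysmon/EDR
process-creation events and are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule is (name, weight, regex over the lower-cased command line).
# Behaviours come from the comment: clearing the event log, deleting
# scheduled tasks, tampering with boot configuration (boot.ini on old
# Windows, bcdedit on modern Windows as a stand-in) and chaining batch files.
RULES = [
    ("clear_event_log", 3, re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("delete_sched_task", 2, re.compile(r"\bschtasks(\.exe)?\b.*\s/delete\b")),
    ("boot_config_tamper", 3, re.compile(r"\bbcdedit(\.exe)?\b|\bboot\.ini\b")),
    ("batch_chain", 1, re.compile(r"\bcmd(\.exe)?\s+/c\s+\S+\.bat\b")),
]

# Assumed export layout: "<ISO timestamp> host=<h> user=<u> cmdline="<cmd>""
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmdline="(?P<cmd>.*)"$'
)
WINDOW = timedelta(minutes=10)  # correlate hits on one host within this span
THRESHOLD = 5                   # one cleared log (weight 3) alone does not alert

# Constructed sample: WS-01 runs the whole sequence in seconds; WS-02 shows
# routine admin activity hours apart; WS-03 is benign.
SAMPLE_LOG = [
    r'2021-07-10T10:15:01Z host=WS-01 user=CORP\ops cmdline="cmd.exe /c C:\Users\Public\update.bat"',
    r'2021-07-10T10:15:03Z host=WS-01 user=CORP\ops cmdline="schtasks.exe /delete /tn Backup /f"',
    r'2021-07-10T10:15:05Z host=WS-01 user=CORP\ops cmdline="wevtutil.exe cl System"',
    r'2021-07-10T10:15:06Z host=WS-01 user=CORP\ops cmdline="wevtutil.exe cl Security"',
    r'2021-07-10T10:15:09Z host=WS-01 user=CORP\ops cmdline="bcdedit.exe /set {default} recoveryenabled no"',
    r'2021-07-10T11:00:00Z host=WS-02 user=CORP\admin cmdline="wevtutil.exe cl Application"',
    r'2021-07-10T14:30:00Z host=WS-02 user=CORP\admin cmdline="schtasks.exe /delete /tn OldJob /f"',
    r'2021-07-10T09:00:00Z host=WS-03 user=CORP\alice cmdline="notepad.exe C:\notes.txt"',
]


def parse_line(line):
    """Return the event fields, or None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "user": m["user"],
        "cmd": m["cmd"],
    }


def match_rules(cmd):
    """Return [(rule_name, weight)] for every rule the command line trips."""
    low = cmd.lower()
    return [(name, weight) for name, weight, rx in RULES if rx.search(low)]


def score_events(lines, window=WINDOW, threshold=THRESHOLD):
    """Group rule hits per host and alert when the hits inside one window
    reach the threshold. Returns at most one alert per host (its best window)."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for name, weight in match_rules(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], name, weight, ev["cmd"]))

    alerts = []
    for host, events in hits.items():
        events.sort(key=lambda e: e[0])
        best = None
        for i, (start, _name, _weight, _cmd) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            score = sum(e[2] for e in in_window)
            if score >= threshold and (best is None or score > best["score"]):
                best = {
                    "host": host,
                    "score": score,
                    "first_seen": start.isoformat(),
                    "rules": sorted({e[1] for e in in_window}),
                    "commands": [e[3] for e in in_window],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in score_events(SAMPLE_LOG):
        print(alert["host"], alert["score"], alert["rules"])
```

Run it as a script to see the one host that trips the threshold, or import score_events and feed it a real process-creation export after adjusting LINE_RE to that export's field layout. The weights and the window are starting points to tune against your own admin baseline, not finished thresholds.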


We can't get chips in anything resembling reasonable quantity.

Computer security is a joke. The hardware and software is too complex to analyze, too complex to reason about, too complex to secure even if you could. All you can do now is wait for either attackers or researchers to find a hole, patch it, and hope the patch works (see "Windows Print Spooler" for how that sometimes doesn't work).

And the concept of "Hey, maybe we can do things without x86 processors running Windows" is never discussed. Do train networks actually need full on Windows workstations, or can they work on things like microcontrollers? The conversation isn't even being had.

But we've got problems from complexity created to solve the problems from the previous wave of complexity, running on top of complex hardware that's trying desperately to be fast enough to run the ever-more-complex software that... largely does about the same things we did 20 years ago, just far less efficiently.

I don't see a good path forward here. :/


IoT devices effectively run on microcontrollers and their security is usually even worse than PC class hardware/software. :P


Not really. They run small embedded processors, but most IoT hardware is running a full Linux, for the sake of pushing a bit of data to some cloud server, and receiving responses.

Just because you can do it in Python running with a full Linux stack behind things doesn't mean you should.

A lot of that sort of stuff can be done with a far smaller microcontroller, preferably Harvard architecture, with a memory safe language - I'm not exceedingly familiar with it, but Rust shows a lot of promise for this type of work. Very, very limited functionality, and the minimum amount of hardware/software to make it work. Aggressive code reviews, fuzzing, etc, before deployment.

It's literally the opposite of how most "things" are deployed, but it reduces the attack surface rather significantly. It does make updates harder, depending on how one implements it, but if it's properly done in the first place, this isn't a big problem. I absolutely despise the "Ship first, correct it later!" approach to software that has taken over literally everything these days.

Yes. Great. Tesla was able to OTA update the brake controller for the Consumer Reports Model 3 and fix the braking - and nobody gets around to asking how on earth they shipped a near-production car to a review agency with broken brake control firmware in the first place. That's the sort of thing that should be tested, correct, and immutable after shipping. I'm not comfortable with trusting Silicon Valley companies to properly OTA update the brake firmware on my car, I'd rather it ship with working brakes that remain unchanged for the life of the vehicle.

I'm aware this is totally at odds with the modern software ecosystems, and that's entirely deliberate. I do not like what modern software has become.


To be fair, there's some nuance to be had here. OTA updates for cell phone firmware probably make a fair amount of sense. A mobile game shipping quickly and fixing things up later is likely financially favorable and it's not as though I can't find something else to do with my time if the devs inadvertently break it.

OTA updates for brake control firmware, however, is an absolutely terrifying reality that should probably be made outright illegal in the first place. It creates a centralized attack vector of alarming scope that would never have existed otherwise.

I get it, there's a CAN bus and diagnostics and now it's all hooked up to the mobile network for data collection and analysis purposes. That doesn't justify any of the essential systems attached to the bus being able to receive data though. Outside of direct physical access (ie plugging in a cable), safety critical systems should be broadcast only unless an incredibly compelling reason exists to do otherwise.


That, and you didn't just go to a system that's hard to attack, but also one that's hard to develop for.

Can you write software for that microcontroller in C? Sure, although you'd probably prefer Rust.

Now if you managed to find someone with a low salary who'd put up with writing screen software for a train, try telling them there's not just no Java, but no heap, and that they'd have to connect to the GPS chip via serial instead of having OS-managed location. And then they'd have to integrate the streaming MP4 video for the advertisements on their own, without a filesystem or FFmpeg.

Haha, not gonna fly. No product manager in their right mind would greenlight that effort for "security reasons" if it suddenly takes 100x the amount of effort then.

We're using operating systems for the features they provide and the ease of development (as well as debugging) they enable; that's the answer.


You make good points. A reasonable path forward would be developing single purpose devices, with software written in safe languages like Rust and Swift (and OCaml, Haskell, etc. ?)

Simpler processors, simpler designs, secure small operating systems.

Before the 9/11 wrong turn our government made, the NSA did a lot of public good work hardening Linux, worked with the FBI to go after international digital crime syndicates, etc. We lost our way, and we need to find it again.

To do all this we need to start with the educational system, making secure computing a big thing in the job market, so upstream, professors do the right research, and train students.


Hey, if things ran efficiently and unnecessary complexity was taboo, then software developers, who manufacture a good that does not physically wear out with time, would be earning a lot less money. But as things are today you've got to pay a web developer, say, $100k a year to implement the latest kalefedhipster.js framework that doesn't actually provide significant additional functionality beyond what we had in 2015, if not 2005.

I firmly believe that overgrown complexity is going to be one of the things that brings down the tech sphere if not civilization as a whole.

It seems things are breaking far more frequently already.

Even things like retail transactions are falling apart. Whereas 10-15 years ago you could go into Walmart, grab something and check out within 5 minutes, now you can't. Of the twenty lanes only 4-5 are open at any time. If you buy a refillable phone card the cashier does not know how to recharge it.

If you try self checkout all 10 systems are rebooting after an upgrade.

You insert your poorly engineered SIM-inspired "chip card." It fails three times, every time, then you swipe. Meanwhile if you go on vacation 150 miles away and use your card, your card automatically locks because of a "suspicious transaction." Since it is Sunday your bank is not open, but you can call tech support in India who, after having you wait on hold for an hour, transfers you to a different agent to whom you have to repeat the whole story.

Etc, etc, etc. It seems like simple things are getting more complicated every year, because new is good or new is safer or new is easier to track you with.


> to implement the latest kalefedhipster.js framework that doesn't actually provide significant additional functionality beyond what we had in 2015 if not 2005.

Amen. How I miss old plain HTML websites.


I mean, if we only had plain old HTML for websites, all these people writing web applications would just be writing desktop applications. The complexity of the problems being solved wouldn't change, and it would basically be the same hell of large projects being done by large teams with little in the way of planning.

The main difference would be that nothing would run on OS X or Linux, because it would be too costly to support. Microsoft would have 99.9% of the OS market, and it would cost $300 a month to have a license. (Remember when you couldn't do online banking on Linux because they all used ActiveX? I remember.)

Basically, the field of software engineering wouldn't be any different. There would be different winners and we probably wouldn't have phones. But you'd still be using slow, confusing, crappy UIs, because that is the human condition. The programming language / platform wouldn't change any of that.


> all these people writing web applications would just be writing desktop applications

Good.

> The complexity of the problems being solved wouldn't change, and it would basically be the same hell of large projects being done by large teams with little in the way of planning.

That's a non sequitur... The complexity largely hasn't changed, it's been hidden by layers upon layers of libraries that aren't fully understood by the people building with them, even within the same company who built the library, and increasing levels of bloat. If it weren't for the never-ending pace of "marketing says we need a new UI" bugs might actually get fixed once in a while.

Imagine if people went from "we need shared libraries for disk and memory efficiency" to "we need completely separate environments for every module of our program" in 20 years. Oh wait, that happened.


There are plenty of non-web desktop apps that also never release any features, and whose engineers use the time saved from not dealing with "npm has found 600 security vulnerabilities that you can't update" to migrate their build system from Makefiles to Bazel or whatever. It's all the same -- the human race as a whole doesn't know how to deliver features with high velocity beyond a certain scale.

The proprietary desktop apps I use basically get updated every few months with what seems like about a day's worth of work for one engineer. (I use Fusion 360, which might actually be a web app in desktop clothing, Datagrip, and Simplify3D. Fusion 360 adds features and fixes bugs occasionally, but mostly each update tightens the screws on what features are available on your current payment plan. Simplify3D seems totally dead, I'd be surprised if they have any employees. Datagrip has a few updates a year, and they are things like "we fixed a bug when talking to some database you've never heard of via two tin cans connected with a piece of string". If you don't like a piece of software as it is right now, definitely never buy it. I do like all of those things, but they have definitely not discovered some sort of toolchain-based productivity miracle.)


I recommend the movie "The Operative"; it's a good movie about the Mossad specifically infiltrating an Iranian electronics company's networks, selling them compromised chips, and enforcing the chip sanctions against Iran.

It does not have a "political message"; it's just a good spy movie.


It's all economics

Insurance is cheaper than security

Reuse is cheaper than research and development


> the concept of "Hey, maybe we can do things without x86 processors running Windows" is never discussed

M1 running Mac OS X.


Has a similar attack surface to Windows on x86 with less attention on it.


Doesn't this same complexity prevent an all-consuming virus?


I would have thought that a diversity of systems/OSes would prevent an all-consuming virus (much like in the biological world)


As soon as a system becomes a target, it doesn't matter if it's an entirely bespoke system that only runs on Iranian trains. You might avoid being accidentally targeted by automated exploits, but that doesn't mean your system is secure or secure enough to avoid something like this.


That depends heavily on your threat model and who is out to bother you.

I agree that you can't make something custom totally secure - but you can radically reduce the number of people capable of attacking it, and increase the costs of attacking it.

If you're running Windows with Active Directory, the number of people who can attack your network at some level is "Pretty much anyone who cares to learn a bit about hacking." They may not be successful, but if they happen to get lucky around the time some new 0day drops, welp. Timmy Two Thumbs just pwned you.

The more custom your environment in terms of hardware and software, the higher the development costs, certainly, but also the fewer people who can attack you. If you've got a custom limited function OS, no generic hacking tools are going to work on it, so now your attacker scope is things like "Governments who can get a copy of it and are willing to invest the money to reverse engineer it and find vulnerabilities." Which, if you're worried about governments, is certainly a risk - but at that point, the chances of some random ransomware gang taking you down are near-zero, because they don't care about you - they care about easy targets who are likely to pay. Custom reverse engineering isn't really their thing.

There's no such thing as a system secure against everyone - but you can make it a lot harder to randomly target. And, if you're talking about a train system, there comes some point when it's easier to just go blow up the locomotives than to wage a cyber attack. Easier to trace, certainly, and riskier, but that's the point. If you can force an attacker to either expend disproportionate resources, or require them to go down riskier attack paths, you may be able to deter the attack.

You can also ask some reasonable questions about the concept of field upgradeable firmware on critical safety systems. There was some set of malware a while back that targeted some sort of industrial control system, and seemed designed to bypass the safety release valves through a remote firmware update. If you have a safety valve set to pop at 300 psig, why does that need remote firmware updates? It should be set to monitor the pressure sensor, pop the valve and report at 300 psig. Allowing someone on the network to remotely update the firmware on the safety system seems entirely silly, because presumably if you actually needed to do that, you'd have been doing some piping upgrades that would make it easy enough to go get the unit, physically touch it to twiddle the write lock, and upgrade it.


It doesn't seem to be.

Simpler, more straightforward systems to reason about (both hardware and software) are easier to secure.


I'm not sure what 'all consuming' would mean exactly. But excess complexity might also indicate fragility, in which case breaking an entire system/subsystem might come fairly easily


Makes it take more effort; but, no, definitely doesn't prevent it.


It really feels like we're starting to enter an era of internet privateers.

"Sure you can shake down anywhere, as long as they're not on friendly terms with your own sovereign territory."


That's an apt analogy. It makes one wonder how many of these ransomware organizations are connected to their respective local governments, ready to be put to work should an open conflict arise.

It also makes one laugh at what we have been calling internet "piracy" to date. Individuals copying, cracking, and distributing software bears almost no resemblance to organized "crews" deploying professionally written malware ("ships") for monetary gain in ways that can harm hundreds or thousands of innocent bystanders in the process.


It makes me wonder if official writs of marque will make a comeback in the future cyberpunk dystopia we all are building?



That is, to a certain extent, how the Russian hacking ecosystem works. From a wide pool of domestic criminals targeting domestic targets, some of them attack countries Russia is having problems with, in the knowledge that they won't be prosecuted for that.


I'd say this is a throwback to the 90s when cybercrime was more about satisfying personal curiosities and convictions (however misguided they might have been) rather than demanding ransom from hospitals and school districts.


I've never heard the term "wiper", and thought at first that some hackers had made all the train windshield wipers go haywire, stopping rail transport as a result.


If that were the case, I agree, that would actually be a pretty epic troll.

This is just cyberterrorism.


Did I miss something? Was this terror? Were people injured or killed and hence fearful?

Politically motivated sabotage seems like a more accurate description with the footnote that computers were used (cyber!). But I guess people have been using "terrorist" to mean anything the government doesn't like. So it's fair to keep using it for a foreign government that also may not be liked itself. I'm sure some consider opposition to the Iranian regime just and noble, which I guess I do on some level suitably restrained. Much as I do for opposition to my own government. Would Gandhi be a terrorist under the modern definition for his campaigns of civil disobedience sabotaging the system?


Israel believes Iran struck ship in response to cyberattack on train system

https://www.timesofisrael.com/tv-israel-believes-iran-struck...

Two ship crewmen, a British and Romanian national, died in Thursday night’s attack off the coast of Oman on the oil tanker Mercer Street, a ship operated by Zodiac Maritime, a London-based company belonging to Israeli tycoon Eyal Ofer.

Israeli and American officials have said it was apparently carried out by suicide drones that hit the ship.

The report further said Iran was also hoping to raise insurance costs for ships with ties to Israel.


"The report further said Iran was also hoping to raise insurance costs for ships with ties to Israel."

That is scary smart in our current world... we will definitely see these kinds of attacks more often, I think. Imagine what a modern super-corporation with funds like Apple could do.


As with the cyberattacks on US pipelines earlier this year, this is not an epic troll, but rather terrorism.


Please stop diluting the definition of terrorism. It is only terrorism if someone is creating fear to push a political agenda. Most of these are simply ransom companies with no agenda other than making themselves money.


This attack could be considered terrorism, but not the pipeline attack. Terrorism is the act or threat of violence to further political goals. There was nothing political about the pipeline attacks, it was just a ransomware company looking for a payout.


> it was just a ransomware company looking for a payout

With suspicious state links. Agree it isn't terrorism, though it's potentially closer to a low-grade act of war.


I agree, not sure why you're downvoted. Ironically enough, the most famous sponsored attack on infra with the actual goal of damaging infrastructure was Stuxnet, a joint Israeli/American op.


It was remarkable how quickly U.S. media accepted the "it wasn't terrorism" line after years of going on about how the Russians are the most comically evil superterrorist masterminds who are destroying the fabric of blah blah.


I mean, it can both be true that it wasn't terrorism, and that the mainstream media was wrong by blaming everything on russian superterrorist masterminds. We both know that media narratives don't have to be fully cromulent.


I personally don't care whether it was or wasn't terrorism. Either way, you and I are never going to know (barring a Russian whistleblower). I was just commenting on the bizarre and coordinated behavior of the U.S. media.


See also the Notre Dame fire in 2019. Immediately the media "decided" that it was a simple accident rather than arson or even something else like a small meteorite that could have been easily lost in the wreckage.


How about we call an infrastructure attack an infrastructure attack, not something that has a completely different meaning like terrorism

Hackers are not terrorists!


I feel obligated to remark that “Hack ‘Em All” could be as much a Metallica reference as Pokémon.

https://en.wikipedia.org/wiki/Kill_%27Em_All


My understanding of the sanctions regime is that it's not legal to sell software to Iran, so how do they get Microsoft Windows in the first place? Is the country running on pirated software?


Pretty much. The US has banned Iran from joining WTO 22 times, so Iran has reciprocated by not caring about IP violations at all.

https://en.wikipedia.org/wiki/Intellectual_property_in_Iran


Well, yes, actually; it's pretty common. I've worked on government systems (not Iran, but close, and not embargoed) that use pirated Windows and Office Suite.


Why would anyone design an attack with a whole load of human-readable batch files when they could make the whole thing a single .exe file?

It smells to me like the architect of the design wasn't a strong programmer, so got teams to develop the components as separate programs and then assembled them himself with batch scripts and self-extracting rar files.

I would have done the same when I was 13 years old and new to programming.


Data wiping (deletion) attack, not windshield wiping attack.

Strange to call vandalism/terrorism "epic troll".


That's the IT security industry for you; way too many people there love to play to that "never grown up / out of script-kiddy morals" stereotype.


Also strange not to mention a potential state actor. Each time an attack is carried out on US targets there is a premade list of countries from which it supposedly comes, and here nothing.


It's a troll because they gave out the number of Ayatollah Khamenei's office as the passenger complaint number.


I feel like vandalism could count as a troll, at least in the original sense of some action taken to provoke an emotional reaction.

Say, for example, spray painting something that would make a particular politician mad along a parade route that they're going to be taking.

It might be a non-central example, but I think it belongs in the category.


Trolling Khamenei with this reminded me how in "The Moon Is a Harsh Mistress" the resistance was trolling the Warden (who represented the oppressive Authority on Luna) using the central computer (Mike) with rogue calls, making him lose sleep.



