
Void Manticore Combines Data Theft And Destructive Wiper Malware In Cyber War Campaigns

While hackers are sometimes portrayed as ordinary individuals seeking notoriety by outsmarting phone companies, as in the movie Hackers, the truth is that most cyberattacks are financially motivated. Ransomware gangs extort their victims into paying to regain access to encrypted files, to stop DoS attacks crippling the victim's infrastructure, or to avoid public disclosure of sensitive information. Combinations of these threats are known as double-extortion and triple-extortion ransomware attacks.

However, there is another core motivation that should not be ignored: pure malice. Destruction of the victim at the hands of a political or ideological adversary has motivated attacks against critical infrastructure and data-wiping attacks that destroy files rather than holding them for ransom. These attacks are strategically designed to leave the victim with no way out.

In this article we will introduce the threat actor known as Void Manticore, an Iranian-backed Advanced Persistent Threat (APT) group whose distribution of wiper malware increased markedly in 2024. We will then cover the worst strains of wiper malware in history.

Who is Void Manticore?

Void Manticore (aka Storm-842) is an Iranian state-sponsored threat actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and is perhaps the most significant actor within Iran’s cyber warfare landscape. Since October 2023, the group has been targeting Israeli organizations, often under the online persona "Karma", but their operations extend beyond Israel, affecting countries such as Albania, where the group uses the persona "Homeland Justice" to leak stolen data. In total, over 40 Israeli organizations have been targeted by Void Manticore.

Void Manticore's tactics focus on destructive wiping attacks, relying on publicly available hacking tools and custom wipers like the BiBi wiper for both Windows and Linux environments. Void Manticore gains initial access through a variety of methods including exploiting vulnerabilities in systems (especially Remote Desktop Protocol), spear-phishing campaigns, credential theft, and using publicly available hacking tools like Mimikatz. 

Their typical tactics also involve lateral movement using stolen credentials and exploitation of internal network services, followed by the deployment of wiper malware. Their signature wiper strain, BiBi wiper, is named after Israeli Prime Minister Benjamin Netanyahu. The group's operations have also involved coordination with another Iranian threat actor, Scarred Manticore (aka Storm-861), suggesting organized handoffs of victims between the two groups to maximize the impact of their campaigns.
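As an added example (not code from the original post, nor from any published research on Void Manticore), the following Python flags the chain described above in logon telemetry from a defender's side: an internet-facing RDP logon followed, within a short window, by the same account logging on over the network to several other internal hosts. The Windows-style event IDs and logon types are real, but the sample records, the internal address ranges and the thresholds are constructed assumptions for the demonstration.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed sample logon records in a Windows-like shape (not real telemetry).
# event_id 4624 = successful logon; logon_type 10 = RemoteInteractive (RDP),
# logon_type 3 = Network, the shape stolen-credential lateral movement often takes.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:00:05", "event_id": 4624, "user": "svc_backup", "src": "203.0.113.7", "host": "RDP-GW1", "logon_type": 10},
    {"ts": "2024-03-01T02:04:10", "event_id": 4624, "user": "svc_backup", "src": "10.0.0.5", "host": "FS-01", "logon_type": 3},
    {"ts": "2024-03-01T02:05:30", "event_id": 4624, "user": "svc_backup", "src": "10.0.0.5", "host": "DC-01", "logon_type": 3},
    {"ts": "2024-03-01T02:07:12", "event_id": 4624, "user": "svc_backup", "src": "10.0.0.5", "host": "APP-02", "logon_type": 3},
    # Benign: an internal user on RDP, then one file-server access.
    {"ts": "2024-03-01T09:15:00", "event_id": 4624, "user": "jdoe", "src": "10.0.2.40", "host": "RDP-GW1", "logon_type": 10},
    {"ts": "2024-03-01T09:20:00", "event_id": 4624, "user": "jdoe", "src": "10.0.2.40", "host": "FS-01", "logon_type": 3},
]

# Assumed internal ranges; adjust to the environment being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def detect_rdp_then_lateral(events, window=timedelta(minutes=30), min_hosts=3):
    """Return one alert per account whose RDP logon from an external source is
    followed within `window` by network logons to >= `min_hosts` other hosts."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["event_id"] != 4624 or ev["logon_type"] != 10 or not is_external(ev["src"]):
            continue
        start = datetime.fromisoformat(ev["ts"])
        targets = set()
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - start > window:
                break  # events are time-sorted, so nothing further is in the window
            if (later["user"] == ev["user"] and later["event_id"] == 4624
                    and later["logon_type"] == 3 and later["host"] != ev["host"]):
                targets.add(later["host"])
        if len(targets) >= min_hosts:
            alerts.append({"user": ev["user"], "rdp_host": ev["host"],
                           "src": ev["src"], "lateral_hosts": sorted(targets)})
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_then_lateral(SAMPLE_EVENTS):
        print(f"ALERT: {alert['user']} via {alert['rdp_host']} from {alert['src']} -> {alert['lateral_hosts']}")
```

In a real deployment the same logic would run over Security log exports or a SIEM query rather than an in-memory list; the point is the sequence (external RDP session, then fan-out with the same credentials), which is the stage at which a wiper has typically not yet been deployed.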

The History of Wiper Malware

Wiper malware is a destructive type of malware designed to erase or corrupt data on infected systems, rendering them unusable. Its history dates back to 2012 when "Shamoon" was deployed against Saudi Aramco, causing massive data loss by wiping hard drives. This incident marked the first major public use of wiper malware. In 2017, another significant attack, "NotPetya," targeted Ukraine and spread globally, posing as ransomware but primarily functioning as a wiper, disrupting companies and critical infrastructure worldwide.

Why Do Threat Actors Deploy Wiper Malware?

Over the years, wiper malware has become a tool of choice for state-sponsored actors, often used in politically motivated attacks. Iranian, Russian, and North Korean groups have leveraged it in campaigns aimed at critical sectors. Modern examples, like Iran-linked Void Manticore's "BiBi" wiper, show its ongoing use in cyber warfare to cause operational disruption and deliver politically charged messages while inflicting maximum damage.

The Worst Strains of Wiper Malware

Here are some of the most well-known, historic, and prolific strains of wiper malware, along with their context, threat actors, and global impact:

Shamoon (DistTrack)

First discovered in 2012, Shamoon (also known as DistTrack) was used in a cyberattack against Saudi Aramco, one of the world's largest oil companies. A second wave of Shamoon attacks was observed in 2016. The attacks have been attributed to a group known as "Cutting Sword of Justice," which is believed to have ties to Iran.

The campaign affected approximately 30,000 computers, disrupting the company's operations. The 2016 wave targeted various organizations in the Middle East, continuing to highlight the threat posed by nation-state actors using wiper malware.

NotPetya

Initially discovered in June 2017, NotPetya masqueraded as ransomware but was, in reality, a wiper designed to inflict maximum damage. It spread through a software update mechanism for a Ukrainian tax preparation program. NotPetya has been attributed to the Russian military intelligence agency, GRU, specifically a group known as Sandworm.

The malware caused significant disruptions globally, with estimated damages exceeding $10 billion. It affected major corporations such as Maersk, FedEx, and Merck, highlighting the extensive economic and operational impact of wiper malware.

DarkSeoul

DarkSeoul is a wiper malware strain linked to North Korean cyber operations. First observed in 2013, it targeted South Korean banks and broadcasting systems, causing widespread disruptions in critical sectors. DarkSeoul launched highly destructive campaigns that affected tens of thousands of systems, erasing data and corrupting master boot records.

This malware demonstrated the power of nation-state-sponsored wiper attacks aimed at political and economic targets.

Chaos Malware Strain

The Chaos malware strain emerged in 2021, acting both as a ransomware and wiper hybrid. It encrypted files and then proceeded to wipe data, blending extortion and destruction into a single campaign.

This strain has been linked to attacks targeting critical infrastructure and organizations in Europe and Asia. Its ability to operate across multiple functions increased its threat potential, causing severe operational disruption for its victims.

CryWiper Malware Strain

CryWiper is a destructive malware strain first observed in late 2022. It disguises itself as ransomware but functions solely to destroy data, rendering systems inoperable with no chance of recovery.

CryWiper has been deployed in politically motivated attacks, most notably targeting municipal services and financial sectors in Russia and neighboring states, inflicting long-term damage to victim organizations.

Conclusion

Void Manticore, an Iranian APT group, leverages wiper malware to target critical infrastructure and organizations globally. Known strains like Shamoon and NotPetya showcase the devastating impact of wiper attacks, which are used for both political disruption and maximum operational damage.

These malware variants erase data, leaving organizations unable to recover. Wiper malware continues to be a key weapon in state-sponsored cyber warfare, evolving in sophistication and destructiveness.
