MITRE ATT&CK™

MITRE ATT&CK: Disk structure wipe

Greg Belding
January 22, 2020 by
Greg Belding

Introduction 

Denying the availability of systems and resources of an attack target is a main objective of many real-world attack campaigns. If you were going to disrupt a target, this denial of availability is probably the only part of the attack that will affect the day-to-day activity of a target endpoint’s user. 

Since integrity and availability of disks are as serious today as they were decades ago, the disk structure wipe attack technique is an old favorite of hackers and attack campaigns. 

This article will explore the disk structure wipe, as detailed in the MITRE ATT&CK Matrix. We’ll look at the MITRE ATT&CK, the disk structure wipe, how it works and some real-world examples of the attack technique in use, as well as mitigation and detection considerations. 


What is MITRE ATT&CK?

MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.

To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based on real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use. 

More information on the MITRE ATT&CK matrix can be found here.

What is a disk structure wipe?

Denial of availability is an attractive attack option because of the devastation it leaves in its wake. The disk structure wipe attack technique is where attackers wipe or corrupt disk structures on a targeted system’s hard drive. These structures include those necessary to boot systems, including the technique’s favorite targets — the Master Boot Record (MBR) and partition tables. Other targets include specific critical systems and endpoint systems in large numbers to maximize the attack’s malicious effect. 

This technique sometimes uses malware that exhibits worm-like features which can amplify its reach.

A little about how disk structure wipe works

This attack works by using different malware and malware families to either wipe or corrupt hard disk structures that house critical data. MBR and partition tables are typical targets but any disk structure containing critical data is at risk. 

This data contains executable code for the initial loading of an operating system (OS) and file system partitions necessary for the system to function properly. Sometimes attackers opt to use legitimate drivers, including RawDisk, to perform raw disk modifications instead of traditional malware. Without the availability of this information, a system would simply not boot up when the endpoint user sits down at their desk to begin their day.

Attackers use different methods to amplify this attack technique. Malware with wormlike capabilities may be used to maximize attack technique reach, and disk structure wipe may be used in tandem with disk content wipe to maximize the attack’s destructive potential.

Real-world examples of disk structure wipe

This attack technique is incorporated into different attack campaigns, normally performed with malware called wipers. It should be noted that the disk structure wipe attack is used more often than disk content wipe; but when used in combination, the impact of this attack technique is amplified.

Lazarus Group

This North Korea-based attack group uses specialized malware to perform disk structure wipe attacks. Lazarus Group has been known to use this attack technique with different malware since about 2009. In 2014, this attack group used the name Guardians of Peace (GOP) to cripple Sony Pictures Entertainment’s systems for days. 

One instance of malware that Lazarus Group uses is called SHARPKNOT. It is known to overwrite and delete the MBR on targeted systems.

Note that sometimes the “Lazarus Group” name is attributed to any malicious hacking activity originating in North Korea. This assumption is not entirely accurate because there are threat groups independent of each other operating in North Korea. As such, these different groups will be treated as independent of each other.

APT38

APT38 is another threat group based in North Korea. It has been known to use an MBR wiper called BOOTWRECK to make systems unusable, which is the ultimate goal of this attack technique. 

Shamoon

Shamoon is a type of wiper malware used by an Iranian threat group sometimes known as Cutting Sword of Justice and sometimes simply known as Shamoon. This malware has been observed overwriting critical disk structure features, including MBR. As a threat group, Shamoon has been known to incorporate RawDisk into their attack campaign to wipe disks as well. 

Mitigation

MITRE suggests mitigating this attack technique with a solid IT disaster recovery plan. This plan should contain data backup procedures for regular backups for restoration of organizational information if disk structure wipe attacks overwrite or delete information. These backups should be stored offsite, with security measures taken to prevent attackers from accessing and destroying them.

Detection

Attempts to read/write to critical disk locations may be a sign of this attack technique. Keep a particularly keen eye on the MBR and disk partition table. Monitoring for unusual driver installation activity, especially kernel driver, is also a recommended way to detect a disk structure wipe.

Conclusion

The disk structure wipe attack technique detailed in the MITRE ATT&CK Matrix is a particularly malicious attack as it can render a system completely inoperable, resulting in a loss of resource availability and time taken for recovery. Attackers typically use malware to perform this task, but non-malware such as legitimate drivers has been used. 

By following the mitigation and detection techniques explored above, you can go the extra mile to protect yourself from the disk structure wipe attack technique.

 

Sources

  1. Disk Structure Wipe, MITRE 
  2. The Shamoon Attacks, Symantec
  3. APT38: Un-usual Suspects, FireEye
  4. Lazarus Group, MITRE
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.