HWiper/Lotus Wiper Campaign - Venezuela PDVSA Attack

Tags: HWiper, Lotus Wiper, PDVSA, Venezuela, wiper malware, destructive attack, critical infrastructure, oil industry, state-sponsored, data destruction, geopolitical targeting

A destructive wiper malware campaign targeting Venezuela's state-owned petroleum company, PDVSA, is attributed to state-sponsored threat actors. The actors deployed Lotus Wiper (also tracked as HWiper) to destroy data across critical oil-industry infrastructure, a significant escalation in destructive cyber operations against Latin American critical infrastructure. The attack caused widespread operational disruption and forced PDVSA to run critical functions over WhatsApp and manual processes.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Critical Recovery Steps for PDVSA-Type Incidents:

  1. Immediate Containment: Isolate affected systems from the network immediately. Keep backup systems and offline recovery infrastructure disconnected from all networks for at least 72 hours so the wiper cannot propagate into the recovery set.

  2. Forensic Preservation: Preserve storage media and system memory for post-incident analysis before attempting any recovery. Capture memory first, since the wiper's in-memory state is lost on reboot. Document the timeline of indicators to support attribution and response.

  3. Restore From Clean Backups: Activate offline backup recovery procedures. Verify backup integrity and confirm the backup set is free of malware before restoring to production; a wiper that ran before the last backup job can leave the backup itself damaged. Restore in stages and monitor each stage for re-infection attempts.

  4. Infrastructure Hardening: Segment the network so that operational technology (OT) is separated from IT. Deploy offline (air-gapped) backup systems with read-only or immutable access. Restrict the distribution of administrative credentials.

  5. Communication Restoration: Establish alternative communication channels independent of the compromised systems. Improvised channels such as the consumer messaging app PDVSA fell back on do not authenticate the sender, so require manual out-of-band verification of critical operational commands to prevent an attacker from injecting spoofed instructions during recovery.
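The integrity check in step 3, as an added example that is not part of PDVSA's procedures or of this page: the backup job is assumed to have written a SHA-256 manifest of the backup set and sealed it with an HMAC under a key held off the backup network (the key name, manifest layout and sample files are assumptions). A wiper that zero-fills or deletes files shows up as modified or missing entries, a dropped payload shows up as an extra file, and a manifest edited to hide the damage fails the HMAC check before any file comparison runs.

```python
"""Pre-restore backup integrity check (added example, not PDVSA procedure).

Assumes the backup job produced a SHA-256 manifest sealed with an HMAC whose
key lives outside the backup network. Manifest format, key and sample files
are constructed for illustration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path, key: bytes) -> bytes:
    """Digest every file under root and seal the listing with HMAC-SHA256."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            entries[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "hmac": tag}).encode()


def verify_restore_set(root: Path, manifest: bytes, key: bytes) -> dict:
    """Check the on-disk backup set against the sealed manifest.

    Returns a dict with ok, reason, missing, modified and extra (sorted paths).
    The HMAC is checked first so a tampered manifest cannot vouch for damaged data.
    """
    doc = json.loads(manifest)
    body = doc["body"].encode()
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, doc["hmac"]):
        return {"ok": False, "reason": "manifest HMAC mismatch",
                "missing": [], "modified": [], "extra": []}
    expected = json.loads(body)
    modified, extra, seen = [], [], set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in expected:
            extra.append(rel)  # file the backup never contained, e.g. a dropped payload
        elif hashlib.sha256(p.read_bytes()).hexdigest() != expected[rel]:
            modified.append(rel)  # content changed, e.g. zero-filled by a wiper
    missing = sorted(set(expected) - seen)
    ok = not (missing or modified or extra)
    return {"ok": ok, "reason": None if ok else "content mismatch",
            "missing": missing, "modified": sorted(modified), "extra": sorted(extra)}


def demo():
    """Clean set, then the same set after a simulated wipe, then a tampered manifest."""
    key = b"offline-hmac-key"  # assumption: held outside the backup network
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "hist").mkdir()
        (root / "hist" / "a.dat").write_bytes(b"\x01" * 32)      # constructed sample files
        (root / "config.ini").write_text("[plc]\nip=10.0.0.5\n")
        manifest = build_manifest(root, key)
        clean = verify_restore_set(root, manifest, key)
        # Simulate a wiper: zero-fill one file, delete another, drop a payload.
        (root / "hist" / "a.dat").write_bytes(b"\x00" * 32)
        (root / "config.ini").unlink()
        (root / "hw.exe").write_bytes(b"MZ")
        wiped = verify_restore_set(root, manifest, key)
        tampered = verify_restore_set(root, manifest.replace(b"a.dat", b"b.dat"), key)
        return clean, wiped, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "wiped", "tampered"), demo()):
        print(label, result)
```

Run the check from an isolated recovery host, with the HMAC key supplied from outside the backup network; a manifest stored beside the backups without a key would be wiped or rewritten along with them.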

DETECTIONS
T1485 Data Destruction (Impact)
  Detection: Monitor for bulk file deletion and mass file modification. Alert on unusual I/O patterns against system-critical directories. Detect writes to unpartitioned disk areas, which indicate low-level wipe operations.
  Log sources: Sysmon EID 23/26 (FileDelete / FileDeleteDetected), EDR file-system telemetry, storage controller logs, SCSI command monitoring.

T1486 Data Encrypted for Impact (Impact)
  Detection: Detect unusual cryptographic activity and mass file encryption. Monitor processes that call encryption APIs or perform bulk file transformations under a suspicious parent process. Alert on file extensions changing to unrecognized patterns.
  Log sources: Windows CryptoAPI/CNG telemetry, Sysmon EID 1/10, EDR process execution logs, file integrity monitoring alerts.

T1561 Disk Wipe (Impact)
  Detection: Monitor for direct disk I/O and raw partition access (handles opened on \\.\PhysicalDriveN or \\.\C:). Alert on suspicious IOCTL calls to storage devices. Detect attempts to bypass the file-system abstraction layer. Use firmware-level monitoring to detect direct media writes.
  Log sources: Sysmon EID 9 (RawAccessRead; Sysmon does not record raw writes, so pair it with EDR kernel telemetry), storage device firmware logs, IOCTL monitoring tools.

T1561.001 Disk Wipe: Disk Content Wipe (Impact)
  Detection: Alert on privilege escalation followed by raw disk I/O from the same process. Monitor for zero-fill or pattern-write operations across entire volumes. Detect anomalous Master Boot Record (MBR) or partition table modifications.
  Log sources: BIOS/firmware logs, storage controller telemetry, Sysmon EID 9 (raw volume handles), EDR behavioral analysis.

T1561.002 Disk Wipe: Disk Structure Wipe (Impact)
  Detection: Detect partition table modifications and file-system header corruption. Monitor for firmware-level writes that bypass OS protections. Use RAID controller logs to identify mirror/parity destruction sequences.
  Log sources: RAID controller logs, storage firmware audit logs, partition change monitoring, BitLocker/encryption key destruction alerts.

T1490 Inhibit System Recovery (Impact)
  Detection: Monitor for deletion or corruption of backup catalogs, recovery partitions, and Volume Shadow Copies. Alert on VSS disablement or snapshot deletion (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog). Detect modifications to recovery boot options (bcdedit with recoveryenabled set to no).
  Log sources: Sysmon EID 1 / Security EID 4688 process creation with command line, System log EID 7036/7040/7031 (VSS service state change, start-type change, unexpected termination), Sysmon EID 13 registry modifications, WMI operation logs.

T1531 Account Access Removal (Impact)
  Detection: Alert on bulk account lockouts or credential removal by unauthorized processes. Monitor Active Directory for account deletions or password resets performed by unusual accounts. Detect lockout of service accounts that blocks legitimate operations.
  Log sources: Active Directory audit logs (Security EID 4726 account deleted, 4724 password reset, 4740 lockout), Sysmon EID 13 (registry modifications), SAM database changes, logon failure spike alerts.

T1570 Lateral Tool Transfer (Lateral Movement)
  Detection: Monitor SMB file transfers and file copy operations between hosts. Detect wiper payloads staged on multiple systems before simultaneous execution (the same file hash landing on many hosts shortly before the detonation window). Alert on encoded executables transferred over network shares.
  Log sources: Sysmon EID 11/17, Security EID 5145 (share object access), SMB transfer logs, network file transfer monitoring, DLP logs, NetFlow analysis.

T1021.001 Remote Services: Remote Desktop Protocol (Lateral Movement)
  Detection: Alert on RDP connections from non-standard source IPs or during off-hours. Monitor for credential spraying against RDP. Detect RDP access by unexpected service accounts or connection patterns indicative of lateral movement.
  Log sources: Security EID 4624/4625 (logon type 10), TerminalServices-RemoteConnectionManager EID 1149, network IDS alerts, process execution from RDP sessions.

T1021.004 Remote Services: SSH (Lateral Movement)
  Detection: Monitor SSH authentication logs for brute-force attempts and successful logins from unexpected sources. Alert on SSH key additions to critical accounts (authorized_keys changes). Detect SSH sessions with command patterns indicative of lateral movement into OT systems.
  Log sources: auth.log / secure log / syslog, SSH server audit logs, shell command history, network IDS/IPS alerts.

T1078 Valid Accounts (Defense Evasion / Persistence / Privilege Escalation / Initial Access)
  Detection: Monitor for anomalous logon patterns using valid but unusual accounts. Alert on impossible-travel logons (the same credential used from geographically distant locations within minutes). Detect valid-account activity outside business hours combined with destructive command execution.
  Log sources: Active Directory logs, Security EID 4624/4625, SIEM correlation rules, geographic anomaly detection.

T1078.003 Valid Accounts: Local Accounts (Defense Evasion / Persistence / Privilege Escalation / Initial Access)
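Three of the rows above (T1490, T1561 and T1485) as detection logic run over constructed Sysmon-style events, an added example that is not PDVSA tooling or any vendor's rule set. The event records, paths, PIDs, account names, the raw-access allowlist and the deletion threshold are all assumptions; the recovery-inhibiting command patterns are generic Windows tooling, not indicators from this campaign. The correlation step escalates when more than one wiper-stage technique fires under the same account, which is the stage-then-detonate pattern the table describes.

```python
"""Wiper-stage detection over constructed Sysmon-style events.

Added example for this page (not PDVSA tooling or any vendor's rule set).
Covers T1490 recovery-inhibiting command lines (EID 1), T1561 raw volume
access (EID 9 RawAccessRead) and T1485 bulk deletion (EID 23/26). Events,
paths, PIDs, accounts and the allowlist are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real PDVSA data.
EVENTS = [
    {"ts": "2026-01-10T02:00:01", "eid": 1, "pid": 4100, "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": "2026-01-10T02:00:03", "eid": 1, "pid": 4102, "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2026-01-10T02:00:05", "eid": 9, "pid": 4120, "user": "CORP\\svc_backup",
     "image": r"C:\Users\Public\hw.exe", "device": r"\Device\HarddiskVolume1"},
    {"ts": "2026-01-10T02:00:06", "eid": 9, "pid": 1212, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe", "device": r"\Device\HarddiskVolume1"},
]
# 300 deletions by one process in ten seconds (wiper), then 15 benign temp-file deletes.
for i in range(300):
    EVENTS.append({"ts": f"2026-01-10T02:01:{i // 30:02d}", "eid": 26, "pid": 4120,
                   "user": "CORP\\svc_backup", "image": r"C:\Users\Public\hw.exe",
                   "target": rf"D:\hist\{i:04d}.dat"})
for i in range(15):
    EVENTS.append({"ts": f"2026-01-10T02:05:{i:02d}", "eid": 23, "pid": 900,
                   "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\cleanmgr.exe",
                   "target": rf"C:\Windows\Temp\{i}.tmp"})

# T1490: recovery-inhibiting command lines (generic tooling, not campaign IOCs).
RECOVERY_INHIBIT = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
]
# T1561: images expected to open raw volumes (assumed allowlist; tune per environment).
RAW_ACCESS_ALLOW = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\defrag.exe"}
# T1485: deletions per process inside a sliding window before alerting (assumed values).
DELETE_THRESHOLD, DELETE_WINDOW = 100, timedelta(seconds=60)


def detect(events):
    """Return a list of (technique, pid, user, detail) alerts, one per finding."""
    alerts, windows, fired = [], defaultdict(list), set()
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 timestamps sort lexically
        if e["eid"] == 1 and any(p.search(e["cmd"]) for p in RECOVERY_INHIBIT):
            alerts.append(("T1490", e["pid"], e["user"], e["cmd"]))
        elif e["eid"] == 9 and e["image"].lower() not in RAW_ACCESS_ALLOW:
            alerts.append(("T1561", e["pid"], e["user"], f"{e['image']} opened {e['device']}"))
        elif e["eid"] in (23, 26):
            ts, q = datetime.fromisoformat(e["ts"]), windows[e["pid"]]
            q.append(ts)
            while ts - q[0] > DELETE_WINDOW:  # evict deletes older than the window
                q.pop(0)
            if len(q) >= DELETE_THRESHOLD and e["pid"] not in fired:
                fired.add(e["pid"])  # one alert per process, not one per file
                alerts.append(("T1485", e["pid"], e["user"],
                               f"{len(q)} deletes in {DELETE_WINDOW.seconds}s by {e['image']}"))
    return alerts


def correlate(alerts):
    """Escalate when two or more distinct wiper-stage techniques fire under one account."""
    by_user = defaultdict(set)
    for tech, _pid, user, _detail in alerts:
        by_user[user].add(tech)
    return {u: ("wiper-chain" if len(t) >= 2 else "single-stage") for u, t in by_user.items()}


if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(*alert)
    print(correlate(found))
```

The benign cleanmgr.exe deletions stay under the threshold and svchost.exe is on the raw-access allowlist, so only the svc_backup activity fires; the allowlist and threshold are the two values a practitioner must tune per environment, since backup agents and defragmentation tools legitimately open raw volumes and delete in bulk.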

Observed Countries (1)

VE (656)