
HWiper/Lotus Wiper Campaign - Venezuela PDVSA Attack
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
Critical Recovery Steps for PDVSA-Type Incidents:
Immediate Containment — Isolate affected systems from the network immediately. Disconnect backup systems and air-gapped recovery infrastructure from all networks for 72+ hours to prevent wiper propagation.
Forensic Preservation — Preserve storage media and system memory for post-incident analysis before attempting recovery. Document the timeline of indicators for attribution and response.
Restore From Clean Backups — Activate offline backup recovery procedures. Verify backup integrity and the absence of malware before restoring to production. Implement a staged restore with monitoring for re-infection attempts.
Infrastructure Hardening — Implement network segmentation separating operational technology (OT) from IT infrastructure. Deploy air-gapped backup systems with read-only access. Restrict the distribution of administrative credentials.
Communication Restoration — Establish alternative communication channels independent of compromised systems. Implement manual verification procedures for critical operational commands to prevent command injection attacks during recovery.
| Technique ID | Technique Name | Tactic | Detection Method | Log Sources |
|---|---|---|---|---|
| T1485 | Data Destruction | Impact | Monitor for bulk file deletion operations and suspicious mass file modifications. Alert on unusual I/O patterns targeting system-critical directories. Detect anomalous storage sector writes on unpartitioned disk areas indicative of low-level wipe operations. | Sysmon EID 23/26, EDR file system telemetry, storage controller logs, SCSI command monitoring |
| T1486 | Data Encrypted for Impact | Impact | Detect unusual cryptographic operations and mass file encryption patterns. Monitor for processes accessing encryption APIs or performing bulk file transformations with suspicious parent processes. Alert on file extensions changing to unrecognized patterns. | Windows Crypto API telemetry, Sysmon EID 1/10, EDR process execution logs, File Integrity Monitoring alerts |
| T1561 | Disk Wipe | Impact | Monitor for direct disk I/O operations and raw partition access attempts. Alert on suspicious IOCTL calls to storage devices. Detect attempts to bypass file system abstraction layers. Use firmware-level monitoring to detect direct media writes. | Sysmon EID 25, EDR kernel telemetry, storage device firmware logs, IOCTL monitoring tools |
| T1561.001 | Disk Wipe: Disk Content Wipe | Impact | Alert on suspicious process privilege escalation followed by disk I/O operations. Monitor for zerofill or pattern-write operations on entire volumes. Detect anomalous Master Boot Record (MBR) or partition table modifications. | BIOS/firmware logs, storage controller telemetry, Sysmon privileged I/O operations, EDR behavioral analysis |
| T1561.002 | Disk Wipe: Disk Structure Wipe | Impact | Detect partition table modifications and filesystem header corruption patterns. Monitor for firmware-level write operations bypassing OS protection. Use RAID controller logs to identify mirror/parity destruction sequences. | RAID controller logs, storage firmware audit logs, partition change monitoring, BitLocker/encryption key destruction alerts |
| T1490 | Inhibit System Recovery | Impact | Monitor for deletion or corruption of backup catalogs, recovery partitions, and Shadow Copy volumes. Alert on VSS (Volume Shadow Copy Service) disablement or snapshot deletion. Detect modifications to recovery boot options. | System event logs EID 7030/7031, Sysmon registry modifications, VSS listener logs, WMI operation logs |
| T1531 | Account Access Removal | Impact | Alert on bulk user account lockouts or credential removals by non-authorized processes. Monitor for Active Directory account deletions or password resets by unusual accounts. Detect lockout of service accounts preventing legitimate operations. | Active Directory audit logs, Sysmon EID 13 (registry modifications), SAM database changes, login failure spike alerts |
| T1570 | Lateral Tool Transfer | Lateral Movement | Monitor for SMB file transfers and suspicious file copy operations between systems. Detect wiper payloads being staged on multiple systems before simultaneous execution. Alert on encoded executable transfers over network shares. | Sysmon EID 11/17, SMB transfer logs, network file transfer monitoring, DLP solution logs, NetFlow analysis |
| T1021.001 | Remote Services: Remote Desktop Protocol | Lateral Movement | Alert on unusual RDP connections from non-standard source IPs or during off-hours. Monitor for credential spray attacks on RDP. Detect RDP access by unexpected service accounts or unusual connection patterns indicative of lateral movement. | Windows Security logs EID 4624/4625, RDP connection logs, network IDS alerts, process execution from RDP sessions |
| T1021.004 | Remote Services: SSH | Lateral Movement | Monitor SSH authentication logs for brute-force attempts or successful logins from unexpected sources. Alert on SSH key additions to critical accounts. Detect SSH connections with suspicious command execution patterns indicative of lateral movement to OT systems. | auth.log, secure log, syslog entries, SSH server audit logs, command history, network IDS/IPS alerts |
| T1078 | Valid Accounts | Defense Evasion / Persistence / Privilege Escalation / Initial Access | Monitor for anomalous login patterns using valid but unusual accounts. Alert on credential use from geographically impossible locations within minutes. Detect valid account usage outside normal business hours with destructive command execution. | Active Directory logs, system authentication logs EID 4624/4625, SIEM correlation rules, geographical anomaly detection |
| T1078.003 | Valid Accounts |
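The T1485 row above describes alerting on bulk file deletions and on deletions targeting system-critical directories. The detector below is an added example (not part of this page or the campaign data) that implements that logic as a per-process sliding window over Sysmon Event ID 23 (FileDelete) records; the thresholds, critical-directory list and sample events are constructed assumptions.

```python
"""Bulk-deletion detector over Sysmon EID 23 (FileDelete) events (T1485)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning values are assumptions for this example, not figures from the page.
WINDOW = timedelta(seconds=60)
BULK_THRESHOLD = 50       # any deletions by one process within WINDOW
CRITICAL_THRESHOLD = 5    # deletions under a critical directory within WINDOW
CRITICAL_DIRS = ("c:\\windows\\system32\\", "c:\\boot\\")
TS = "%Y-%m-%d %H:%M:%S.%f"   # Sysmon UtcTime layout

def is_critical(path):
    return path.lower().startswith(CRITICAL_DIRS)

def detect_bulk_deletes(events):
    """events: dicts with the Sysmon EID 23 fields UtcTime, ProcessId, Image,
    TargetFilename. Emits one alert per process when a threshold is crossed."""
    windows = defaultdict(deque)   # (pid, image) -> deque of (time, critical?)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        key = (ev["ProcessId"], ev["Image"])
        if key in alerted:
            continue
        t = datetime.strptime(ev["UtcTime"], TS)
        q = windows[key]
        q.append((t, is_critical(ev["TargetFilename"])))
        while q and t - q[0][0] > WINDOW:     # drop events older than WINDOW
            q.popleft()
        crit = sum(1 for _, c in q if c)
        if len(q) >= BULK_THRESHOLD or crit >= CRITICAL_THRESHOLD:
            alerted.add(key)
            alerts.append({"technique": "T1485", "Image": ev["Image"],
                           "ProcessId": ev["ProcessId"], "deletions": len(q),
                           "critical": crit, "first": q[0][0].isoformat(),
                           "last": t.isoformat()})
    return alerts

def build_sample_events():
    """Constructed sample: a backup agent rotating one log per minute (benign)
    and an unknown binary deleting driver files under System32 in seconds."""
    base = datetime(2024, 3, 1, 2, 15, 0)
    ev = [{"UtcTime": (base + timedelta(minutes=i)).strftime(TS)[:-3],
           "ProcessId": "1204", "Image": "C:\\Program Files\\BackupAgent\\agent.exe",
           "TargetFilename": f"D:\\Logs\\agent-{i}.log"} for i in range(30)]
    ev += [{"UtcTime": (base + timedelta(seconds=i / 2)).strftime(TS)[:-3],
            "ProcessId": "4471", "Image": "C:\\Users\\Public\\svc_update.exe",
            "TargetFilename": f"C:\\Windows\\System32\\drivers\\disk{i}.sys"}
           for i in range(8)]
    return ev

if __name__ == "__main__":
    for a in detect_bulk_deletes(build_sample_events()):
        print(a)
```

The benign agent never accumulates more than two deletions inside the 60-second window, while the second process trips the critical-directory threshold on its fifth System32 deletion and produces a single alert.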