SOC Incident Toolkit
HWiper/Lotus Wiper Campaign - Venezuela PDVSA Attack

Tags: HWiper, Lotus Wiper, PDVSA, Venezuela, wiper malware, destructive attack, critical infrastructure, oil industry, state-sponsored, data destruction, geopolitical targeting

A destructive wiper malware campaign targeting Venezuela's state-owned petroleum company (PDVSA) is attributed to state-sponsored threat actors. The campaign deployed Lotus Wiper (also known as HWiper) to destroy data across critical oil industry infrastructure, representing a significant escalation in destructive cyber operations targeting Latin American critical infrastructure. The attack resulted in widespread operational disruptions and forced PDVSA to operate critical functions via WhatsApp and manual processes.

Indicators of Compromise

Hashes (3)

0b83ce69d16f5ecd00f4642deb3c5895b41d0cd22d5b3e3bdb795f81421a11cbc6d0f67db6a7dbf1f9394d98c1e13670

Notes

CONCLUSION

This campaign represents a significant escalation in destructive cyber warfare targeting Latin American critical infrastructure. The operational impact, which forced PDVSA to conduct critical petroleum operations via WhatsApp, demonstrates the real-world consequences of wiper attacks on strategic national infrastructure. The geopolitical context surrounding US-Venezuela relations and international oil market dynamics suggests state-sponsored involvement with strategic objectives beyond simple financial gain.

The HWiper/Lotus Wiper campaign targeting PDVSA represents a watershed moment in destructive cyber operations against critical infrastructure. The attack demonstrably achieved operational disruption of an entire national petroleum industry, forcing manual operations and communication via commercial platforms — a direct and measurable impact on energy security affecting millions of citizens. The threat actors have shown strategic patience, targeting specific critical infrastructure sectors with advanced wiper malware rather than running indiscriminate ransomware campaigns. The campaign's attribution to state-sponsored actors reflects new doctrines in cyber warfare in which destructive operations achieve geopolitical objectives without seeking financial gain. For organizations in critical infrastructure sectors — particularly energy, utilities, and strategic industries — this campaign validates the necessity of comprehensive offline backup strategies, network segmentation that isolates OT systems, and specialized incident response plans for destructive malware. SOCRadar's IOC Radar should be leveraged immediately to scan for HWiper/Lotus Wiper indicators across organizational infrastructure, particularly on systems with internet exposure.

Cyber Threat Intelligence services provide essential early warning on state-sponsored campaigns targeting specific sectors before attacks occur. Dark Web Monitoring can identify targeted reconnaissance against Venezuelan oil companies weeks before destructive payloads are deployed. Attack Surface Management capabilities reveal industrial control system interfaces and other critical infrastructure exposed to the internet. The defensive imperative has shifted from breach prevention to rapid recovery — organizations must assume that sophisticated adversaries will eventually penetrate defenses and focus on resilience, backup integrity, and operational continuity.

Mitigation

Technique ID | Technique Name | Tactic | Mitigation ID | Description
T1485 | Data Destruction | Impact | M1053 | Data Backup and Recovery — Implement comprehensive and regularly tested backup strategies with offline, air-gapped backup repositories that cannot be accessed by compromised systems. Maintain multiple backup copies in geographically distributed locations with immutable storage capabilities.
T1486 | Data Encrypted for Impact | Impact | M1053 | Data Backup and Recovery — Maintain encrypted, offline backups segregated from production networks with verified restore capabilities tested monthly. Store backups in physically isolated data centers with restricted access controls.
T1561 | Disk Wipe | Impact | M1053 | Data Backup and Recovery — Deploy immutable backup solutions that cannot be deleted or overwritten by threat actors, even with administrative privileges. Implement write-once-read-many (WORM) storage systems.
T1561.001 | Disk Wipe: Disk Content Wipe | Impact | M1052 | User Account Management — Restrict administrative privileges to users requiring them. Implement just-in-time (JIT) privilege escalation with auditing and approval workflows. Eliminate shared administrative accounts.
T1561.002 | Disk Wipe: Disk Structure Wipe | Impact | M1047 | Audit — Enable BIOS/UEFI logging and integrity monitoring. Use the Trusted Platform Module (TPM) to detect unauthorized firmware modifications. Monitor boot-level security controls.
T1490 | Inhibit System Recovery | Impact | M1053 | Data Backup and Recovery — Protect backup systems with separate credentials and network segmentation. Ensure backups exist independently of primary infrastructure and cannot be accessed by compromised systems.
T1531 | Account Access Removal | Impact | M1032 | Multi-factor Authentication — Implement strong MFA for all critical accounts and administrative access. Use hardware security keys resistant to phishing. Enforce conditional access policies.
T1570 | Lateral Tool Transfer | Lateral Movement | M1037 | Filter Network Traffic — Use network segmentation and microsegmentation to restrict lateral movement. Deploy Data Loss Prevention (DLP) solutions to prevent unauthorized tool distribution across network boundaries.
T1021.001 | Remote Services: Remote Desktop Protocol | Lateral Movement | M1035 | Limit Access to Resource Over Network — Disable RDP on systems where it is not required. Use network access controls and VPN requirements for RDP access. Implement IP allowlisting and port restrictions.
T1021.004 | Remote Services: SSH | Lateral Movement | M1032 | Multi-factor Authentication — Enforce MFA for SSH access. Disable password-based SSH authentication in favor of key-based methods. Restrict SSH to admin accounts only.
T1078 | Valid Accounts | Defense Evasion / Persistence / Privilege Escalation / Initial Access | M1027 | Password Policies — Enforce strong password policies with complexity requirements, regular rotation, and prohibition of credential reuse. Implement account lockout thresholds after failed login attempts.
T1078.003 | Valid Accounts: Local Accounts | Defense Evasion / Persistence / Privilege Escalation / Initial Access | M1026 | Privileged Account Management — Audit and remove unnecessary local administrative accounts. Implement centralized identity management. Monitor for unauthorized account creation or privilege escalation.
T1003 | OS Credential Dumping | Credential Access | M1027 | Password Policies — Enforce strong credential policies and implement LSASS protection mechanisms. Use Windows Defender Credential Guard to protect stored credentials from OS credential dumping attacks.
T1598 | | | |

(Technique and tactic IDs link to the corresponding MITRE ATT&CK pages, e.g. https://attack.mitre.org/techniques/T1485/ and https://attack.mitre.org/tactics/TA0040/.)
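The M1053 rows above (T1485, T1486, T1561, T1490) call for backups whose integrity is verified by a regular restore test and which an intruder holding administrative rights cannot silently alter. The following script is an added example, not SOCRadar's or PDVSA's code: it builds an HMAC-signed manifest of a backup set and later checks the set against it, reporting files that were wiped, overwritten or added. The signing key, the file names and the sample data are constructed for illustration; in practice the key stays with the offline copy, never on the backup host.

```python
import hashlib
import hmac
import json
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def listing(root):
    # Relative path -> SHA-256 for every file under root (current state).
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out

def sign(files, key):
    # HMAC over the canonical JSON listing; 'key' is kept off the backup host.
    return hmac.new(key, json.dumps(files, sort_keys=True).encode(), "sha256").hexdigest()

def build_manifest(root, key):
    # Taken when the backup is written; without the key nobody can forge a manifest for wiped data.
    files = listing(root)
    return {"files": files, "mac": sign(files, key)}

def verify_backup(root, manifest, key):
    # Restore test: is the manifest genuine, and does every recorded file still match?
    recorded, current = manifest["files"], listing(root)
    return {
        "manifest_ok": hmac.compare_digest(sign(recorded, key), manifest["mac"]),
        "missing": sorted(p for p in recorded if p not in current),
        "altered": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "extra": sorted(p for p in current if p not in recorded),
    }

def demo(key=b"constructed-offline-key"):
    # Constructed sample: two files are backed up, then one is zeroed and one deleted (T1485/T1561 impact).
    root = tempfile.mkdtemp()
    for name, data in (("ops.db", b"shift-schedule"), ("readme.txt", b"hello")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(root, key)
    with open(os.path.join(root, "ops.db"), "wb") as f:
        f.write(b"\x00" * 14)
    os.remove(os.path.join(root, "readme.txt"))
    return verify_backup(root, manifest, key)
```

A manifest whose HMAC fails to verify is itself an indicator: either the key was wrong or someone on the backup host rewrote the listing to hide destroyed files.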