Welcome back to the Cyber Resilience Brief, a SafeBreach podcast. I’m Tova Dvorin, your host. And today, we’re doing something a little different in the SafeBreach studios. Isn’t that right, Adrian?

That’s right, Tova. Today’s Sunday, February the 8th, 2026, and we’re bringing you a very special bonus episode about an emerging threat whose story is very current and very unclear: the shadow over the grid.

Right. Late January 2026 brought us some chilling updates from Central Europe. We’re looking at a new destructive force hitting the Polish energy sector at the end of December 2025, starting on the 29th of December. Adrian, you’ve been neck deep in the latest research. What are we actually looking at?

So, Tova, we’re tracking a malware strain called DynoWiper. While the world has been focused on ransomware for years, DynoWiper reminds us that for some nation-state actors, the goal isn’t money. It’s pure, unadulterated disruption and destruction. Chaos for chaos’ sake.

Doesn’t that sound like some of the calling cards of CRINK? And so far, our research points to a very familiar hand behind the DynoWiper wheel.

Exactly, Tova. The TTPs, the tactics, techniques, and procedures, point to two Russian groups. Analysis by CERT Polska, the national computer emergency response team for Poland, points towards a group referred to as Static Tundra, which is part of the Russian domestic security service, the FSB, which you’ll all be familiar with. That’s Center 16, Unit 16. On the other hand, commercial research from the threat intelligence firm ESET points towards the Soviet military intelligence, the GRU, Unit 74455, our old enemies, the Sandworm team. This is a great example of how attribution of cyber attacks at the nation-state level remains hard, and it’s not for the faint-hearted.

These IOCs and TTPs support both hypotheses, and it really highlights the need for corroborating intelligence from other sources. And those other sources are rarely ever available on a commercial level. And perhaps the truth is that the FSB acted as the initial access broker, or IAB, which is a service they specialize in, and maybe then the GRU took over. I think that’s currently a very valid and very likely hypothesis.

What’s fascinating here is how this has evolved. DynoWiper is effectively the successor to the ZOV wiper. For those of you who may not be aware, ZOV is actually a name used by Russian military units. They mark it on their vehicles, and it’s an aggressive name with all sorts of negative, horrible connotations. They have a wiper called ZOV as well, which we saw tearing through Ukraine last year, but now it’s across the border in the EU, specifically targeting Polish wind farms and combined heat and power plants, often referred to as CHP.

It’s funny. Remind me to talk about the why, but before that, let’s talk about the how. Usually, we think of malware as something that phones home to a command and control server, but your research suggests that DynoWiper is lean?

Lean’s the perfect word, Tova. It doesn’t need a constant umbilical cord to the Internet. Sandworm and the FSB are already inside the network, often with administrative credentials or control over a domain controller. They move laterally and drop the wiper internally.

So it’s already in the house before the lights go out.

Precisely. They’re using internal staging paths like \\<domain controller>\SYSVOL, or hiding in the C:\Windows\Temp folder. They’re even masquerading as legitimate updates. Look out for things like “Java update” or “Java_update.accept”.

Wow. That is so, so, so generic. And that means that it can hide in plain sight. What happens once it runs?

It’s absolutely surgical, Tova. It uses a split-logic approach. For small files, less than 12 bytes, it’s a total overwrite. For larger files, it just shreds enough to make the system unbootable. It’s designed to kill a machine faster than an admin can pull a plug. It even ignores the System32 files until the very last second, ensuring the wiper’s finished its job before wiping the System32 files so the OS crashes. It’s super fast. If the file, as I mentioned before, if the file’s 16 bytes or less, it just wipes it. If it’s larger, it mangles the file header. It then mangles the System32 files to prevent the operating system from loading.

Right. Hence the term split logic. It’s a semi-autonomous wiper which operates differently based on file size.

Exactly. It’s also been overwriting PLC controller firmware. Interestingly, it uses a pseudo-random number generator. For our mathematician listeners, or even for our non-mathematician listeners who are interested, it’s called a Mersenne Twister; mathematically, it’s designated as MT19937. Super fast, because the pseudo-random numbers come from a pre-calculated table. This does introduce a weakness cryptographically, which is that if you get over 640 consecutive outputs, the future output can be accessed and predicted. However, not for public discussion as to the how, but we are aware that this methodology alarmingly could already be considerably enhanced for much, much faster operation.

And we’ll be right back.

Your research also highlights some interesting infrastructure overlaps. We’re seeing IP addresses listed for next hosting and SOCKS5 proxies. Could you tell us a little bit more about those and what that means?

So this is where we get to adversarial exposure. We’ve identified a specific pivot point, 31.172.71.5. This IP has been active in Sandworm operations since 2024. It’s not a server in the traditional sense. It’s a funnel.

And they’re masking their origin using SOHO routers.

Yep. Standard practice for them now, Tova. They hijack Ubiquiti and MikroTik routers to create a global mesh. It makes attribution an even bigger nightmare, because the attack looks like it’s coming from a local coffee shop or a small business next door.

This all sounds incredibly daunting for a CISO. If the malware is already inside and it doesn’t need to phone home in order to operate, how do we stop it?

So, as usual, we get to breach and attack simulation and continuous automated red teaming. Tova, this is exactly why point-in-time testing is dead. If you’ve only tested your perimeter once a year, and DynoWiper only emerged on the 29th of December, you’d be oblivious to this. You’re gonna miss the lateral movement that DynoWiper relies on.

Okay. So break it down for us. How does adversarial exposure validation, or AEV, change the game here, especially when you make sure you’re continuous?

So the component parts of continuous threat exposure management here: the BAS element is we can actually simulate the DynoWiper execution logic safely. We obviously don’t wipe your drives or your files, but we mimic the behavior. The heart of the storm here is behaviors. Technical details, IOCs, TTPs can change, but behaviors are much more likely to be consistent. The specific PowerShell one-liners, the staging in SYSVOL, the creation of the DW.exe process, DynoWiper.exe, that is, of course. Then the CART element is we use automated red teaming to see if our internal sensors, our EDR, our XDR, actually flag that lateral movement. Can an attacker move from a compromised router to your domain controller? And then explicitly adversarial exposure validation, this is the “so what” factor. It tells the CISO, here is exactly where Sandworm would succeed in your specific network.

So the takeaway here is to be proactive. You can’t just wait for the IOCs to hit the news. You have to be looking actively to make sure what you can do to protect yourself now.

Exactly. Research shows the warmup for these attacks happened months ago, back in December ’25. If you were validating your exposure then, you would have seen the holes they used to get in today. Cyber resilience is not just a state of being. It’s a constant process of validation. CTEM, Tova.

Couldn’t have said it better myself. Adrian, thank you for breaking down the DynoWiper research, and for providing me with the name for my next cocktail, the Mersenne Twister. Just saying, I wanna try to make one now. But to our listeners, don’t wait for the wiper to start its routine. You want to validate your exposure today. Turn off this episode, turn on your BAS and AEV platforms, and give it a go. Make sure that you’re protected. Please stay tuned for our regularly scheduled episode later this week. We’ll be continuing our deep dive into the Russian-backed nation-state threat actors. But in the meantime, stay safe. Stay safe with SafeBreach. Take care, everyone.

The Cyber Resilience Brief is the SafeBreach podcast. Executive produced by Adrian Culley and Tova Dvorin. Music produced by Sar Dressner. Hosted, edited, and compiled on Riverside. For more about SafeBreach and how you can validate your security controls across your entire IT infrastructure, visit us at www.safebreach.com. That’s w-w-w dot s-a-f-e-b-r-e-a-c-h dot com.