Report: 'Wiper' Malware Hit Casino Firm

Sony Pictures Hack May Not Have Been First Wiper Attack in U.S.
Report: 'Wiper' Malware Hit Casino Firm

The hacking of Sony Pictures Entertainment may not have been the first "wiper" malware attack in the U.S., as many researchers had reported.

See Also: Creating a User-Centric Authentication and Identity Platform for the Healthcare Industry

A new report from Bloomberg claims that Iranian hackers launched a cyber-attack against casino company Las Vegas Sands Corp. back in February using destructive wiper malware. The incident may have been retaliation for remarks made by the company's chairman and CEO, Sheldon Adelson, about using nuclear weapons against Iran, the report says.

These new claims come as Sony Pictures Entertainment works to bounce back from a massive cyber-attack against its systems that used wiper malware known as "Destover" or "Wipall" to infect and erase hard drives (see: Sony Hack: 'Destover' Malware Identified). Attackers also stole and have begun releasing many gigabytes - and potentially terabytes - of Sony data.

Figuring out which organization in the U.S. was the first to be hit by a wiper attack shouldn't be the focus, says Rick Holland, principal security analyst at Forrester Research. "I don't think there are any significant implications related to which one was first," he says.

Instead, the takeaway is that organizations "need to have wiper malware on their threat [radar]," Holland says. "Certainly those that are likely to be targeted by hacktivists need to consider this threat as more likely."

Before the U.S. incidents, previous wiper attacks were seen in the Middle East in 2012 and in South Korea in 2013 (see: Sony Hack: FBI Issues Malware Alert).

Casino Hacking Incident

The attackers who targeted Las Vegas Sands Corp. apparently started their campaign by hacking into the company's hotel and casino in Bethlehem, Pa., according to the Bloomberg report (see: Pennsylvania Casino Reports Data Breach).

Following the attack at the Bethlehem location, the attackers were able to find the login credentials of a senior computer systems engineer who normally worked at the company's headquarters, but whose password had been used in Bethlehem during a recent trip, Bloomberg reports.

Those credentials granted attackers access to the company's corporate servers in Las Vegas, where it operates The Venetian resort. Once they accessed those servers, they launched the wiper malware, which apparently shut down PCs and servers, and wiped many hard drives clean using wiper malware, according to the Bloomberg report. "It spread through the company's networks, laying waste to thousands of servers, desktop PCs and laptops," the report says. "Sands security staff members noticed logs showing that the hackers had been compressing batches of sensitive files," which indicated that the hackers may have downloaded large numbers of private documents, according to the news report.

While the company is still determining the amount of damage it suffered, the malware was able to wipe out about three quarters of its Las Vegas computer servers, according to Bloomberg, citing documents and interviews with individuals involved with the investigation.

Las Vegas Sands Corp. declined to comment on the details of the news report.

Defending Against Wiper Malware

A key lesson for organizations from these wiper attacks is to avoid assuming "that because they aren't a typical target of hacktivists that this couldn't happen to them," Holland at Forrester Researcher says. "One wrong public statement could draw the ire of hacktivists."

Defensive measures organizations can take include segmenting important information to hardened networks, backing up data and operations offsite and investing in appropriate resources to detect breaches quickly (see: Defending Against 'Wiper' Malware).

Another important action item is to include end-user workstations that conduct critical business functions in an organization's business continuity and disaster recovery plans. "This is often overlooked as firms hyper-focus on servers, not workstations," Holland says.


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network