T1485 is the endgame technique. It sits in the Impact tactic of the ATT&CK framework because it represents what happens when the adversary's objective is not espionage, not financial gain, and not persistent access — it is destruction. Wiper malware is designed to render data irrecoverable by overwriting files, corrupting storage structures, or leveraging legitimate administrative tools to erase systems at scale. The goal is to cause maximum operational disruption with no path to restoration beyond offline backups.
The frequency and severity of destructive attacks have escalated sharply. ESET investigated more than 10 incidents involving destructive malware attributed to Russia's Sandworm group in 2025 alone, almost all targeting Ukraine. Iran-linked groups, particularly Handala (Void Manticore), have expanded wiper operations beyond Israel to target U.S. and European organizations, with the March 2026 attack on Stryker Corporation representing one of the largest destructive cyber operations against a U.S. private-sector target in recent years. The emergence of cloud-native destruction techniques — including lifecycle policy manipulation to mass-delete S3 buckets and abuse of MDM platforms to remotely wipe managed devices — has expanded the attack surface beyond traditional on-premise environments.
How Data Destruction Works
Data destruction goes beyond simple file deletion. Operating system commands like del and rm remove only the file system pointers, leaving the underlying data intact and recoverable through forensic techniques. True data destruction requires overwriting the file contents with random data, zeroes, or in some cases politically motivated imagery, rendering the original data irrecoverable even with specialized tools.
Wiper malware typically follows a predictable operational sequence. First, the malware enumerates all accessible storage — local drives, mounted network shares, removable media, and in advanced variants, virtual machine datastores and cloud storage. Second, it disables recovery mechanisms: deleting Volume Shadow Copy Service (VSS) snapshots, corrupting the Master Boot Record (MBR), disabling Windows Recovery Environment, and destroying system restore points. Third, it overwrites or corrupts the targeted files, either selectively (targeting specific file types or directories) or indiscriminately (wiping everything accessible). Finally, advanced wipers may force a reboot to ensure the corrupted MBR or boot configuration takes effect, rendering the system unbootable.
To maximize impact across an organization, wiper malware frequently incorporates worm-like propagation capabilities. Wipers like Shamoon, NotPetya, and HermeticWiper leveraged techniques including credential dumping (T1003), exploitation of SMB/Windows Admin Shares (T1021.002), and abuse of Active Directory Group Policy to deploy destructive payloads to every domain-joined machine simultaneously. This combination of destruction and propagation is what transforms a single infected host into an organization-wide catastrophe.
Sub-Techniques
T1485.001 — Lifecycle-Triggered Deletion
Added in ATT&CK v18, this sub-technique addresses a cloud-native destruction method. Adversaries with sufficient permissions can modify the lifecycle policies of cloud storage buckets to automatically delete all objects after a specified period — as short as one day. In AWS, an attacker with PutLifecycleConfiguration permissions can apply a policy to an S3 bucket that schedules all objects for deletion. The same approach works in Azure Blob Storage and Google Cloud Storage. This technique is particularly insidious because it uses the cloud platform's own management features rather than external tools, and the deletion occurs on the platform's schedule rather than immediately — which can delay detection. Attackers have also used this technique against buckets storing CloudTrail logs to destroy evidence of their activities.
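A defender-side check for the lifecycle abuse described above, as an added example that is not from the ATT&CK page or from AWS: it audits the dict that boto3's get_bucket_lifecycle_configuration() returns and flags enabled rules whose expiration is short enough to act as a scheduled purge. The sample configuration is constructed and the 7-day threshold is an assumed review policy.

```python
"""Audit an S3 lifecycle configuration for rules that could act as a
mass-deletion mechanism (T1485.001).

Added example, not from the ATT&CK page or from AWS. The input is the dict
shape that boto3's get_bucket_lifecycle_configuration() returns; the sample
configuration below is constructed, and the 7-day threshold is an assumed
review policy, not an AWS or ATT&CK value.
"""
from dataclasses import dataclass

SUSPICIOUS_MAX_DAYS = 7  # assumed: expirations this short warrant review


@dataclass(frozen=True)
class Finding:
    rule_id: str
    reason: str


def _scope(rule: dict) -> str:
    # A rule whose filter has no prefix (or an empty one) applies to every object.
    prefix = rule.get("Filter", {}).get("Prefix") or rule.get("Prefix")
    return prefix or "<entire bucket>"


def audit_lifecycle(config: dict, max_days: int = SUSPICIOUS_MAX_DAYS) -> list:
    """Return a Finding for each enabled rule that can delete data quickly."""
    findings = []
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue  # disabled rules do nothing until someone re-enables them
        rid, scope = rule.get("ID", "<no id>"), _scope(rule)
        exp = rule.get("Expiration", {})
        if "Days" in exp and exp["Days"] <= max_days:
            findings.append(Finding(rid, f"current objects expire after {exp['Days']} day(s) in {scope}"))
        if "Date" in exp:
            findings.append(Finding(rid, f"current objects expire on fixed date {exp['Date']} in {scope}"))
        # A short noncurrent-version expiry defeats the protection versioning provides.
        ndays = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
        if ndays is not None and ndays <= max_days:
            findings.append(Finding(rid, f"noncurrent versions expire after {ndays} day(s) in {scope}"))
    return findings


# Constructed sample: a normal archival rule, a bucket-wide 1-day purge, and a disabled rule.
SAMPLE_CONFIG = {"Rules": [
    {"ID": "archive-logs", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
     "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}], "Expiration": {"Days": 365}},
    {"ID": "cleanup", "Status": "Enabled", "Filter": {},
     "Expiration": {"Days": 1}, "NoncurrentVersionExpiration": {"NoncurrentDays": 1}},
    {"ID": "old-test", "Status": "Disabled", "Filter": {"Prefix": "tmp/"}, "Expiration": {"Days": 1}},
]}

if __name__ == "__main__":
    for f in audit_lifecycle(SAMPLE_CONFIG):
        print(f"[{f.rule_id}] {f.reason}")
```

Run it periodically against every bucket's live configuration and diff the findings against a known-good baseline; a new bucket-wide rule with a one-day expiry is the signal this sub-technique leaves.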
Major Wiper Malware Families
The following table catalogs significant wiper malware families by chronology, attribution, and operational characteristics:
| Wiper | Year | Attribution | Target / Impact |
|---|---|---|---|
| Shamoon | 2012, 2016, 2018 | Iran (APT33) | Saudi Aramco — 30,000 workstations destroyed; returned in 2016 and 2018 targeting energy and government sectors |
| NotPetya | 2017 | Russia (Sandworm) | Global — spread via compromised M.E.Doc supply chain; $10B+ in damages; disguised as ransomware with no recovery capability |
| Olympic Destroyer | 2018 | Russia (Sandworm) | 2018 Winter Olympics IT infrastructure in Pyeongchang; designed with false flags to misdirect attribution |
| WhisperGate | 2022 | Russia (Cadet Blizzard) | Ukrainian government organizations; disguised as ransomware but overwrote MBR with no decryption capability |
| HermeticWiper | 2022 | Russia (Sandworm) | Ukrainian organizations; deployed hours before the physical invasion; abused legitimate EaseUS Partition Master driver for disk corruption |
| CaddyWiper | 2022 | Russia (Sandworm) | Ukrainian organizations; compiled just two hours before deployment, indicating rapid operational tempo |
| AcidRain / AcidPour | 2022, 2024 | Russia (Sandworm) | AcidRain wiped Viasat KA-SAT modems across Europe; AcidPour (2024) expanded to Linux x86, targeting IoT, SANs, and ICS devices |
| PathWiper | 2025 | Russia (Sandworm) | Ukrainian critical infrastructure; deployed via compromised endpoint administration system; targeted physical drives, dismounted volumes, and network shares |
| DynoWiper | 2025 | Russia (Sandworm) | Polish energy company — first overt Sandworm destructive attack on a NATO member; blocked by EDR before full execution |
Real-World Case Studies
Sandworm's Decade of Destruction — From NotPetya to DynoWiper
Russia's Sandworm group (APT44 / GRU Unit 74455) has deployed more distinct wiper families than any other threat actor in history. Since the onset of the Russia-Ukraine conflict in 2022, Sandworm has unleashed at least 20 distinct destructive malware families against Ukrainian targets, including HermeticWiper, CaddyWiper, WhisperGate, IsaacWiper, DoubleZero, AcidRain, Prestige, SwiftSlicer, NikoWiper, ZEROLOT, ZOV, and PathWiper. The group's standard deployment method involves gaining Domain Admin privileges, then using Active Directory Group Policy to push wiper payloads to every machine in the domain simultaneously.
In December 2025, Sandworm extended its destructive operations beyond Ukraine for the first time in the current conflict, deploying the DynoWiper malware against a Polish energy company. The attack represented a significant escalation — the first overt destructive strike against a NATO member's energy infrastructure by a Russian state actor. ESET's endpoint protection blocked execution, limiting the damage, but the operational intent was unmistakable. Analysis showed the attackers built and rebuilt the wiper three times in rapid succession as each attempt was blocked, demonstrating the persistence of the operational directive.
Handala's Wiper Campaign — Iran Targets U.S. Critical Infrastructure (2026)
On March 11, 2026, the Iran-linked group Handala (Void Manticore) executed a destructive wiper attack against Stryker Corporation, a $25 billion medical technology company with operations in 79 countries and approximately 56,000 employees. The attackers compromised administrator accounts and weaponized Microsoft Intune — Stryker's own cloud-based mobile device management platform — to issue remote wipe commands to all connected devices. Over 200,000 servers, laptops, mobile devices, and other systems were reported wiped. Employees worldwide saw their work-issued devices erased, with login screens displaying the Handala logo.
The technique was a textbook living-off-the-land approach to destruction: rather than deploying custom wiper malware that might trigger endpoint detection, the attackers used the legitimate administrative capabilities of the MDM platform to achieve the same result. Because the wipe commands originated from a trusted management system, traditional security controls did not intercept them. The attack came 11 days after joint U.S.-Israeli military strikes on Iran began and was framed by Handala as retaliation. Israel's National Cyber Directorate had issued a warning on March 6 about Iranian-linked attackers infiltrating corporate networks and deleting servers and workstations.
The Stryker attack represents a paradigm shift: the attackers did not deploy malware. They used the organization's own administrative infrastructure as the weapon. Any organization with an MDM, endpoint management, or cloud administration platform must treat administrative access to those systems as equivalent to root access to every device they manage. A compromised MDM admin account is a wiper with a GUI.
NotPetya — The $10 Billion Wiper Disguised as Ransomware
NotPetya remains the costliest destructive cyberattack in history. In June 2017, Sandworm compromised the update mechanism for M.E.Doc, a Ukrainian tax accounting application used by nearly every business operating in Ukraine, and distributed the NotPetya wiper through a routine software update. The malware spread laterally using the EternalBlue exploit and stolen credentials, propagating across networks at extraordinary speed. Despite displaying a ransom demand, NotPetya had no functional decryption capability — it was a wiper masquerading as ransomware to misdirect initial response efforts.
The damage extended far beyond Ukraine. Maersk, the world's largest container shipping company, lost nearly all of its 49,000 laptops, most of its 3,500 servers, and the entirety of its Active Directory infrastructure. The company continued operations using paper-based processes for 10 days. Merck, FedEx (through its TNT Express subsidiary), Mondelez, and Saint-Gobain each suffered hundreds of millions of dollars in losses. Total global damages exceeded $10 billion.
Shamoon — The Original Mass-Destruction Wiper
In August 2012, the Shamoon wiper (also known as Disttrack) destroyed approximately 30,000 workstations at Saudi Aramco, the world's largest oil company, in a single coordinated operation. The malware overwrote the MBR and file contents with a fragment of a burning American flag. The attack forced Saudi Aramco to operate on paper for weeks and required the company to purchase a substantial portion of the global supply of hard drives to rebuild. Shamoon returned in 2016 and 2018 with updated variants targeting energy and government organizations across the Middle East and Europe. Shamoon is attributed to Iranian threat actors (APT33 / Elfin), and its repeated use established the template for state-sponsored destructive operations that continues to this day.
AcidRain and AcidPour — Wiping the Edge
On February 24, 2022 — the day Russia invaded Ukraine — the AcidRain wiper targeted Viasat's KA-SAT satellite modems, knocking thousands of broadband terminals offline across Ukraine and Europe. Unlike traditional wipers that target Windows workstations, AcidRain was compiled for MIPS-based embedded devices, reflecting a deliberate focus on operational technology and communications infrastructure. In March 2024, SentinelOne identified AcidPour, a significantly more capable variant compiled for x86 Linux, with expanded targeting logic for IoT devices, storage area networks, and industrial control systems. The evolution from AcidRain to AcidPour demonstrated Sandworm's systematic expansion of destructive capabilities beyond traditional IT environments into embedded and OT systems.
Detection Strategies
Detecting data destruction in progress requires monitoring for the precursor activities that wipers perform before the actual data overwriting begins. Once the wipe is underway, the window for intervention is extremely narrow.
Key Indicators
| Indicator | What to Monitor | Context |
|---|---|---|
| VSS Deletion | `vssadmin.exe delete shadows /all /quiet` or equivalent WMI calls | Nearly every wiper and ransomware deletes shadow copies as a precursor to destruction; this is a high-fidelity early warning |
| MBR Modification | Direct writes to `\\.\PhysicalDrive0` via raw disk I/O (Sysmon Event ID 9) | Legitimate processes rarely write directly to the physical disk; HermeticWiper and WhisperGate both modified the MBR |
| Mass File Modification | Rapid high-volume write operations across multiple directories (Sysmon Event ID 11, 2) | Wipers overwriting files generate anomalous I/O patterns; monitor for sustained high write rates to user directories and system paths |
| GPO Deployment | New or modified Group Policy Objects pushing executables or scripts (Event ID 5136, 5137) | Sandworm's standard deployment vector; a new GPO that pushes an unknown executable to all machines is a critical alert |
| Cloud Storage Deletion | AWS `DeleteBucket`, `PutBucketLifecycle`; Azure Delete Blob Container in rapid succession | Mass cloud storage deletion or lifecycle policy changes affecting multiple buckets in a short window indicate destructive intent |
| MDM Abuse | Bulk remote wipe commands from Intune, Workspace ONE, or other MDM platforms | The Stryker attack demonstrated MDM as a destruction vector; monitor for mass wipe commands, especially outside maintenance windows |
Splunk Detection Queries
Detect Volume Shadow Copy deletion, the single most reliable precursor to both wiper and ransomware attacks:
```
# Detect VSS deletion — high-fidelity precursor to data destruction
index=sysmon EventCode=1
| search (process_name="vssadmin.exe" AND CommandLine="*delete*shadows*")
    OR (process_name="wmic.exe" AND CommandLine="*shadowcopy*delete*")
    OR (process_name="powershell.exe" AND CommandLine="*Win32_ShadowCopy*")
    OR (process_name="wbadmin.exe" AND CommandLine="*delete*catalog*")
| stats count by dest, user, parent_image, process_name, CommandLine
| where count >= 1
```
Detect abnormal mass file write activity that may indicate wiper execution:
```
# Detect mass file overwrite patterns consistent with wiper activity
index=sysmon EventCode=11
| bucket _time span=60s
| stats count as files_created dc(TargetFilename) as unique_files by _time, dest, Image
| where files_created > 500 AND unique_files > 200
| sort - files_created
```
Monitor for suspicious Group Policy modifications that may be used for wiper deployment:
```
# Detect GPO modifications deploying new scripts or executables
# Parentheses keep the OR scoped to EventCode rather than to the index filter
index=wineventlog (EventCode=5136 OR EventCode=5137)
| search ObjectClass="groupPolicyContainer"
    AND (AttributeValue="*.exe" OR AttributeValue="*.bat"
         OR AttributeValue="*.ps1" OR AttributeValue="*.vbs")
# stats drops _time, so carry the earliest timestamp through explicitly
| stats count min(_time) as first_seen by SubjectUserName, ObjectDN, AttributeValue, dest
| convert ctime(first_seen)
| table first_seen, SubjectUserName, ObjectDN, AttributeValue, dest, count
```
The window between wiper activation and total data loss is measured in minutes. Automated response is essential — if your detection pipeline requires a human analyst to review an alert before taking action, the data will be gone before the analyst opens the ticket. Configure automated isolation (network quarantine, account lockout, MDM command revocation) for high-confidence wiper indicators like VSS deletion combined with mass file writes.
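The correlation the paragraph above calls for, as an added example that is not from the page or from Splunk: shadow-copy deletion on a host, followed within a short gap by the mass-write pattern of the second query, yields the host list an automated isolation step would act on. The events are constructed dicts mirroring the Sysmon fields used in the queries; the thresholds come from those queries and the 10-minute correlation gap is assumed.

```python
"""Correlate the page's two high-fidelity wiper precursors on one host:
shadow-copy deletion (Sysmon Event ID 1) followed by a burst of file writes
(Sysmon Event ID 11), producing the set of hosts to isolate automatically.
Added example, not from the page or from Splunk. Events are constructed
dicts that mirror the Sysmon fields the queries above use; thresholds
(500 writes / 200 unique files per 60 s) match the queries, and the
10-minute correlation gap is assumed.
"""
import re
from collections import defaultdict

# The same four command patterns as the VSS-deletion query above.
VSS_PATTERNS = [
    ("vssadmin.exe", re.compile(r"delete.*shadows", re.I)),
    ("wmic.exe", re.compile(r"shadowcopy.*delete", re.I)),
    ("powershell.exe", re.compile(r"Win32_ShadowCopy", re.I)),
    ("wbadmin.exe", re.compile(r"delete.*catalog", re.I)),
]

def is_vss_deletion(ev: dict) -> bool:
    """True for a process-creation event whose image and command line match."""
    if ev["event_code"] != 1:
        return False
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    return any(image == name and rx.search(ev["cmd"]) for name, rx in VSS_PATTERNS)

def mass_write_windows(events, span=60, min_files=500, min_unique=200) -> dict:
    """Map (host, image, window_start) -> (writes, unique targets) over thresholds."""
    writes, targets = defaultdict(int), defaultdict(set)
    for ev in events:
        if ev["event_code"] == 11:
            key = (ev["host"], ev["image"], ev["time"] - ev["time"] % span)
            writes[key] += 1
            targets[key].add(ev["target"])
    return {k: (writes[k], len(targets[k])) for k in writes
            if writes[k] > min_files and len(targets[k]) > min_unique}

def hosts_to_isolate(events, span=60, max_gap=600) -> set:
    """Hosts where a VSS deletion precedes a mass-write window by <= max_gap s."""
    vss_times = defaultdict(list)
    for ev in events:
        if is_vss_deletion(ev):
            vss_times[ev["host"]].append(ev["time"])
    isolate = set()
    for (host, _image, start), _ in mass_write_windows(events, span).items():
        if any(t - span <= start <= t + max_gap for t in vss_times[host]):
            isolate.add(host)
    return isolate

def sample_events() -> list:
    """Constructed log: a lone backup-job VSS command on WS02, wiper-like activity on WS01."""
    t0 = 1_700_000_000
    vss = r"C:\Windows\System32\vssadmin.exe"
    evs = [{"time": t0, "host": "WS02", "event_code": 1, "image": vss,
            "cmd": "vssadmin.exe delete shadows /for=C: /oldest"},
           {"time": t0 + 120, "host": "WS01", "event_code": 1, "image": vss,
            "cmd": "vssadmin.exe delete shadows /all /quiet"}]
    evs += [{"time": t0 + 130 + i // 20, "host": "WS01", "event_code": 11,
             "image": r"C:\Users\Public\updater.exe",
             "target": rf"C:\Users\alice\Documents\doc{i}.docx"} for i in range(600)]
    return evs

if __name__ == "__main__":
    print("isolate:", sorted(hosts_to_isolate(sample_events())))  # ['WS01']
```

WS02 shows why the VSS event alone should page rather than quarantine: a backup job trims shadow copies too, and only the follow-on write burst on WS01 justifies pulling the host off the network without a human in the loop.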
Known Threat Actors
The following threat groups have been documented as employing T1485 Data Destruction techniques:
- Sandworm / APT44 (Russia, GRU Unit 74455) — The most prolific deployer of wiper malware in history; responsible for NotPetya, HermeticWiper, CaddyWiper, AcidRain, PathWiper, DynoWiper, and at least 15 other distinct destructive malware families
- Handala / Void Manticore (Iran, MOIS) — Wiper and hack-and-leak operations against Israel, the U.S., and Albania; the Stryker attack (March 2026) using MDM abuse; historically operated as Homeland Justice and Karma personas
- APT33 / Elfin (Iran) — Shamoon wiper campaigns against Saudi Aramco and Middle Eastern energy/government targets across three major waves (2012, 2016, 2018)
- Agrius / Pink Sandstorm (Iran, MOIS) — Deployed Apostle and Fantasy wipers disguised as ransomware against Israeli targets; evolved from espionage to destruction
- Lazarus Group (North Korea) — Destructive attacks against Sony Pictures Entertainment (2014); destructive capabilities demonstrated across financial and media sector targets
- APT38 (North Korea) — Deployed destructive malware against financial institutions after completing theft operations to destroy evidence and delay investigation
- Cadet Blizzard / Ember Bear (Russia) — WhisperGate deployment against Ukrainian government organizations in January 2022, weeks before the physical invasion
- Indra (Anti-Iran hacktivist) — Deployed Meteor wiper against Iranian railway and government systems in 2021
Defensive Recommendations
Data destruction is an irreversible event. If your defenses fail, the only recovery path is offline backups. Every recommendation below is designed either to prevent wiper deployment, detect it before it completes, or ensure recovery is possible after it succeeds.
- Maintain offline, immutable backups: This is the single most important control against data destruction. Backups must be stored offline or in immutable storage that cannot be modified or deleted by an attacker who has compromised administrative credentials. Test restoration procedures regularly. Wipers like NotPetya destroyed backup servers that were reachable on the network.
- Implement network segmentation and admin tiering: Sandworm's standard deployment method requires Domain Admin access to push GPOs. Tiered administration models that separate workstation, server, and domain controller administrative credentials limit the blast radius. An attacker with workstation admin privileges should not be able to push GPOs or wipe domain controllers.
- Harden MDM and endpoint management platforms: The Stryker attack demonstrated that MDM admin accounts are equivalent to root access on every managed device. Enforce phishing-resistant MFA on all MDM administrator accounts. Implement just-in-time access for destructive MDM capabilities (remote wipe, factory reset). Monitor for bulk wipe commands and require multi-party approval for mass device actions.
- Deploy automated response for high-fidelity indicators: VSS deletion combined with mass file writes should trigger automated network isolation without waiting for human review. The time from wiper activation to total data loss is measured in minutes — manual triage is too slow.
- Protect Volume Shadow Copies: Configure tamper protection on VSS. Restrict which processes and users can execute `vssadmin.exe` and `wmic.exe shadowcopy delete` commands. Monitor for and alert on any VSS deletion activity as a high-priority event.
- Monitor for anomalous Group Policy changes: Implement real-time alerting on GPO creation and modification, particularly GPOs that deploy executables, scripts, or scheduled tasks to large numbers of machines. Sandworm's wiper deployment via GPO is well-documented and remains the primary distribution mechanism.
- Secure cloud storage with versioning and deletion locks: Enable object versioning and MFA Delete on S3 buckets and equivalent protections in Azure and GCP. Implement SCPs (Service Control Policies) or organizational policies that prevent lifecycle policy modifications on critical storage. Monitor CloudTrail for `PutBucketLifecycle` and `DeleteBucket` events.
- Develop and exercise a wiper-specific incident response playbook: A wiper incident is fundamentally different from a data breach or ransomware event. The response priority is stopping propagation (network isolation, credential rotation, GPO rollback) before assessing damage. Practice this scenario with tabletop exercises that assume total loss of Active Directory and domain controllers.
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1485 |
| Technique Name | Data Destruction |
| Tactics | Impact |
| Platforms | Windows, Linux, macOS, IaaS, SaaS, Containers |
| Sub-Techniques | T1485.001 Lifecycle-Triggered Deletion |
| Data Sources | File (Modification, Deletion), Process (Creation), Command (Execution), Cloud Storage (Modification, Deletion), Drive (Modification) |
| Mitigations | Data Backup (M1053) |
| Related Techniques | T1561 Disk Wipe, T1490 Inhibit System Recovery, T1529 System Shutdown/Reboot, T1565 Data Manipulation |
| MITRE Reference | attack.mitre.org/techniques/T1485 |
Sources and References
- MITRE ATT&CK — T1485 Data Destruction: attack.mitre.org
- ESET Research — DynoWiper Technical Analysis and Attribution: welivesecurity.com
- Check Point Research — Handala Hack: Unveiling the Group's Modus Operandi: research.checkpoint.com
- Palo Alto Networks Unit 42 — March 2026 Escalation of Cyber Risk Related to Iran: unit42.paloaltonetworks.com
- CISA — Destructive Malware Targeting Organizations in Ukraine (AA22-057A): cisa.gov
- SentinelOne — AcidPour: New Embedded Wiper Variant of AcidRain: sentinelone.com
- Fortinet — An Overview of the Increasing Wiper Malware Threat: fortinet.com
- Splunk — Using Attack Range to Test and Detect Data Destruction (T1485): splunk.com