A destructive malware campaign deploying a wiper tracked as Lotus Wiper has been identified against Venezuelan state energy infrastructure, including PDVSA (Petróleos de Venezuela) and electricity generation facilities operated by CORPOELEC. Unlike opportunistic ransomware deployments, Lotus Wiper includes OT-specific logic that identifies industrial control system components before executing its destructive payload, making it one of the few wipers with confirmed ICS-aware targeting capability outside of major nation-state campaigns such as Industroyer, Triton and Sandworm's wider operations.
Lotus Wiper Technical Characteristics
Lotus Wiper is a modular wiper with a staged destruction sequence:
Stage 1 — Reconnaissance and ICS profiling: The malware enumerates installed software matching OT vendor signatures including GE iFIX, Wonderware (AVEVA InTouch), OSIsoft PI (now AVEVA PI), Honeywell Experion, and Siemens WinCC. It also queries Windows registry paths associated with common SCADA and HMI platforms and enumerates active OPC-UA and OPC-DA connections.
Stage 2 — Targeted ICS data destruction: For identified OT software installations, Lotus Wiper overwrites historian databases, tag configuration files, and alarm configuration stores. For OSIsoft/AVEVA PI deployments, the malware specifically targets the PI Data Archive (piarchss.exe process and associated .arc files) — destroying years of process data. HMI project files (.gfx, .app, .adb) are overwritten with random data before file system destruction begins.
Stage 3 — System wiper: After ICS-specific destruction, Lotus Wiper executes a conventional MBR overwrite and partition table corruption, rendering the host non-bootable. The malware uses direct disk I/O to bypass file system drivers, similar to techniques observed in WhisperGate and HermeticWiper.
Stage 4 — Network lateral movement attempt: Although listed last, this stage runs before the destructive stages execute. The malware attempts to spread via SMB to hosts reachable through the ICS engineering workstation's network routing tables, prioritising hosts whose names match patterns associated with OT/ICS systems (strings such as “HMI”, “EWS”, “HIST”, “SCADA” and “SRV”).
ICS-Specific Impact
The OT-aware destruction sequence is significant because it targets the components most difficult to recover from backup:
- Process historian data is often not backed up with the same frequency or completeness as IT systems — years of operational data for compliance and maintenance purposes may be unrecoverable
- HMI and SCADA configuration files represent months of engineering effort to configure for specific plant conditions; even if backed up, restoring them requires validating against current plant state
- Tag and alarm configurations encode operational knowledge about safe operating envelopes; restoring them incorrectly can itself introduce safety risks during recovery
The energy sector targeting is consistent with a pattern of sabotage operations designed to disrupt both immediate operations and long-term recovery capacity.
Attribution Assessment
No government authority had formally attributed the campaign at the time of writing. Dragos tracks the intrusion activity cluster as an unnamed group, and the malware itself contains no attribution artefacts. Venezuela’s PDVSA has publicly attributed infrastructure disruptions to “external sabotage”, a claim the Venezuelan government has made during previous infrastructure incidents without independent verification. Researchers note technical similarities with tooling previously observed in Iranian-nexus campaigns against Middle Eastern energy infrastructure, but that evidence is currently assessed at low-to-medium confidence.
Defensive Implications for OT Environments
Lotus Wiper’s ICS profiling capability underlines why OT/IT network segmentation must be enforced at the network layer, not merely at the policy level:
Engineering workstation isolation: Engineering workstations (EWS) should have no network path to IT domains. An EWS that can reach IT SMB shares, or be reached from IT networks, provides exactly the lateral movement path this malware uses. Enforce firewall rules that allow only the OT protocols the EWS actually requires (for example OPC-UA, Modbus, DNP3 and the vendor's own engineering protocol), scoped to specific source and destination hosts, and that explicitly deny SMB (TCP 445) to and from EWS hosts in both directions.
Historian and configuration backup integrity: OT historian databases should be backed up to offline or air-gapped media on a daily or shift-based cycle. Backups must be validated — not merely completed — and stored in a network-isolated location the historian server cannot write to directly.
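As an added example of the "validated, not merely completed" requirement (this is not code from the article or from any historian vendor), the Python below builds a SHA-256 manifest of a backup set at backup time, keeps it in a directory standing in for offline media, and later verifies the set against it, reporting files that are missing, altered or unexpected. File names and contents are constructed placeholders, not real PI archive structures.

```python
"""Build and verify a SHA-256 manifest for an OT historian backup set.

Added example, not code from the article or any historian vendor. The manifest is written when
the backup is taken and must live where the historian host cannot write (separate media or a
write-once store); verify_backup() then proves each file is byte-identical, not merely present.
File names and contents below are constructed placeholders, not real archive structures.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's '/'-separated relative path to its size and SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_file(p)}
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare a backup tree with a trusted manifest; three empty lists mean it validates."""
    current = build_manifest(root)
    return {
        "missing": sorted(n for n in manifest if n not in current),
        "modified": sorted(n for n in manifest if n in current and current[n]["sha256"] != manifest[n]["sha256"]),
        "unexpected": sorted(n for n in current if n not in manifest),
    }


def demo():
    """Back up, store the manifest 'offline', verify, then damage the set the way a wiper would
    (random overwrite, deletion, stray file) and verify again. Returns (clean, damaged) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "historian_backup"
        offline = Path(tmp) / "offline_store"  # stands in for media the historian host cannot write
        (backup / "arc").mkdir(parents=True)
        offline.mkdir()
        (backup / "arc" / "archive_0001.arc").write_bytes(b"constructed archive 1 " + bytes(range(256)) * 16)
        (backup / "arc" / "archive_0002.arc").write_bytes(b"constructed archive 2 " + bytes(range(255, -1, -1)) * 16)
        (backup / "tags.csv").write_text("TagName,EngUnits,Zero,Span\nFT-101.PV,m3/h,0,500\n")
        (offline / "manifest.json").write_text(json.dumps(build_manifest(backup), indent=1))

        trusted = json.loads((offline / "manifest.json").read_text())  # read back from the offline copy
        clean = verify_backup(backup, trusted)

        (backup / "arc" / "archive_0001.arc").write_bytes(os.urandom(4118))  # same size, random content
        (backup / "tags.csv").unlink()
        (backup / "stray.tmp").write_bytes(b"\x00" * 16)
        return clean, verify_backup(backup, trusted)


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    print("after damage:", after)
```

The overwritten archive keeps its original size, so a size-only or "job completed" check passes while the hash comparison fails. The check is only as trustworthy as the manifest's storage: if the historian host, or an account it runs as, can rewrite manifest.json, a wiper with that access can make a damaged backup validate. Keep the manifest with the offline copy or in a write-once store and run the verification from a host outside the historian's trust boundary.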
OT-specific endpoint protection: Deploy EDR or ICS-specific endpoint security on EWS and HMI hosts. While Lotus Wiper’s direct disk I/O techniques may bypass file-system-level monitoring, process creation and privilege escalation events in Stage 1 are detectable with appropriate EDR configuration.
Detect ICS software enumeration: Unusual registry queries against ICS vendor software keys (e.g., HKLM\SOFTWARE\Wonderware, HKLM\SOFTWARE\OSIsoft, and their WOW6432Node equivalents for 32-bit installers) or unexpected enumeration of, or handle requests to, OT-related processes are early-warning indicators of ICS-targeting reconnaissance. Note that registry reads are not logged by default: Sysmon records key and value writes but not queries, so detecting this stage requires either EDR telemetry or Windows object access auditing with a SACL on the vendor keys, which produces Security event 4663 when a process queries them.
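As an added example (not code from the article, from Dragos or from any vendor), the following Python turns the indicators above, together with the Stage 1 profiling and Stage 4 SMB spreading described earlier, into two correlation rules run over constructed endpoint telemetry: a process that reads two or more distinct ICS vendor registry keys, or reads one and opens a handle to an ICS process such as piarchss.exe, inside a five-minute window; and a process that opens SMB to three or more distinct hosts whose names match the OT patterns the malware prioritises. The normalised event shape (Windows Security 4663 and Sysmon event 3/10 records), the vendor markers other than Wonderware and OSIsoft, the process names other than piarchss.exe, the allow-listed install paths and the thresholds are all assumptions; the sample events are constructed, not taken from any incident.

```python
"""Flag ICS-profiling reconnaissance and OT-named SMB fan-out in endpoint telemetry.
Added example, not code from the article or any vendor. Input: already-normalised event dicts
(assumed shape: one per Windows Security 4663 registry-access record or Sysmon event 3/10 record).
Registry reads surface as 4663 only with a SACL auditing Query Value on the keys; Sysmon logs writes only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lower-case fragments identifying ICS vendor software in registry paths; Wonderware and OSIsoft
# come from the article, the rest are assumptions.
ICS_REGISTRY_MARKERS = ("\\wonderware", "\\osisoft", "\\pisystem", "\\aveva", "\\wincc", "\\honeywell", "\\intellution")
# Sysmon event 10 TargetImage names a profiler may open; only piarchss.exe is from the article.
ICS_PROCESS_NAMES = {"piarchss.exe", "pinetmgr.exe", "view.exe"}
# Hostname fragments the article says the malware prioritises when spreading over SMB.
OT_HOST_PATTERN = re.compile(r"HMI|EWS|HIST|SCADA|SRV", re.IGNORECASE)
# Assumed install prefixes whose binaries legitimately touch ICS keys; weak alone, pair with signer checks.
ALLOWED_IMAGE_PREFIXES = ("c:\\program files\\pipc\\", "c:\\program files (x86)\\wonderware\\")
WINDOW = timedelta(minutes=5)

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def _vendor_marker(object_name):
    return next((m.lstrip("\\") for m in ICS_REGISTRY_MARKERS if m in object_name.lower()), None)

def _first_window_hit(observations, predicate):
    """Slide WINDOW over time-sorted (ts, ...) tuples; return the first window satisfying predicate."""
    observations.sort(key=lambda o: o[0])
    for i, first in enumerate(observations):
        window = [o for o in observations[i:] if o[0] - first[0] <= WINDOW]
        if predicate(window):
            return window

def detect_ics_profiling(events, min_vendors=2):
    """Alert per (host, pid, image) reading >= min_vendors vendor keys, or one key plus an ICS process handle."""
    per_proc = defaultdict(list)
    for e in events:
        key = (e["host"], e["pid"], e["image"])
        if e["event_id"] == 4663 and e.get("object_type") == "Key":
            marker = _vendor_marker(e["object_name"])
            if marker:
                per_proc[key].append((e["ts"], "reg", marker))
        elif e["event_id"] == 10 and _basename(e.get("target_image", "")) in ICS_PROCESS_NAMES:
            per_proc[key].append((e["ts"], "proc", _basename(e["target_image"])))

    def suspicious(window):
        vendors = {v for _, kind, v in window if kind == "reg"}
        procs = {v for _, kind, v in window if kind == "proc"}
        return len(vendors) >= min_vendors or bool(vendors and procs)

    alerts = []
    for (host, pid, image), obs in per_proc.items():
        if image.lower().startswith(ALLOWED_IMAGE_PREFIXES):
            continue  # the vendor's own binaries touching their own keys and processes
        hit = _first_window_hit(obs, suspicious)
        if hit:
            alerts.append({"rule": "ics_profiling", "host": host, "pid": pid, "image": image,
                           "vendors": sorted({v for _, k, v in hit if k == "reg"}),
                           "processes": sorted({v for _, k, v in hit if k == "proc"})})
    return alerts

def detect_smb_fanout(events, min_hosts=3):
    """Alert per (host, pid, image) opening TCP 445 to >= min_hosts distinct OT-named hosts in one WINDOW."""
    per_proc = defaultdict(list)
    for e in events:
        name = e.get("dst_hostname") or ""
        if e["event_id"] == 3 and e.get("dst_port") == 445 and OT_HOST_PATTERN.search(name):
            per_proc[(e["host"], e["pid"], e["image"])].append((e["ts"], name.upper()))
    alerts = []
    for (host, pid, image), obs in per_proc.items():
        hit = _first_window_hit(obs, lambda w: len({n for _, n in w}) >= min_hosts)
        if hit:
            alerts.append({"rule": "ot_smb_fanout", "host": host, "pid": pid, "image": image,
                           "targets": sorted({n for _, n in hit})})
    return alerts

# Constructed telemetry from one engineering workstation; not from any real incident.
_T, _EWS, _RECON = datetime.fromisoformat, "EWS-01", "C:\\Users\\Public\\upd.exe"
SAMPLE_EVENTS = [
    # PI's own network manager touching its own key: allow-listed, must not alert.
    {"ts": _T("2024-05-01T02:00:00"), "host": _EWS, "event_id": 4663, "object_type": "Key", "pid": 2104,
     "image": "C:\\Program Files\\PIPC\\bin\\pinetmgr.exe", "object_name": "\\REGISTRY\\MACHINE\\SOFTWARE\\PISystem\\PI"},
    # Unknown binary reads two vendor keys, then opens a handle to the PI archive subsystem.
    {"ts": _T("2024-05-01T02:10:00"), "host": _EWS, "event_id": 4663, "object_type": "Key", "pid": 5512,
     "image": _RECON, "object_name": "\\REGISTRY\\MACHINE\\SOFTWARE\\Wonderware"},
    {"ts": _T("2024-05-01T02:10:02"), "host": _EWS, "event_id": 4663, "object_type": "Key", "pid": 5512,
     "image": _RECON, "object_name": "\\REGISTRY\\MACHINE\\SOFTWARE\\OSIsoft"},
    {"ts": _T("2024-05-01T02:10:05"), "host": _EWS, "event_id": 10, "pid": 5512, "image": _RECON,
     "target_image": "C:\\Program Files\\PIPC\\bin\\piarchss.exe"},
    # Same binary opens SMB to OT-named hosts; the corporate file server does not match the pattern.
    *({"ts": _T(t), "host": _EWS, "event_id": 3, "pid": 5512, "image": _RECON, "dst_port": 445, "dst_hostname": h}
      for t, h in (("2024-05-01T02:11:00", "hmi-01.ot.local"), ("2024-05-01T02:11:01", "hist-01.ot.local"),
                   ("2024-05-01T02:11:03", "scada-srv2.ot.local"), ("2024-05-01T02:11:04", "fs01.corp.local"))),
]

if __name__ == "__main__":
    for alert in detect_ics_profiling(SAMPLE_EVENTS) + detect_smb_fanout(SAMPLE_EVENTS):
        print(alert)
```

Running the module prints one ics_profiling alert and one ot_smb_fanout alert for the constructed upd.exe process and nothing for the allow-listed PI service. The path allow-list is deliberately the weakest part: in production, key it on signer and hash rather than path, and tune the window and thresholds against a baseline of what the vendor software does at service start, when it legitimately reads its own keys and opens its own processes.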
The Lotus Wiper campaign reinforces that ICS-aware destructive tools are no longer the exclusive capability of top-tier nation-state actors. The defensive investment required to recover from an ICS wiper deployment — particularly one that destroys historian data and HMI configurations — far exceeds the investment required to prevent it.