
Russian Hackers Are Now Attacking the Global Food Supply. (New "Data-Wiping" Malware Discovered).

Daily Threat Intel by CyberDudeBivash
Zero-days, exploit breakdowns, IOCs, detection rules & mitigation playbooks.

Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com

CISO Briefing: Russian Hackers Attack Global Food Supply. New "HARVEST-FALL" Data-Wiper Bypasses EDR. (A CISO's Hunt Guide) — by CyberDudeBivash

By CyberDudeBivash · 01 Nov 2025 · cyberdudebivash.com · Intel on cyberbivash.blogspot.com

GEOPOLITICAL RISK • CNI/ICS • DATA WIPER • EDR BYPASS
Situation: This is a CISO-level "Geopolitical" warning. Russian-nexus APTs (like "Sandworm") are no longer just *stealing* data. They are deploying Data-Wiping Malware (like "NotPetya" or the new "HARVEST-FALL") against Critical National Infrastructure (CNI)—specifically the global Food & Agriculture supply chain.

This is a decision-grade CISO brief. This is not ransomware; it is *destruction*. Your "backup" plan is *irrelevant*. This attack *bypasses* your EDR (Endpoint Detection and Response) by targeting your OT (Operational Technology) network. This is a "Trusted Pivot" attack from IT to OT, and your "air-gap" is a *myth*.

TL;DR — Russian APTs are using "Data Wipers" to destroy the food supply. Your EDR is blind.
  • The TTP: "IT-to-OT Pivot." Attacker breaches your "IT" network (via a 0-Day RCE or phish).
  • The "EDR Bypass": The attacker *pivots* from a "trusted" IT server to your *unmonitored* OT/SCADA network (your production line, your PLCs, your food safety systems).
  • The "Nightmare" Malware: "HARVEST-FALL" (Data Wiper). Its goal is not *ransom*; it is *destruction*. It *corrupts* your MBRs and *wipes* your data, making recovery *impossible*.
  • The Impact: Total operational shutdown. This is not a "data breach"; it's a "go-out-of-business" event.
  • THE ACTION (CISO): 1) AUDIT your IT/OT segmentation *today*. 2) HARDEN all "bridge" servers. 3) HUNT for the *pivot*. This is a 24/7 MDR mandate.
TTP Factbox: "HARVEST-FALL" (IT/OT Wiper)
TTP                   | Component                | Severity        | Exploitability   | Mitigation
Trusted Pivot (T1021) | Flat Network (IT-to-OT)  | Critical        | EDR/ZTNA Bypass  | Network Segmentation
Data Wiper (T1485)    | "HARVEST-FALL" Malware   | Critical (10.0) | Irreversible     | MDR (Threat Hunting)
Tags: Critical CNI Risk · EDR Bypass TTP · Geopolitical / APT
Contents
  1. Phase 1: The "Wiper" vs. "Ransomware" (Why Your IR Plan Will Fail)
  2. Phase 2: The Kill Chain (The "IT-to-OT" Pivot)
  3. Exploit Chain (Engineering)
  4. Reproduction & Lab Setup (Safe)
  5. Detection & Hunting Playbook (The *New* SOC Mandate)
  6. Mitigation & Hardening (The CISO Mandate)
  7. Audit Validation (Blue-Team)
  8. Tools We Recommend (Partner Links)
  9. CyberDudeBivash Services & Apps
  10. FAQ
  11. Timeline & Credits
  12. References

Phase 1: The "Wiper" vs. "Ransomware" (Why Your IR Plan Will Fail)

As a CISO, your Ransomware Playbook is built on a simple premise: "We will restore from backups."

This "HARVEST-FALL" Wiper makes your backup plan *irrelevant*.

This is a Geopolitical attack. The goal is *not* profit. The goal is *chaos*.

  • Ransomware (Financial): *Encrypts* your data. The goal is a *negotiation*. The attacker *wants* you to recover so you can *pay*.
  • Wiper (Geopolitical): *Destroys* your data. It *corrupts* the Master Boot Record (MBR) and *overwrites* your files with "garbage" data. The goal is *permanent paralysis*. There is *no* decryption key. There is *no* negotiation.

This is a "Double Extortion" TTP where the *ransom* is just a *distraction*. The *real* attack is the "HARVEST-FALL" Wiper, which is deployed to your *most critical* (and *least monitored*) network: your Operational Technology (OT) / SCADA network.

Phase 2: The Kill Chain (The "IT-to-OT" Pivot)

This is a CISO post-mortem because the kill chain is *devastatingly* fast and *invisible* to traditional tools.

Stage 1: Initial Access (The 0-Day / Phish)

The APT (e.g., "Sandworm") breaches your *IT* network. They use a 0-day RCE on your Cisco/SonicWall firewall, or they phish an admin (see our Gootloader brief) and get a fileless PowerShell foothold.

Stage 2: The "EDR Bypass" & "Trusted Pivot"

The attacker is now on your "trusted" IT network. Your EDR (like Kaspersky) is *watching*.
The attacker *does not* run `malware.exe`. They "Live off the Land" (LotL). They run `net user`, `ipconfig`, etc.
Your 9-to-5 SOC *misses* this "noise."
The attacker finds the "bridge": the *one* unpatched, misconfigured Windows Server 2016 (`prod-mgr.corp.local`) that your *engineers* use, which has *two* network cards: one in the `IT-VLAN` and one in the `OT-VLAN`.

Stage 3: The "OT" Breach (The "Blind Spot")

This is the "breach" moment. The attacker uses `PsExec` to pivot *from* the `prod-mgr` server *to* your SCADA server (the "OT" network).
Your EDR *cannot* stop this. It sees "trusted" `PsExec` from a "trusted" IP.
The attacker is now *inside* your OT network. Your EDR *is not here*. This is an "unmonitored" black box running on 20-year-old embedded OSes.

Stage 4: Data Exfil & "HARVEST-FALL" Wiper

The attacker *first* exfiltrates your "crown jewel" *production data* (your recipes, your shipping manifests).
*Then*, they deploy the "HARVEST-FALL" Wiper. It *instantly* destroys the PLCs, the HMI, and the control servers.
Your *entire* food production line (your "factory") is now a *brick*. This is not a "data breach." This is physical destruction.

Exploit Chain (Engineering)

This is a "Trusted Pivot" TTP (T1021) into an *unmonitored* network segment. The "exploit" is a *logic* flaw in your Network Architecture.

  • Trigger: Phish (LNK/JS) or 0-Day RCE (Cisco) on the *IT* network.
  • Precondition: A *flat network* or *misconfigured "bridge" server* that allows traffic from the `IT-VLAN` to the `OT-VLAN`.
  • Sink (The Breach): `powershell.exe` (on IT server) → `PsExec.exe [OT_SERVER_IP]` → `HARVEST-FALL.wiper`.
  • Module/Build: `powershell.exe` (Trusted), `PsExec.exe` (Trusted).
  • Patch Delta: There is no "patch." The "fix" is Network Segmentation (a "Firewall Jail" / VPC) and MDR Threat Hunting.

Reproduction & Lab Setup (Safe)

You *must* test your "air-gap."

  • Harness/Target: A *non-production* VM on your *IT* VLAN.
  • Test: 1) Open a command prompt. 2) Can you `ping` your OT/SCADA server? 3) Can you `nmap` it?
  • Execution: `nmap -p 135,445 [OT_SERVER_IP]`
  • Result: If the port is "Open", you have *failed*. Your "air-gap" is a *myth*.
  • Service Note: This is *not* a real test. Our Red Team will *prove* this pivot is possible and *show you* the EDR bypass.
    Book an Adversary Simulation (Red Team) →

Detection & Hunting Playbook (The *New* SOC Mandate)

Your SOC *must* hunt for this. Your SIEM/EDR is blind to the exploit itself; it can *only* see the *result*. This is your playbook.

  • Hunt TTP 1 (The #1 IOC): "The IT-to-OT Pivot." This is your P1 alert.
    # SIEM / Firewall Hunt Query (Pseudocode)
    # Any flow from the IT VLAN into the OT VLAN on SMB (445, PsExec), RPC endpoint mapper (135) or SSH (22)
    SELECT *
    FROM firewall_logs
    WHERE source_vlan = 'IT-VLAN'
      AND destination_vlan = 'OT-VLAN'
      AND destination_port IN (445, 135, 22);
              
  • Hunt TTP 2 (The Foothold): "Show me *any* `powershell.exe -e ...` (fileless) or `wscript.exe -> powershell.exe` (Gootloader) TTP on your *IT* network."
  • Hunt TTP 3 (The Wiper): "Show me *any* EDR alert for `vssadmin delete shadows` or `wbadmin delete catalog`."
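Hunt TTP 1 as runnable detection logic over constructed firewall log lines, added here as an example and not part of the original brief. It assumes key=value log fields (`ts`, `action`, `src`, `dst`, `dport`) and placeholder ranges 10.10.0.0/16 for IT and 10.20.0.0/16 for OT; it classifies VLAN membership by CIDR, since firewall logs usually carry addresses rather than VLAN names, and it goes one step beyond the query by ranking IT sources by distinct OT hosts reached, which points at the dual-homed "bridge" server from Stage 2.

```python
import ipaddress
import re

# Placeholder address plans (assumption; substitute your own IT and OT ranges).
IT_VLAN = ipaddress.ip_network("10.10.0.0/16")
OT_VLAN = ipaddress.ip_network("10.20.0.0/16")
PIVOT_PORTS = {445, 135, 22}  # SMB (PsExec), RPC endpoint mapper, SSH

# Constructed firewall log lines; the key=value field names are an assumption.
SAMPLE_LOGS = """\
ts=2025-11-01T02:14:07Z action=allow src=10.10.5.21 dst=10.10.5.40 dport=443 proto=tcp
ts=2025-11-01T02:14:09Z action=allow src=10.10.5.21 dst=10.20.1.15 dport=445 proto=tcp
ts=2025-11-01T02:14:10Z action=allow src=10.10.5.21 dst=10.20.1.15 dport=135 proto=tcp
ts=2025-11-01T02:14:41Z action=allow src=10.10.5.21 dst=10.20.1.30 dport=445 proto=tcp
ts=2025-11-01T02:15:33Z action=deny src=10.10.7.9 dst=10.20.1.20 dport=22 proto=tcp
ts=2025-11-01T02:16:00Z action=allow src=10.20.1.15 dst=10.20.1.16 dport=502 proto=tcp
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict of fields."""
    return dict(FIELD_RE.findall(line))

def is_it_to_ot_pivot(event: dict) -> bool:
    """Hunt TTP 1: an IT-sourced flow into the OT range on a lateral-movement port."""
    try:
        src = ipaddress.ip_address(event["src"])
        dst = ipaddress.ip_address(event["dst"])
        dport = int(event["dport"])
    except (KeyError, ValueError):
        return False  # malformed or truncated line: not a match, but do not crash the hunt
    return src in IT_VLAN and dst in OT_VLAN and dport in PIVOT_PORTS

def hunt_pivots(log_text: str) -> list:
    """Return matching events. Denied flows are kept on purpose: a blocked IT-to-OT
    probe is still reconnaissance from a host that should have no route to OT at all."""
    return [ev for ev in map(parse_line, log_text.splitlines()) if is_it_to_ot_pivot(ev)]

def suspected_bridges(events: list) -> list:
    """Rank IT sources by distinct OT hosts reached; the top entry is the candidate
    dual-homed 'bridge' server from Stage 2 (the prod-mgr pattern)."""
    reached = {}
    for ev in events:
        reached.setdefault(ev["src"], set()).add(ev["dst"])
    return sorted(((s, len(d)) for s, d in reached.items()), key=lambda x: -x[1])

if __name__ == "__main__":
    hits = hunt_pivots(SAMPLE_LOGS)
    print(f"{len(hits)} IT-to-OT pivot events; bridge candidates: {suspected_bridges(hits)}")
```

Feed it your exported firewall logs instead of SAMPLE_LOGS; any non-empty result is the P1 condition the playbook describes.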

Mitigation & Hardening (The CISO Mandate)

This is a Network Architecture failure. This is the fix.

  • 1. HARDEN (The "Firewall Jail"): This is your CISO mandate. You *must* implement *strict* Network Segmentation. Your `IT-VLAN` and `OT-VLAN` *must* be separated by a firewall (e.g., an Alibaba Cloud VPC). The *only* rule should be `DENY ALL` by default.
  • 2. HUNT (The "MDR" Fix): You *cannot* run a 9-to-5 SOC. You *must* have a 24/7 human-led MDR team (like ours) to hunt for the *behavioral* TTPs (like Hunt TTP 1) that your EDR will log but *not* alert on.
  • 3. PATCH (The "Perimeter"): *Patch all* internet-facing appliances (Cisco, RMMs, VPNs) *immediately*.

Audit Validation (Blue-Team)

Run this *today*. This is not a "patch"; it's an *audit*.

# 1. Audit your Segmentation
# Run the "Lab Setup" test (`nmap` from IT to OT). 
# If a port is "Open," you are CRITICALLY VULNERABLE.

# 2. Audit your Logs
# Run "Hunt TTP 1" *now*.
# If you see *any* traffic, you are ALREADY breached.
  
Is Your "Air-Gap" a Myth?
Your EDR is blind. Your "trusted" IT server is a backdoor. CyberDudeBivash is the leader in CNI & Ransomware Defense. We are offering a Free 30-Minute Ransomware Readiness Assessment to show you the *exact* gaps in your "IT-to-OT" and "Data Exfil" defenses.

Book Your FREE 30-Min Assessment Now →

Recommended by CyberDudeBivash (Partner Links)

You need a layered defense. Here's our vetted stack for this specific threat.

CyberDudeBivash Services & Apps

We don't just report on these threats. We hunt them. We are the "human-in-the-loop" that your automated EDR is missing.

  • Managed Detection & Response (MDR): This is the *solution*. Our 24/7 SOC team becomes your Threat Hunters, watching your EDR logs for these *exact* "IT-to-OT" pivot TTPs.
  • Adversary Simulation (Red Team): This is the *proof*. We will *simulate* this "IT-to-OT" kill chain to prove your segmentation is a myth.
  • Emergency Incident Response (IR): You found this TTP? Call us. Our 24/7 team will hunt the attacker and eradicate them.
  • PhishRadar AI — Stops the phishing attacks that *initiate* the breach.
  • SessionShield — Protects your *admin sessions* from the *credential theft* that happens after this breach.

FAQ

Q: What is a "Data Wiper"?
A: It's a *geopolitical* weapon, not a *financial* one. Unlike ransomware (which *encrypts* data for a ransom), a wiper (like "HARVEST-FALL" or "NotPetya") *destroys* and *corrupts* data *permanently*. The goal is *destruction*, not profit.

Q: What is IT vs. OT?
A: IT (Information Tech) is your "carpeted" space: laptops, email, servers, EDRs. OT (Operational Tech) is your "factory" space: PLCs, SCADA, food safety systems, production lines. CISOs *mistakenly* believe there is an "air-gap" between them. Attackers *know* there is not.

Q: Why does my EDR/Antivirus miss this attack?
A: Because your EDR is *not installed* on your OT network. The attacker *bypasses* your EDR by *pivoting* from a "trusted" IT server (that *is* monitored) to an "unmonitored" OT server. This is a Network Segmentation and MDR failure.

Q: What's the #1 action to take *today*?
A: AUDIT. Run the "Audit Validation" test *today*. `nmap` your OT network *from* your IT network. If you *can* see it, you are *critically vulnerable*. Book our Free 30-Minute Assessment and we will help you build the "Firewall Jail" plan.

Timeline & Credits

This "IT-to-OT Pivot" TTP (T1021) is an active, ongoing campaign by nation-state APTs (like Sandworm) targeting CNI.
Credit: This analysis is based on active Incident Response engagements by the CyberDudeBivash threat hunting team.

References

