Alexis Rapin
@alexis-rapin.bsky.social
Strategic Cyber Threat Intelligence Analyst @esetresearch.bsky.social // Research Fellow at Chaire Raoul-Dandurand en études stratégiques et diplomatiques (UQAM) // At the confluence of cyber & geopolitics
[PPS; Humble self-promotion] I'd like to think this paper may prove interesting to @staillat.bsky.social @louispetiniaud.bsky.social @jonrlindsay.bsky.social @drmagomez.bsky.social @maxwsmeets.bsky.social @andrewdwyer.bsky.social @jamiemaccoll.bsky.social (trying to build on y'all's great work 🫡).
November 21, 2025 at 5:33 PM
[PS] I should add a last, and very much contextual, remark: I wrote this article well before assuming my current professional responsibilities. This article is in no way a reflection of my work at ESET, or of what the company might or might not think of the issue at hand 😉
November 21, 2025 at 5:33 PM
That's pretty much the article's concluding (and cautionary) remark: Although wipers are clearly no wonder weapon at the moment, they are far from having expended their evolutionary potential, and nation-states will likely prove very creative in how to employ them in the future... (END)
November 21, 2025 at 5:33 PM
(25/25) b) Wipers may possibly deliver greater results when used *in conjunction with other tools* (such as Info Ops, EW, or even kinetic). They may be used to distract an adversary from other operations (against OT for instance), to frustrate remediation efforts, etc. Possibilities are plentiful...
November 21, 2025 at 5:33 PM
(24/25) I conclude the study with 2 important caveats.
a) Some kinds of targets may prove more conducive to spill-over effects than others. The dramatic 2023 Kyivstar attack, for instance, suggests that wiper warfare may harbor some sort of Clausewitzian "centres of gravity" (telcos, for instance).
November 21, 2025 at 5:33 PM
(23/25) Beyond that point however, more durable, strategic effects prove elusive (so far). Wiper attacks do not easily generate systemic disruptions, widespread panic or broader coercive effects. Their impacts generally prove too brief and/or too localized for such dynamics to take place.
November 21, 2025 at 5:33 PM
(22/25) So, at the end of the day, what are wipers good for? Wiper attacks prove indisputably effective in:
a) Consuming an organisation’s time and resources
b) Inflicting financial losses (on average, $198 million/org. throughout our 6 cases)
c) Generating bad publicity for targeted orgs
November 21, 2025 at 5:33 PM
(21/25) When 🇷🇺 wipers started raining on Ukraine in early 2022, Kyiv’s critical systems and databases were swiftly offered a safe haven within US Big Tech's heavily protected datacenters. Various sources indicate that this rapid mass migration saved 🇺🇦 from digital disaster. -> Decentralization.
November 21, 2025 at 5:33 PM
(20/25) Thirdly, computer systems also prove to be very *decentralizable*. As opposed to a physical stockpile or a production line, you can move them around quickly and with few logistical hurdles. Many of their components can be dispersed, delocalized and possibly sanctuarized.
November 21, 2025 at 5:33 PM
(19/25) When Aramco was hit by Shamoon, they used their fleet of private jets to fly representatives directly to Asian electronics factories. They purchased 50,000 hard disks straight off the production line, to replace wiped ones. They were there, plentiful and ready to use. -> Duplicability.
November 21, 2025 at 5:33 PM
(18/25) Secondly, computer systems also happen to be very *duplicable*, materially speaking. Most digital infrastructures rely on widespread, mass-produced, standardized equipment. Their basic building blocks thus prove relatively easy to replace (much more so than high-precision machinery, for ex).
November 21, 2025 at 5:33 PM
(17/25) When NotPetya hit Maersk, they found out that a ⚡️ outage had helped preserve one last backup of their domain controllers at their Ghanaian office. The backup was flown back to London, where 600 IT people worked 24/7 and reconstructed the network fairly quickly. That's replicability right there.
November 21, 2025 at 5:33 PM
(16/25) First, the relative immateriality of information systems means they prove to be highly *replicable* thingies. As long as a virtual image of an organization’s network has been preserved somewhere (a backup, that is), it can be recreated from scratch in a surprisingly short timespan.
November 21, 2025 at 5:33 PM
(15/25) How come effects so rarely cascade down to the systemic level? The answer obviously varies from one case to another... but I identified what I believe to be *3 important factors of digital resilience*, which targeted organisations often managed to leverage in one form or another.
November 21, 2025 at 5:33 PM
(14/25) Finally, there often seems to be a disconnect between the amount of digital damage suffered and the operational disruption observed. This suggests the impacts of a wiper attack may, perhaps, depend more on organisational factors (reactivity, resilience) than on purely digital determinants.
November 21, 2025 at 5:33 PM
(13/25) In other words, what makes wipers most likely to produce systemic effects is also what makes them more likely to be somewhat counter productive. Balancing the potency and controllability of a wiper, so as to obtain predictable results, remains a major challenge (🫡@lmaschmeyer.bsky.social).
November 21, 2025 at 5:33 PM
(12/25) The NotPetya exception is notable, but it also demonstrates yet another limitation of wipers: the virus achieved its results by being designed for maximal virulence... so much so that it ended up infecting major 🇷🇺 orgs (such as Gazprom and Rosneft, the Kremlin's biggest cash cows).
November 21, 2025 at 5:33 PM
(11/25) FOURTH, except for NotPetya, no real systemic effects are ever observed. In other words, wipers *very rarely* manage to disrupt a broader supply chain or industry. Attacks often remain confined to the targeted organisation, and prove too short-lived for impacts to extend further.
November 21, 2025 at 5:33 PM
(10/25) THIRD, interestingly, no victim ever publicly reported losing data for good. This might reflect voluntary omission, but it's still striking. It suggests wipers perhaps act less as an information destruction mechanism than as temporary disruptors of dataflows. Information survives, somewhere.
November 21, 2025 at 5:33 PM
(9/25) SECOND, this digital damage often *does* generate serious operational disruptions (and $ loss), but their intensity and duration widely vary – from 12h to several weeks. In most cases, the critical functions of the targeted org. (industrial processes for instance) remain unscathed.
November 21, 2025 at 5:33 PM
(8/25) There's obviously a lot to unpack here and I'll let people take a closer look at the paper itself. But a few major findings are worth highlighting. FIRST: yes, digital infrastructure does suffer a lot when a wiper hits (with up to 75% or 90% of an org. network destroyed in some cases...)
November 21, 2025 at 5:33 PM
(7/25) I then applied this model to our 6 cases of wiper attacks, assessing effects at each level, using data from media reports, public testimonies, post-mortems, etc. These admittedly paint a very incomplete picture of what happened, but still... what do we see? And what can we learn?
November 21, 2025 at 5:33 PM
(6/25) The idea behind this "cascade model" is simple: wipers essentially destroy data, but to what extent does this affect an organization's activity, a wider industry or supply chain and, at the end of the day, a nation-state? Do effects actually cascade? And if so, under what conditions?
November 21, 2025 at 5:33 PM
(5/25) To measure the "real-world" impacts of these attacks, I first designed an impact assessment framework, in the form of a cascade. It is meant to model how digital effects (loss of data) transpose into organisational effects (operational disruptions), and then into systemic/societal effects.
November 21, 2025 at 5:33 PM