ESET's Global Security Evangelist Tony Anscombe expands on his theory
One might wonder why one of the final mainstage presentations at RSA 2018 had “Weapons of Mass Destruction” (WMDs) in its title. By the time ESET Global Security Evangelist Tony Anscombe finished his presentation, however, no one was asking that question; instead, what emerged was a better understanding of how the evolution of malware has led us to the digital weaponry of today and tomorrow.
The central question of Anscombe’s
presentation was: Can malware be used as a weapon of mass destruction? He
contends that it can and notes that we are at a tipping point where malware
evolution has led us to the latest development in cyberweapons; this is what
Anscombe coins “Malware of Mass Disruption.” He defines this as the following:
· Any malware that targets infrastructure and thus could damage or disable services and could potentially cause death or serious bodily injury
· Any malware designed to inhibit first responders or emergency response from providing lifesaving treatment
· Any malware that targets health care or medical devices and could potentially cause death or serious bodily injury
· Any software that is intended to damage or disable medical systems or devices
Over the years, we have had some close calls
that give a glimpse into the effect digital weapons can have. In 2017, the
United Kingdom’s National Health Service (NHS) was a major victim of the WannaCryptor
(aka WannaCry, WCrypt) attack [ESET detects this as
Win32/Filecoder.WannaCryptor.C, or less formally as “WannaCryptor.C” — Ed.].
According to a government report, at least 6,912 NHS appointments were canceled, with estimates that the total may be as high as 19,000. These numbers reflect only NHS hospital appointments – the impact on local physician visits is unknown. Within this number are 139 urgent referrals of patients who potentially have cancer.
It would not be unreasonable to consider a malware attack a ‘weapon’ when it does in fact affect the urgent health care of patients. If the WMD definition and title were adjusted to become Malware of Mass Disruption, then the WannaCryptor attacks would certainly be categorized this way.
Perhaps one of the most notorious attacks to
cause disruption to society on a large scale was the 2015 malware known as BlackEnergy,
which caused power outages in Ukraine, impacting 225,000 customers for up to
six hours. The malicious actors responsible attacked three regional electric
power distribution companies with synchronized and coordinated attacks within
30 minutes of each other and impacted multiple central and regional facilities.
And that was only the beginning. In 2016, a new attack, later attributed to malware dubbed Industroyer, deprived Kiev, the capital city of Ukraine, of power for approximately one hour. This attack differed significantly from BlackEnergy in that it targeted Industrial Control Systems (ICS) directly. By exploiting weaknesses in the software of the ICS devices, the attackers were able to control electricity substation switches and circuit breakers directly, ultimately controlling the delivery of power.
The critical infrastructure of a city might
just be the crown jewel to a nation-state actor. Attacking the power
infrastructure of a city, country or even a building has the potential to cause
huge disruption, and, depending on the circumstances, endanger life. Imagine if
an intensive care unit of a hospital lost power; the outcome could be fatal. While
this is a hypothetical scenario, it may not be far from reality – if a
cybercriminal can switch off the power to a city, they probably have the
ability to switch off the supply to a building and, with the right resources,
change the way any backup systems may operate.
“Using the word ‘weapon’ in association with
malware may be a step too far for some people,” noted Anscombe. But he points
out an important malware history lesson, bringing attention to the first major
attack against infrastructure, dubbed Stuxnet. “This showed, really for the
first time, that a nation state could actually attack the infrastructure of
another nation state by using malware as the tool or weapon,” he said.
Since prominent infrastructure attacks like
Stuxnet, various examples point to a conclusion that malware has the potential
to “be a weapon in the arsenal of any government or organization that wants to
inflict damage or disruption on another person, organization or country – or
the world as a whole,” he pointed out.
From notorious attacks like WannaCryptor, to
aggressive blackouts caused by BlackEnergy and Industroyer, to attacks that
potentially affect election outcomes, the reality exists that the bad actors
creating and utilizing malware are disrupting our sense of safety, security and
democracy.
“I will leave you to decide whether to call
these weapons,” he concluded.