Over the past twenty years, destructive cyber-attacks have increased significantly, especially ones conducted by nation states. Given the level of damage they cause, you might expect them to be carried out using a sophisticated toolset. However, in most of the cases we have seen, the attacks were delivered using relatively unsophisticated tools. We often see basic techniques used to deliver destructive malware, such as boot record wipers. Even though these techniques are highly effective, they are relatively simple to code. More often than not it is the softer targets, such as civilians and private corporations, who are hit. Unfortunately, when nation states leverage cyber-attacks, the private sector often pays the price.
The general trend since 2010 has been the use of simple but destructive malware, with the most recent example being NotPetya. This malware was composed of a basic destructive module paired with a sophisticated back-door. The offensive file was not overly sophisticated, nor did it contain innovative capabilities. We expect this trend to continue as threat actors become inspired by the lack of consequences for running this type of attack.
The early days of destructive cyber attacks
Even as far back as the early 1980s we were seeing destructive cyber-attacks. One of the earliest was the Siberian pipeline hack, where the French government alerted the CIA that the Soviets had infiltrated some US laboratories, factories and government agencies. The CIA had learned about a software shopping list which the Russians needed to operate a natural gas pipeline in western Ukraine, and fooled the Soviets into purchasing software with built-in flaws. The software was used to operate pumps, turbines and valves within the pipeline, but because of the built-in flaws the pumps, turbines and valves would malfunction at random times. This caused the pressure within the pipeline to become too great for the joints to hold and resulted in one of the world's largest non-nuclear explosions. Thankfully there were no casualties, but part of the Trans-Siberian Pipeline was vaporised as a result of the explosion.
There have been numerous destructive attacks since the 1982 Siberian Pipeline explosion, the most recent being the infamous NotPetya ransomware attack. The self-propagating malware infected approximately 25,000 computers with the aim of wiping their hard drives when the machines rebooted. These kinds of destructive cyber-attacks are often used by nation states for a number of reasons, such as retaliation for a previous action, covert disruption of operations, or simply to demonstrate annoyance. There is little reason for nations to stop this behaviour, as there is a comparative lack of consequences.
Getting away with it
Governments are often unwilling to retaliate after a destructive cyber-attack, as such conflicts can escalate quickly and cross the line into physical attacks. Because of this fear, governments can be unwilling or unable to cut off parts of the internet in response to this type of attack. As such, we are unlikely to see any governments with large offensive and defensive capabilities push for a policy change. If the equivalent force were used in the physical world there would be severe consequences, yet some nations are failing to take cyber seriously. Because of the global reach a cyber-attack can have, governments are rushing to use these capabilities while still attempting to understand cyber space and the real-world effects of cyber-attacks.
What the future holds
If we continue to allow these destructive cyber-attacks to go unpunished, we should expect to see nations experimenting with their attack capabilities and honing their ability to use them for numerous purposes. It is likely that we will see an increase in attacks of low sophistication in the coming years, with non-government institutions being useful targets for advancing a hostile nation's interests.
DDoS attacks are currently the most widely used tool for hacktivists. However, with more destructive tools continuing to be used, our society is becoming numb to reports of new cyber-attacks. For those criminals wanting to develop their business model, launching larger and longer-lasting attacks, combined with the ability to increase obfuscation, will allow them to move into the DDoS space.
Unfortunately, it doesn't look as though we can rely on governments to stop using their full cyber capabilities, and as such we will likely see an increase in attacks from non-state actors, with an increase in arrests and prosecutions. However, a couple of ideas have been discussed to help manage this situation, although there is a possibility that they will only create a more difficult environment for all involved.
Deterrence by denial is a phrase which we have been hearing more and more often. This is only achievable if cyber security evolves to a state where companies can implement defensive technologies which can truly rival those of the attacker. Hacking back is another concept which gets discussed every so often, and there is even a bill in the U.S. House of Representatives which would allow this method to be used, though only within limited boundaries. Unfortunately, policies and procedures are unlikely to stop this growing threat. The criminals who launch destructive cyber-attacks have significant motivations and resources and, given enough time, will be able to work through any combination of security technology.
Owning the battlefield
It is essential that businesses understand why they could be potential targets for nation states, as this will enable them to apply effective countermeasures. It is also important to remember that destructive cyber-attacks are just a small subset of the overall threats which organisations face.
From the moment an attacker enters a network, it is a race against the clock for a security team to detect them and prevent them from causing destruction to the network and its information. Currently, the time from breach to detection is measured in weeks if not months; this is far too long. If we are to make a significant reduction in detection time we need to use intelligence, hunting and active monitoring. We need to perfect these technologies now if we are to successfully defend the private sector against further destructive attacks.
Ross Rustici, Senior Director, Intelligence Services, Cybereason