When the details of Crash Override emerged earlier this summer, many argued it would be the wake-up call to finally forewarn of potential digital threats to critical infrastructure. However, when placing last December’s attack on the Ukrainian power grid in a broader context, it quickly becomes apparent that this will likely neither be a wake-up call nor an isolated event. The 2010 discovery of Stuxnet, malware which damaged centrifuges at Natanz, was just the first in a series of destructive malware deployments leading up to Crash Override and, more recently, NotPetya. During this time, destructive malware has targeted a range of organizations, including Saudi Aramco in 2012; South Korean media and finance companies in 2013; a German steel mill, Sands Casino, and Sony in 2014; the Ukrainian power grid in 2015 and again in 2016; and Saudi government agencies in late 2016.

These attacks fall into two categories. The first and less sophisticated type simply targets filesystems and hard disks to render data and systems inaccessible, often with a built-in propagation component. These attacks often cause significant secondary impacts on the physical world, such as shutting down business operations or halting employee payment mechanisms. The second and more sophisticated kind of attack directly impacts physical systems, as was the case with Stuxnet and Crash Override. These attacks, while rare and difficult to pull off, illustrate the potential impact if an attacker truly seeks to create widespread damage through cyber access.

The deployment of destructive malware, while still rare, is noticeably prevalent among interstate rivals. Interstate rivalries are those country-pairs that are the most conflict-prone and are responsible for a disproportionate share of disputes in the international system.
By looking through an interstate rivalry lens, it is apparent that the deployments of wiper malware are not independent events but are interconnected events across space and time. The deployment of wiper malware is tightly linked to geopolitical, strategic objectives and the state of affairs between these enduring rivalries.

We’ll discuss this interplay between destructive malware and interstate rivalries at BSidesLV 2017. We’ll briefly walk through the incremental expansion of destructive malware, highlighting the prominence and technical details of destructive malware from late 2016 and into 2017, including Shamoon 2.0, StoneDrill and NotPetya. We will also trace the deployment of destructive malware within geopolitical tensions among three dominant interstate rivalries, each of which has a very different power symmetry: Russia and Ukraine, Iran and Saudi Arabia, and North and South Korea. Finally, we’ll look ahead at what is next for destructive malware and at which other rivalries may emerge next. As we’ll discuss, as long as geopolitical tensions remain high between these adversaries, destructive malware is likely to persist as a staple tactic within the rivalries and potentially elsewhere.

Please join us on Tuesday, July 25 at 11:30 AM as part of the Common Ground Track in the Tuscany Suites.

About the Authors:
Andrea Little Limbago is the Chief Social Scientist at Endgame, researching and writing on geopolitics and cybersecurity, and data science as well as directing the company’s technical content. She has previously worked in academia and at the Department of Defense. Andrea earned a PhD in Political Science from the University of Colorado at Boulder and a Bachelor’s degree from Bowdoin College.
Mark Dufresne is the Director of Threat Research and Adversary Prevention at Endgame, leading Endgame’s research to understand cyber threats and develop capabilities to detect and prevent malicious adversary techniques. He previously worked over a dozen years at the NSA as an Operations Chief and Manager. Mark is a graduate of Johns Hopkins University, where he earned his Master’s in Security Informatics, and the University of Minnesota-Twin Cities, where he earned a B.S. in Computer Science.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.