Cyber warfare shows scary signs of where malware is headed

While you might think that what a Russian APT group does to attack Ukrainian infrastructure has little to do with the life of an IT Admin, but they are providing a snapshot of where the battle against cyber crime is headed.

06:34, Raleigh, North Carolina – You can probably guess what kind of blog post this is going to be if I’ve already fired up the Internet and am hunting for a suitable quote from the script of the classic 1999 film “Hackers”.

PLAGUE (As if to a child): “The little boat flipped over. A virus planted in the Gibson computer system claimed responsibility.”

It’s certainly a grim day when your business is impacted by a ransomware attack. Just ask the now infamous Hollywood Presbyterian Medical Center, located in Los Angeles, which both the cyber security and mainstream media proclaimed had an initial ransom demand of US $3.6 million dollars (until someone did a proper Bitcoin conversion and realized it was actually $17,000 – still a very hefty sum).


Given the success of this particular criminal gang, either the same group or a likely copycat group, managed a couple more paydays in Lukas Hospital in Neuss Germany and the Klinikum Arnsberg hospital in North Rhine-Westphalia Germany. Clearly the prospects for IT security and robust backup solutions have never looked more promising in the medical sector – a vertical well know for atrociously vulnerable networks and the value of the data they store. I’ve written a soon-to-be-released white paper on IT Service Management and Security Awareness in healthcare, based on my experiences these very issues for IT in healthcare.

I chose the above line from Mr. Eugene Belford, AKA The Plague, because there are some developments in the cyber threat landscape, especially as it relates to Industrial Control Systems (ICS), which are disconcerting. If you think shutting down a hospital for 10 days is serious, things got a little bit more dangerous just a couple of months ago.

At the end of December last year, some major disruptions to the Ukraine’s power generation and airport infrastructure were broadly reported in the media. According to reports and investigations by a US interagency cybersecurity team, the power outages were caused by “remote cyber intrusions at three regional electric power distribution companies”. While other organizations, including those in the critical infrastructure sector, also experienced intrusions, they did not experience the same operational impacts.

Reports from ICS-CERTS suggest that the initial attacks came from a fairly common piece of malware called BlackEnergy. However, once the use of that malware was detected the attack changed, with the new payload based on a freely available open source backdoor written in Python. This program was specifically engineered and developed to maintain a stealthy and persistent hold on infected systems.

While the malware and its effects may have changed, the attack vector is all too familiar. The hackers used spear-phishing emails containing malicious XLS files that tricked the recipient into ignoring the built-in Microsoft Office security warnings. The macro then launched a Trojan that attempted to execute a final payload from a remote server. Claims that Sandworm Team were behind the attack indicate that the Russians – or their hacker sympathizers – may well be practicing the art of cyber warfare on critical infrastructure. Ever since the beginning of the crisis in Ukraine, the cyber war has continued to play a part in disrupting civilian networks.

The US Cyber Command is also displaying significant capability in this area. US Defense Department leaders recently announced that the country’s forces were participating in a coalition operation with Iraqi and Kurdish forces to recapture the IS-held the city of Mosul. At the leading edge of this effort is an ongoing cyber warfare operation against the communications infrastructure. This may well be the first time that the US has openly admitted that it is using network-based electronic attacks as an integrated part of a military operation.

Ever since Operation Olympic Games unleashed Stuxnet on the Iranian nuclear program, the US and its allies, such as the UK, have slowly revealed massive cyber warfare capability and advanced espionage techniques. This program has received extensive information security and mainstream media press coverage, yet even as far back as 1991 the Bush administration contemplated a cyber attack on the Iraqi banking infrastructure. Clearly, cyber warfare capability is almost as old as dial-up Internet access.

Information about the development and execution of cyber warfare capabilities has been revealed through Snowden and various de-classified documents. Indeed, news broke recently of a follow-on campaign of digital mayhem that was being prepared if the Iranian nuclear weapons talks had broken down. Oddly enough in LinkedIn profiles, in biographies, and job postings for cyber warfare operators, a lot of folks appear to have been doing a lot of things in cyber offensive operations for quite some time.

The question, of course, is how do cyber warfare events like the above, in far off places and in large organizations impact on the lives of managed services providers (MSPs) and IT Admin providing services to small and medium business?

The answer is that they should serve as a warning – a very serious warning – of vicious malware yet to be seen. The reality of cyber warfare is that no matter how targeted it is, there will very likely be collateral effects. Stuxnet spread beyond Iran and infected systems far across the world. Although it may feel daunting help is at hand. Check out our Cyber Threat Guide for IT tips and technology that can help you face down the worst the Internet can throw at a business.

Download the Cyber Threat Guide ebook here (requires registration).

Ian Trump HeadshotIan Trump Headshot Ian Trump is security lead for LOGICnow, you can follow Ian on Twitter at @phat_hobbit.

Lee Davy/Flickr
Related Posts