Critical Infrastructure, Malware
What happens to cyberweapons after a cyberwar?
11 Aug 2023
3 min. read
There are precious few weapons that, once invented, weren’t reused for the next horrible thing, even when we promise the current conflict is the “war to end all wars”. It never is. With one notable exception – turning the global troposphere into a nuclear melty firecracker that cooks us all – there seems to be no end to the lengths to which we humans will go to destroy others, and sometimes ourselves.
Here at Black Hat, there is an undercurrent about the dual-purpose tools being trotted out, used for both good and evil depending on perspective. One nation-state’s hero is another’s villain, after all.
At ESET, we remain dedicated to protecting technology. More specifically, we believe our job is to protect technology and leave the determination of intent to governments. We’re technologists at heart, and here at Black Hat, there’s a lot of heart.
A summer camp for hackers
People call Black Hat the “Summer Camp for hackers”, and between Black Hat, DEF CON (and BSides for those in the know), there is a maelstrom of doodads, widgets, and no small haul of code to tie them all together for both attackers and defenders. Part of the logic is that by understanding how a thing is built, you can better understand how to defend it.
There are a lot of techniques floating around Black Hat that seek to do as much physical and structural damage to an enemy as possible. But do they make us all less safe? Hopefully, they make us more aware – and that can make us safer.
We welcome some sophistication in the systems used to keep folks safe, often through sharing, trust groups, and red/blue teaming to “sharpen the sword.” We hope this results in a safer future world for everyone, the kind of world we want to live in.
A digital arsenal means unlimited ammo
When we talk about these cyberweapons, what we are talking about is malicious software (malware), which is conceptually (philosophically?) not very different from the first computer viruses – it’s just orders of magnitude more complex. And malware is something that ESET, and companies like us, have been protecting computers against for years.
What is novel about the use of malware in war is the ease with which it can be studied, copied, and turned around quickly to be used in attacks by, well, anyone. An example of this is the Stuxnet worm from 2010: When found, the worm made use of multiple zero-day vulnerabilities, including one that let it run automatically from removable media such as USB flash drives, usually via specially crafted Microsoft shortcut (LNK) files that Windows processed as soon as it rendered their icons. Within a matter of weeks, what was initially thought of as a sophisticated and expensive-to-develop attack was being used by bottom-tier script kiddies to attack their schools’ networks. And this was over a decade ago, long before most nation-states were actively looking for malicious code to re-weaponize for use against their adversaries. Today, such reverse engineering and repurposing would likely take a nation-state adversary hours to a handful of days at most.
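The defensive flip side of that reuse is that the delivery artifact itself can be inspected. As an added example (not code from the article or from ESET), here is a small Python inspector for Windows shortcut files that a defender could run against a mounted removable drive. It parses only the fixed ShellLinkHeader and the LinkTargetIDList from Microsoft’s public [MS-SHLLINK] layout; the heuristic of flagging a shortcut whose target item list names a .dll or .cpl module is this example’s own assumption about what a crafted shortcut would carry, not a description of the Stuxnet files, and the sample shortcuts, drive letters and paths are constructed for the demo.

```python
"""Minimal Windows Shell Link (.lnk) inspector.

Parses the fixed ShellLinkHeader and the LinkTargetIDList described in
Microsoft's [MS-SHLLINK] format and flags shortcuts whose target item list
carries a reference to a DLL or Control Panel (.cpl) module. ItemID contents
are treated as opaque blobs; LinkInfo and StringData that may follow the
IDList are out of scope for this example.
"""
from pathlib import Path
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046}, little-endian on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit A

# Heuristic chosen for this example (an assumption, not taken from the article):
# a shortcut whose target list names a loadable module is worth a second look.
MODULE_SUFFIXES = (b".dll", b".cpl")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the raw ItemID payloads; raise ValueError on junk."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("shorter than a ShellLinkHeader")
    header_size, clsid, link_flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("HeaderSize/LinkCLSID mismatch")
    items = []
    offset = LNK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        if len(data) < offset + 2:
            raise ValueError("truncated IDListSize")
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2
        end = offset + id_list_size
        if end > len(data):
            raise ValueError("IDList runs past end of file")
        while offset < end:
            if offset + 2 > end:
                raise ValueError("dangling byte in IDList")
            (item_size,) = struct.unpack_from("<H", data, offset)
            if item_size == 0:  # TerminalID closes the list
                break
            if item_size < 2 or offset + item_size > end:
                raise ValueError("malformed ItemIDSize")
            items.append(data[offset + 2:offset + item_size])
            offset += item_size
    return {"link_flags": link_flags, "items": items}


def _names_module(blob: bytes) -> bool:
    """True if the blob contains a .dll/.cpl suffix in ASCII or UTF-16LE."""
    low = blob.lower()
    for suffix in MODULE_SUFFIXES:
        if suffix in low or suffix.decode().encode("utf-16-le") in low:
            return True
    return False


def inspect_shortcut(data: bytes) -> dict:
    """Classify one .lnk blob as {'flagged': bool, 'reason': str | None}."""
    try:
        parsed = parse_lnk(data)
    except (ValueError, struct.error) as exc:
        # A shortcut the parser cannot walk is treated as suspect, not ignored.
        return {"flagged": True, "reason": f"malformed: {exc}"}
    for index, item in enumerate(parsed["items"]):
        if _names_module(item):
            return {"flagged": True, "reason": f"ItemID {index} references a DLL/CPL module"}
    return {"flagged": False, "reason": None}


def scan_directory(root) -> list:
    """Walk a mounted volume (e.g. a USB stick) and report flagged .lnk files."""
    hits = []
    for path in Path(root).rglob("*.lnk"):
        verdict = inspect_shortcut(path.read_bytes())
        if verdict["flagged"]:
            hits.append((str(path), verdict["reason"]))
    return hits


def build_lnk(item_payloads, link_flags=HAS_LINK_TARGET_ID_LIST) -> bytes:
    """Constructed fixture: a minimal header plus an IDList (not a real shortcut)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, link_flags)
    header = header.ljust(LNK_HEADER_SIZE, b"\x00")
    id_list = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads)
    id_list += b"\x00\x00"  # TerminalID
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples: a plain document shortcut and one whose IDList names a
# DLL on the removable drive (drive letter and paths are made up).
BENIGN_LNK = build_lnk([b"\x1fE:", "\\docs\\notes.txt".encode("utf-16-le")])
SUSPICIOUS_LNK = build_lnk([b"\x1fE:", "\\icons\\helper.dll".encode("utf-16-le")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(name, inspect_shortcut(blob))
    print("junk", inspect_shortcut(b"not a shortcut"))
```

Run it against a mounted drive with `scan_directory("E:\\")` (or the mount point on Linux); anything that fails to parse is reported rather than skipped, since a shortcut the parser cannot walk is exactly the kind a triage analyst wants to see.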
This does not even count accidental (or otherwise) spillover, which is what happened in 2017 when NotPetya, ransomware in appearance but a wiper in effect, was seeded through a backdoor in Ukrainian tax preparation software and quickly made its way around the globe through businesses whose Ukrainian branches used that software.
What does this all mean? Largely that malware in the cyber domain is a double-edged sword, one that can come back to attack the attacker very quickly. If an attacker did decide to use malware as a cyberweapon, it seems likely they would first close off their own country’s internet. Such a sudden action could serve as a sign of an imminent “first strike,” or at least an attempted one.
Surmising intent has always been tough; it is part of why wars get started. But by staying aware of the latest cyber developments and research that an actor could have at their disposal, defense gets that much easier.