While destructive attacks like wiper malware and the various forms of ransomware are nothing new at this point, the creeping spread of destructive malware to more, and more dangerous, groups gives me pause. Historically, such attacks were primarily criminal, financially motivated activity; government-affiliated groups undertook them only occasionally, to deliver a political message, to cover the tracks of a more sophisticated espionage operation, or to distract from a more important second operation.
Combined with attackers' adoption of better anti-forensic techniques, this spread means destructive malware poses a much different business risk than it did even a few years ago, despite superficial similarities in function. What were once cyber espionage tools in the hands of spies are increasingly weapons in the hands of uniformed military units, and destruction is often their objective outright rather than an incidental effect or a means of accomplishing another goal.
As US Cyber Command and NATO allies work together to spread once-secret hacking techniques and tools within the alliance, the other major cyber players with global allies, Russia, China, and Iran, will look to do the same with their allies and friendly non-state groups. Moreover, all four nations have faced only limited diplomatic consequences for alleged destructive and disruptive cyberattacks, which probably incentivizes their future use.
For organizations targeted for attack, particularly by sophisticated nation-state APT groups like Russia's Sandworm Team or North Korea's APT38, the deployment of destructive malware, or the use of cyber operations to alter industrial production or safety systems, means that a small vulnerability or a slow response can quickly cascade into real-world consequences. In the past, such incidents might have caused only temporary disruption to a website or limited financial loss. Already we have noticed those deploying ransomware turning away from large-scale lock-ups of enterprises, which were easier for attackers but often had minimal impact on targets, and toward slower, long-term targeting of a company's most valuable databases and operations-support systems for ransomware deployment.