On 12 Oct 2021, Josh Meyer, @JoshMeyerDC, wrote an article titled, “The next big cyberthreat isn’t ransomware. It’s killware. And it’s just as bad as it sounds.” Is that just “FUD” – in this case, the media writing and using hyperbole contributing to Fear, Uncertainty, and Doubt – or could a cyberattack really have fatal consequences? The short answer: it isn’t hyperbole at all. But let’s take a step back and understand what we’re talking about.
Blended Threats, a Little Background.
In May of 2017, following the WannaCry ransomware outbreak, we asked if there was a best way to capture cyber incidents with physical impacts. After some discussion, we settled on the term “blended threats” and have been writing about them and conducting exercises around the country focused on them ever since.
A Blended Threat is a natural, accidental, or purposeful physical or cyber danger that has or indicates the potential to have crossover impacts and harm life, information, operations, the environment, and/or property.
In our March 2018 post we wrote, “How present are such blended threats? …consider a cyberattack on a facility – from a hospital to a Fortune 500 corporate headquarters – where physical systems are compromised, with so many networked systems that could potentially be (affected). In the case of Trident, the malware was deliberately deployed to manipulate emergency shutdown capabilities. Following observed attacks on energy facilities – such as in Ukraine, the potential for seriously consequential cyber-physical attacks on critical infrastructure, to include critical lifelines, is not just theoretical, but a real threat. While such capabilities may be initially limited to robust nation-states, history has shown that there is possibly nowhere that the idea of trickle-down economics has proven more real than in cybercrime, where what is once limited to a few eventually is employed by even unsophisticated threat actors. Whether by an inadvertent post (i.e., ‘Trisis has mistakenly been released on the open internet’) or an insider threat or hacking (such as the NSA enjoyed…), dangerous capabilities developed by the few seem to get into the hands of the many, potentially exposing physical systems to cyber threats by an increasing number of characters.”
Fast-forward to the present, and we’ve written on a variety of blended threats on this blog. Some recent examples include:
- Emerging Blended Threats: From TDoS to Insider Threats, 04 Mar 2021
- Blended Threats: Did Florida’s Cyber Attack Whet Your Appetite for Better Preparedness and Security? 01 Mar 2021
- Blended Threats: When Ransomware Kills… 17 Sep 2020
- Blended Threats: Holding Buildings Hostage, 11 Aug 2020
- And we’ve written a lot more on the blog and discussed them on our podcasts.
Coming Back to “Killware.”
In his article, Josh wrote, “As most Americans are still learning about the hacking-for-cash crime of ransomware, the nation’s top homeland security official is worried about an even more dire digital danger: killware, or cyberattacks that can literally end lives… (the) attack on the Oldsmar, Florida, water system (see the second bullet above) in February was intended to distribute contaminated water to residents, ‘and that should have gripped our entire country,’ (Homeland Security Secretary Alejandro) Mayorkas said… U.S. officials are concerned about the rash of ransomware attacks on hospitals, which have had to divert patients and cancel or defer critical surgeries, tests and other medical procedures…” That concern had already become far too real – see the third bullet above – and was further reinforced this year and summarized in a Wall Street Journal article on 30 Sep, “A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death.”
Before continuing, let’s pause and say, yes, the idea of “killware” is real, but the name is maybe a little much. It is not necessarily an exaggeration, but it invariably contributes to a FUD-filled environment, like “cyber Pearl Harbor” and other such terms. However, the threats Josh raises are very real, and they’re not going away. A few examples of recent incidents and warnings of blended threats coming in as cyber threats but posing serious physical consequences include:
- Ongoing Cyber Threats to U.S. Water and Wastewater Systems Sector Facilities, CISA, FBI, EPA, and NSA, with input from WaterISAC and Dragos, 14 Oct 2021. The joint Cybersecurity Advisory (CSA) details “ongoing malicious cyber activity—by both known and unknown actors—targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. Water and Wastewater Systems (WWS) Sector facilities. This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities.”
- Woman Allegedly Hacked Flight School, Cleared Planes With Maintenance Issues to Fly, Vice News, 12 Oct 2021, by Lorenzo Franceschi-Bicchierai (@lorenzofb). “A woman allegedly hacked into the systems of a flight training school in Florida to delete and tamper with information related to the school’s airplanes. In some cases, planes that previously had maintenance issues had been “cleared” to fly, according to a police report. The hack, according to the school’s CEO, could have put pilots in danger… ‘Between the time the data was altered and fixed, it was a situation that could have endangered human life…’”
- Smart Cities, an Increasing Attack Surface. In a recent Chatham House speech at Cyber 2021, Lindy Cameron, the CEO of the UK’s National Cyber Security Centre (NCSC), hinted at the opportunities for more consequential attacks as she stated, “In the coming years, society will benefit hugely from developments that make our lives more efficient and greener – such as smart cities. But it is inevitable that our adversaries – whether they are nation-state or cyber criminals – will seek to exploit the opportunities that these changes bring. And when they are successful, the potential impacts are much greater than the attacks we see today. So, we must ensure we are in a strong position to safely take advantage of these emerging technologies.”
- Joint Statement of the Ministers and Representatives from the Counter Ransomware Initiative Meeting October 2021, 14 Oct 2021. And as this post is being written, the U.S. has just wrapped up a virtual gathering of 30 nations discussing “the escalating global security threat from ransomware.” In a 14 Oct joint statement, the Ministers and Representatives of those countries stated, “From malign operations against local health providers that endanger patient care, to those directed at businesses that limit their ability to provide fuel, groceries, or other goods to the public, ransomware poses a significant risk to critical infrastructure, essential services, public safety, consumer protection and privacy, and economic prosperity.”
The threats are very real, and the idea that a blended threat can be fatal isn’t sci-fi; it’s our reality, and the threat and risks will increase as we continue to put more and more online. At Gate 15, we’ve been writing on this concern for years, and we’ve been working with partners like REN-ISAC and others to encourage preparedness for the wide array of blended threats.
Understand the Threats.
Assess the Risks.
Take action! Our team is here to help you build the relationships and capabilities you need and to assist in the development of plans, training, and exercises to support your ability to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk to your organization in our complex, all-hazards environment.