Editor’s note: This blog post is part of the upcoming Cyber Series. It sets the stage for subsequent posts by laying out some basic cyber concepts around malware.

Over the past decade, the cyber threat landscape has developed rapidly. Concerns about cyber-attacks have emerged as a globally recognized problem, reaching the list of top global threats in some countries in 2018. Today, cyber capabilities of various actors are advanced and, in many cases, mature. At the same time, intrinsic knowledge of the complex design and operation of the various types of malware, including the subtle differences, often remain elusive. This post introduces the basic notions and concepts around selected malware relevant for the analysis of cyber threats.

We cannot provide a complete taxonomy of all the different tools, threats and activities here. Rather, we intend to facilitate an accessible basic understanding of contemporary cyber-operations, focusing on the effects of selected malware, considerations regarding their design and the fundamental characteristics driving their spread.

***

The tools applied in recent cyber operations and their effects

The essential tools used in cyber operations are called ‘malware’ (‘malicious software’). Different types of malware exist. Some (perhaps most) are designed to carry out acts of espionage and data theft. Other malware is created for extorting ransom from the victim (‘ransomware’) or simply to destroy data, or, at times, to manipulate the industrial systems controlled by computers or digital systems.

Significant differences exist in the sophistication and mode of operation of well-known malware, such as the classic 1988 Morris worm exercise, and the 2017 WannaCry, or the 2010 Stuxnet and 2017 Triton/Trisis malware. One signal clearly emerges: the number and diversity of dangerous cyber-attacks appears to be growing. They are often well-planned, targeted and demonstrate technical sophistication.

In what follows, we will introduce and explain the functioning of four classes of malware. We focus on malware that was used in recent major cyber operations and which are especially relevant when considering potential humanitarian consequences of cyber operations. This categorization is necessarily a simplification of a complex reality: there are great differences not only between these different functional classes of malware but also between malware falling into the same functional class.

Ransomware

‘Ransomware’ is malware designed to make data unavailable—typically by encrypting it—and demanding a ransom to be paid from the victim. Thus, the use of ransomware often has a clear intention: monetary gain. Because of its impact, a particularly well-known example of ransomware is WannaCry. Having the capabilities of a worm, it was self-propagating—that is, it could spread from one system to another without human intervention.

Destructive malware (wipers)

Malware can be designed to cause disruption (for example by making systems unavailable). The most recent and undeniably most famous example of such malware was the wiper NotPetya (2017). Once NotPetya reached a system, it would overwrite the system’s master board record, making the computer system unusable. Such loss of availability of computer systems will often lead to effects in the real world.

Remote Access Trojans

Remote Access Trojans facilitate the remote control of an infected system. The name of this type of malware clearly links it to the historic incident of the ‘trojan horse’. It denotes a program that enters a system while hiding its true intent. Of particular note in this class is the ‘BlackEnergy’ malware, a ‘Remote Access Trojan’ malware used in a prominent attack on the Ukrainian power grid in 2015. That malware enabled the attacker to control the systems of Ukrainian power grid operators and take control over them, ultimately leading to power outages.

Malware targeting industrial control systems

There is also a class of malware specifically designed to target Industrial Control Systems (ICS), sometimes with the capability to cause malfunctioning in the machines that the computer system controls. For instance, the infamous ‘Stuxnet’ was designed to spread in industrial networks to cause malfunctioning in the specifically targeted equipment that the affected computers controlled. Stuxnet caused physical damage to Iranian uranium-enrichment centrifuges. A more recent example of ICS malware is the Triton/Trisis malware, which was designed and implemented with capability to re-program certain industrial safety systems. The unsuccessful attack on a Saudi Arabian petrochemical plant in 2017 (the threat group has been active at least since 2014) used this type of specialized malware.

The interference of ICS malware with safety systems can lead to the disruption of the industrial processes the system controls. If successful, such disruption may lead to the physical destruction or disabling safety systems, which would pose a real risk of human harm.

Select factors enabling malware to spread

The ability of malware to infect computing systems and to spread to others—either indiscriminately or with the purpose of only, or primarily, attacking a specific computer or computer network—depends on a number of factors.

Automation vs the need for action by the target

If the aim of a malware is to spread as widely as possible, it might be programmed to spread automatically by exploiting system or software vulnerabilities. This presupposes, however, that such vulnerabilities exist, are exploitable, and that an exploit is available to the malware designer. Worms like WannaCry or NotPetya had these characteristics. They were designed to spread quickly without human intervention. Such malware affects computer systems on a broad scale, typically not distinguishing between the owners or purpose of the systems in question, affecting computers of private individuals, public officials, hospitals and industry. However, such ‘self-propagating’ malware is rare.

Now, most malware requires user interaction. Among the most popular initial malware delivery today are phishing mails. In this case, infection requires the sending of messages that invite the confidence or trust of a victim in order to perform a specific action. In the case of phishing, the required actions typically include the opening of a malicious attachment, visiting a website hosting malware, installing an application, etc. Given that this type of malware requires human action, spreading as fast as fully self-propagated malware is impossible.

Malware needs to be programmed to affect specific software

As malware can only affect the exact software it is programmed to target, the ability of malware to spread depends on how widely used the targeted software is. To infect a system and perform the desired function, malware needs to exploit a vulnerability existing in the targeted system—software or hardware—leading to the performance of the desired functions. Vulnerabilities are typically platform-specific. Concretely—and to take a rather simple example—malware that is programmed to exploit a vulnerability in a Windows system can only affect Windows systems—not Mac or Linux systems.

Malware is able to spread and cause widespread damage if it targets commonly used software. For example, both WannaCry and NotPetya only affected computers working on a Windows operating system. In the case of WannaCry, the malware exploited a vulnerability in an old but still widely used version of Windows, that in many cases was not updated on time. Given that it was also programmed to propagate automatically, it was able to spread widely—reportedly affecting computers in more than 150 countries.

Regarding the NotPetya wiper, it is now widely believed that it has been delivered via the MEDoc software, which is needed for companies paying taxes in Ukraine. This meant that all companies paying taxes in Ukraine and their business partners were potentially affected because they had this software in their systems. Once delivered, it spread among Windows systems with a vulnerability for which an exploit was known, but the wiper also used other methods to spread.

As much as the exploitation of a vulnerability in a commonly used software enables certain types of malware to spread widely and essentially indiscriminately, the fact that malware will only be able to exploit the software it is programmed to target has a natural limiting effect. This limitation is particularly tight in case of industrial systems. For instance, malware designed to attack a specific ICS will only be able to deliver destructive payloads and potentially cause effects in these specific systems. This means that if a number of power plants use the same software system, malware could efficiently spread among these plants. If, however, they operate on different infrastructures (industrial sites, such as nuclear plants, often differ significantly), the same piece of malware cannot easily spread from plant to plant. It would need to be adapted to each operating system, which is not always easily done at large scale. As a result, even most sophisticated malware designed to cause damage to a specific ICS system, including with potentially destructive physical effects in mind, might often be naturally limited.

***

This post provides only a glimpse of the complexity of today’s cyber operations. Here are 3 take-aways for the reader:

  1. Malware can be designed for a number of different purposes. In this post, we have only looked at malware designed for making data unavailable, destroying it or manipulating computer systems.
  2. While many cyber operations aim at exfiltrating data (espionage) or spreading information (propaganda), malware can be programmed to cause effects in the physical word. However, this is very rare.
  3. Malware can be designed to spread widely and indiscriminately. However, the more malware is targeted at causing effects in specific kinds of systems—such as industrial control systems—the less likely it is to spread widely.

 

Other posts in the series