Killware - The Growing Digital Threat
Transcript
On the morning of February 5, 2021, workers at a water treatment plant in Oldsmar, Florida noticed something unusual and alarming. The system settings had been changed with the intent of increasing the concentration of sodium hydroxide from its usual 100 parts per million to over 11,000. Sodium hydroxide, when used at very low levels, purifies the water of biological contaminants and makes it safe to drink. At the new level set through the software, it would have reached a toxic concentration that could sicken or kill those who consumed it.
A worker reported that he had seen his cursor moving without input earlier in the day but had dismissed it as nothing unusual. Software features allowed supervisors to operate the facilities remotely, so it would make sense to assume that was the cause. Experts say that the increased chemical levels would not actually have taken effect for at least 24 to 36 hours, and the system would have caught the discrepancy and stopped the change before the contaminated water was sent out to the public. Regardless, the attempt marked what some call the first cyberattack on public infrastructure in the US that was actually meant to cause physical harm to people. Although the incident is under investigation by state and federal authorities, no suspected identities of the attackers have been publicly released, nor even an indication of whether the attack was domestic or international.
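The Oldsmar account above comes down to a single setpoint write that the plant's own checks would eventually have caught. The following is an added illustration, not code from the video or from any plant's software, of what an independent guard on such a write can look like: hard engineering limits, a maximum step per write, a mandatory review alert for anything originating from a remote session, and a two-person rule so that a remotely proposed change is only applied after a different operator confirms it from a local console. The parameter name, the 200 ppm ceiling, the 25 ppm step size, the source labels and the operator names are all assumptions chosen for the example; only the 100 ppm normal level and the 11,000 ppm attempted value come from the text.

```python
# Added example: an independent setpoint guard for a chemical dosing parameter,
# modelled on the Oldsmar incident. Limits, names and source labels are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Limits:
    hard_min: float   # writes below this are rejected outright
    hard_max: float   # writes above this are rejected outright
    max_step: float   # largest change accepted in a single write
    unit: str


# Assumed engineering limits for the sodium hydroxide dose setpoint.
# 100 ppm is the normal level named in the text; the ceiling and step are invented.
LIMITS: Dict[str, Limits] = {
    "naoh_dose_ppm": Limits(hard_min=0.0, hard_max=200.0, max_step=25.0, unit="ppm"),
}


@dataclass
class Decision:
    accepted: bool
    alerts: List[str] = field(default_factory=list)


def evaluate_setpoint_change(param: str, current: float, requested: float, source: str) -> Decision:
    """Check one requested write against limits, step size and origin.

    `source` is "local_hmi" or "remote_session" (assumed labels). Remote writes are
    never silently accepted: even an in-range one raises a REVIEW alert.
    """
    lim = LIMITS[param]
    decision = Decision(accepted=True)
    if not (lim.hard_min <= requested <= lim.hard_max):
        decision.accepted = False
        decision.alerts.append(
            f"REJECT {param}: {requested} {lim.unit} outside [{lim.hard_min}, {lim.hard_max}]")
    if abs(requested - current) > lim.max_step:
        decision.accepted = False
        decision.alerts.append(
            f"REJECT {param}: step {requested - current:+} {lim.unit} exceeds {lim.max_step}")
    if source == "remote_session":
        decision.alerts.append(
            f"REVIEW {param}: write from remote session ({current} -> {requested} {lim.unit})")
    return decision


class TwoPersonApply:
    """Hold accepted writes until a different operator confirms them from a local console."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[float, str]] = {}

    def propose(self, param: str, current: float, requested: float,
                proposer: str, source: str) -> Decision:
        decision = evaluate_setpoint_change(param, current, requested, source)
        if decision.accepted:
            self._pending[param] = (requested, proposer)
        return decision

    def confirm(self, param: str, confirmer: str, confirmer_source: str) -> Optional[float]:
        """Return the value to apply, or None if the confirmation is not valid."""
        if param not in self._pending:
            return None
        requested, proposer = self._pending[param]
        # The confirmer must be a different person and must be at the local HMI.
        if confirmer == proposer or confirmer_source != "local_hmi":
            return None
        del self._pending[param]
        return requested


if __name__ == "__main__":
    # Constructed scenario resembling the Oldsmar write: 100 ppm -> 11,100 ppm over remote access.
    print(evaluate_setpoint_change("naoh_dose_ppm", 100.0, 11100.0, "remote_session"))
    # A routine adjustment by a local operator passes cleanly.
    print(evaluate_setpoint_change("naoh_dose_ppm", 100.0, 110.0, "local_hmi"))
```

The guard deliberately keeps two independent reasons to reject (absolute range and step size) so that a defeat of one, say a corrupted limit table, still leaves the other in place; the REVIEW alert on remote writes is what would have turned the "cursor moving on its own" moment into a logged event rather than a shrug.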
Although the impact of this attack was minimal, considered alongside other events it presents a concerning trend. The United States has seen several other cyberattacks that have threatened large operations in the last year. One hindered management systems at an oil pipeline for nearly a week, while another targeted a large meat supplier and caused repercussions across the food supply chain. The public visibility of these events has led to more awareness of something security experts have been warning about for a while now: that public infrastructure is vulnerable to cyberattacks, which may have more dangerous implications than many realize.
There’s a new word for malware attacks intended to inflict harm and end lives: killware. DHS Secretary Alejandro Mayorkas has gone public recently with his belief that killware is the next emergent front in malware attacks and a growing public security threat. Private research firms agree, including Gartner, which has projected that within the next four years, ransomware attacks will be launched with the threat or intent to harm and kill people.
To some, this represents a chain of escalation from previous ransomware attacks. Ransomware on its own involves gaining unauthorized access to computer systems, encrypting files on them, and holding the data for ransom, with the data unlocked on payment or destroyed upon refusal. Sensitive data may also be stolen, with the threat of release to the public or on online black markets and other pages where such information is traded or sold. Some worry that choosing targets that have the power to kill people will be a tempting way to encourage quick payment of demands.
I have to admit, when I first heard the word “killware” my inclination was to ignore it as I tend to do with most media buzzwords warning about the latest danger. But kitschy names aside, we’ve established already that at least some experts in the field believe it will be a very real issue in the near future. Depending on who you ask, there have already been victims of this lethal malware.
In July of 2019, an Alabama hospital experienced a ransomware attack that affected its computer network. The hospital network was down for more than a week, leading to the loss of important systems including patient records and remote sensor monitoring. During this attack, a baby was born with her umbilical cord wrapped around her neck. She suffered brain damage and would die 9 months later.
A lawsuit filed by the baby’s mother against the hospital alleges that the ransomware attack disrupted the systems that enabled fetal heart rate monitoring at the nurses’ station. The attending OB-GYN at the time stated that she would have delivered the baby via C-section if the heart rate monitor had been functioning and had indicated a change in heart rate. In a text message to a coworker, she would write, “I need u to help me understand why I was not notified,” and in another message, “this was preventable.” The suit is currently ongoing, with the hospital denying responsibility.
In Germany, a muddier situation arose. A 78-year-old woman was being transported to emergency care with an aortic aneurysm. The ambulance arrived at the hospital and was turned away, as that location had been hit with a cyberattack that had locked down many of its computer systems, and the hospital was unable to take any new patients under the circumstances. The woman was taken to another hospital 32 kilometers away, resulting in a one-hour delay in treatment. Unfortunately, treatment was unsuccessful and she died shortly after.
Given the circumstances, authorities in Germany began investigating the crime with the possibility of charging the hacker with negligent homicide. After a two-month investigation, it was determined that the cyberattack couldn’t be definitively established as the cause of death, as the law would require. An autopsy and careful reconstruction of the timing led to a determination that the patient likely would have died even if she had received emergency care at the first hospital. But that likelihood is little comfort in the death of a woman whose emergency care was delayed.
The fear of lethal cyber attacks committed by criminal organizations is well-founded, but some are worried about a more insidious use by military or even terrorist organizations. Here’s what President Joe Biden had to say on the topic in July of 2021.
Cyber attacks are an attractive option because of their disproportionate effect, and they are difficult to defend against for many of the same reasons. It’s difficult to classify a cyber attack as an act of war in the same manner as a shooting or bombing, where an immediate forceful response would be justified. Even beyond this, just attributing the attack to an actor can be difficult; it’s known that many countries not only have official cyber warfare groups, but also keep close ties with groups separate from the government. This level of detachment provides some deniability if the attack can be attributed to rogue criminals rather than a government action.
Unlike most military actions, a cyber warfare group can look just like any other collection of tech workers. They could operate out of any office space and move without attracting any attention. There’s little to no risk of physical harm to the operators with this type of attack, and exploits could be inserted in a dormant state, ready to activate when needed.
Triggering such attacks could have widespread and devastating effects by targeting everyday utilities. For instance, consider the consequences of shutting down electrical power during a heat dome like the one we experienced last year, or a severe winter storm. Important public health facilities such as hospitals and emergency call centers could find themselves locked out, severely hindered, or totally unable to use the necessary systems. Then there are more volatile targets to consider.
In August 2017, a Saudi Arabian gas and oil plant experienced shutdowns of some of its industrial equipment. Researchers discovered that the malware had been designed not just to shut the system down, but to override mechanical controls to place it in an unsafe state and potentially cause physical damage. The shutdown had actually been the result of a safety failsafe engaging, which may have prevented the malware from fully taking effect. It was one of the first examples of malware tailored to industrial control systems, which directly control mechanical equipment and devices, and perhaps the first specifically designed to do so in a way that could harm the people around it.
Earlier examples of ICS-tailored malware include the destruction of nuclear centrifuges at Iran’s Natanz nuclear site. The malware has been widely attributed to Israeli intelligence, possibly with US assistance. In the decade since, cyber sparring matches between the two countries have escalated. In Israel, two water pumps were breached and the attackers reportedly tried to raise chlorine to unsafe levels. Then a number of Israeli sites were hacked, including the LGBTQ dating app Atraf. Personal information of thousands of Israeli citizens was released, including IDs, e-mail addresses, passwords, and phone numbers. In Iran, an attack at fuel stations completely shut off access to the country’s electronic card system used by citizens to purchase subsidized gasoline. At the same time, electronic billboards displayed political messages aimed at Iran’s Supreme Leader Khamenei. Together, it’s believed the effect was intended to stoke frustration and political anger among the population.
From these examples, it seems clear that there’s a pattern of escalation and proliferation of cyber attacks that could easily spill over into hurting innocent people. As our systems grow more complex and connected, the number of potential targets only increases. It’s a concerning prospect. So is there any hope of averting it?
At least between the United States and Russia, there has been some dialogue setting the stage for a mutual agreement against first-strike cyberattacks. This would be a move that in some way mirrors nuclear policy and creates a disincentive for what some refer to as a “cyber Pearl Harbor”, an act of aggression that could escalate into a hot war. While there’s much negotiating to be done, and such an agreement couldn’t guarantee cyber weapons would never be deployed, creating a mutual red line could go a long way towards reducing those chances. In the meantime, battles continue to be fought in the digital space.
If you have any thoughts about this video, feedback in the form of comments or likes and dislikes is encouraged and appreciated. If you’ve enjoyed it, you might also like to check out my playlist on science fiction weapons, or the one dedicated to the activities of military, government and war. Until next time, it’s been a pleasure as always. Thank you.