13 Oct Wiper – The AK47 of cyberwar
Unless you have been living under a rock recently, you know that Sony was hacked, d0xed, and whacked. (The meaning of “Hacked” is obvious. D0xed means that a whole lot of documents were stolen. Whacked is Australian for, well, whacked. As in over the head with a 2×4.)
Most people are quite reasonably focused on the implications of the leakage of movies, and salacious emails, but this has drawn attention away from the fact that the Las Vegas Sands suffered a similar attack at roughly the same time, with roughly similar results. A whole lot of information was stolen, and a whole lot of computers were wiped out.
No one knows exactly who is doing it, but the m.o. is remarkably similar to the Shamoon attack, from 2012, and the 2013 attacks on South Korean banks, so it doesn’t require a huge leap of imagination to suggest that it is all the work of the same group. If you’re interested, I made a video of the 2012 Shamoon attack, which you can view here, which will give you a pretty fair idea what the attack looks like, when they actually start the machine wipe.
In fact, the m.o. can be summarized as three steps…
(1) Penetrate the network,
(2) Surveil the heck out of it, until you understand it completely, and have stolen all the data you can, and
(3) Wipe out all the devices that you can, at the same time.
Compared with things like Stuxnet and Flame, the Wiper component is relatively unsophisticated, and Shamoon was even a bit buggy, but that tends not to matter if it hits you, because it hurts. If you get 30,000 PCs and servers wiped out overnight, that’s going to leave a mark on anyone. That’s why I call it the AK47 of cyberwar. Compared to a Stealth fighter, an AK47 is as crude as a club, but if it shoots you, well, dead is dead.
The first question is, “Can traditional antivirus protect us against this?”
The answer is, “Yes, and no.” Friends of mine, who still work “at the coal face” in antivirus, tell me that they see about one million new and unique bits of malware every day. Most of this is crimeware, and most of it is Zoo, in that it is just produced programmatically, to overload the signature scanners, and by and large, the av companies catch most of it between them, but the type of attacker that we are talking about today, only needs to get one bit of malware past everyone, and they are “in”.
This is classic, asymmetric warfare.
Defenders have to try to block everything. Attackers only have to find one way in.
We have to find new ways to defend. We can’t give up on antivirus, because someone has to handle the million new malware each day, and you need to make sure that your product of choice is keeping up. Try turning your av off, and see how that works for you.
This all matters because it’s going to happen again.
That’s a given.
What we don’t know is
it’s going to happen next.
If it’s a business, well, that’s bad for that business, but if it’s critical infrastructure, like power grids, that’ll hurt everyone.
We may be confident that this group is trying to get into that critical infrastructure right now. Hopefully, they are still just trying.
This is a difficult, but critical, problem.
This blog will keep looking for solutions.