Fifty years ago, battles were fought with armies and physical weapons, then the internet came along and introduced a whole new playing field for new forms of conflict and ‘war’
But the most alarming development we have seen take place is the use of destructive cyber techniques to support physical conflicts.
Most recently and prominently has been the use of Whispergate malware against the Ukrainian government, non-profit, and IT organizations, amidst the Russia-Ukraine crisis. The coincidental timing of the attack is telling, falling right alongside the breakdown of diplomatic discussions between NATO and Russia.
Whispergate malware is particularly damaging as it masquerades as ransomware, but instead of encrypting data, it simply wipes the system. The fact that the purpose of the malware is to damage – even cripple – the targets, is a big indicator of the overall intention behind the campaign.
By merging the powers of physical and cyber strategies to engage in conflict, nation-states and prominent criminal groups will reach a new level of threat and opposing parties will soon find themselves fighting a war on two fronts. So, what’s the answer?
The malware breakdown
It’s important to first understand how cyber fits into this equation. Using the Whispergate malware as an example, we can uncover the strategy behind these attacks and understand the initiator’s desired outcomes.
Analysis released by Microsoft’s Threat Intelligence Centre shows that this particular malware operates through two stages. It first overwrites the Master Boot Record (MBR) with a ransom note, and then downloads file corrupter malware hosted on a Discord channel and overwrites files with common extensions.
During stage one, the malware “resides in various working directories, including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is often named stage1.exe.” Appropriately named, stage2.exe follows as the downloader for the malicious file corrupter malware. As this malicious software is easily mistaken for ransomware, the typical protocol is to shut down the machine to prevent file encryption. However, by doing this, the teams automatically play into the adversary’s hands.
With the MBR now overwritten, the affected device can no longer function normally. The ransom note distracts the team and steers them down the wrong path, clearing the way for the malware to rampage through and wipe the systems.
The role of the supply chain
Cybersecurity has been made even more complicated by the countless links between businesses, and the sometimes-unregulated data sharing between them. Organizations are often so distracted by their own security that they fail to consider other avenues. Just one weak link in the chain can bring down the entire network of companies.
The attack against Ukrainian organizations started with a breach in the company Kitsoft who supply digital tech to state authorities and other commercial businesses. The links between the origin site and the malware’s final destinations made it much easier for the adversaries to launch their attack.
Cyber and physical, an alarming duo
The Ukrainian deputy secretary of the national security and defense council has drawn comparisons between the Whispergate malware and previously recorded attacks by groups tied to Russian Intelligence. Officials in Kyiv believe that the group UNC1151 – associated with Belarusian intelligence – may have been involved in the attack. It has been suggested that this activity was a distraction technique to mask the launch of Whispergate.
This isn’t the first-time cyber attacks have aligned with physical conflicts, and unfortunately it won’t be the last. Industry experts have recalled and reported on events back in 2015, when the Ukrainian power grid came under attack by a Russian hacking group, ‘Sandworm’, amidst physical conflict. Whilst cyber may not directly shape the physical battlefield, it has a growing supportive role. Knocking out systems or wiping critical data can leave both organizations and nation-states disorientated and vulnerable on the cyber and physical plains.
The multitude of attack vectors being used by malicious groups means sound vulnerability and threat management has never been more important. Maintaining visibility across the entire infrastructure is crucial for managing an organization or state’s cyber risk exposure and attack surface, as well as monitoring for any unusual activity occurring within the operational technology (OT) networks. With the power of cyber and physical conflicts converging, authorities and organizations alike must prepare for a future where battles are fought on two fronts.
About the Author
Rochelle Fleming is Chief Operating Officer of Sapien. Sapien Cyber is an Australian company providing class-leading cybersecurity and threat intelligence solutions for the protection of critical infrastructure. Empowering organisations to protect their critical infrastructure assets and mitigate risks from evolving cyber threats in an increasingly interconnected world.