Ransomware is the current king of the cybersecurity threat landscape, in part because of a demonstrated willingness by criminal groups to escalate to real-world damage to infrastructure. U.S. Department of Homeland Security Secretary Alejandro Mayorkas thinks that things are poised to go a step further in that direction in the very near future.
Referencing recent attacks on water treatment plants and hospitals, Mayorkas told USA Today that “killware” made to intentionally cause death is the next breakout cybersecurity threat. Research from Gartner backs up his speculation; the firm projects that within the next four years, threat actors will be weaponizing operational environments to harm and kill people.
“Killware” cybersecurity threat emerges with attacks on medical facilities, utilities
While ransomware has disrupted supply chains for the first time this year, causing stoppages in the delivery of everything from gas to meat, these attacks do not represent a direct threat to the health and safety of human beings. They are certainly an escalation from what has been seen in previous years, but Mayorkas references a non-ransomware cybersecurity threat that received far less media coverage as his primary concern.
Mayorkas sees the prototype for killware in the February attack on a water treatment facility in Oldsmar, Florida. An unknown party used outdated remote TeamViewer login credentials (that were supposed to have been disabled) to gain direct access to the facility’s controls, and attempted to raise the level of lye in the public water supply to unsafe levels. Commonly used at lower levels as a disinfectant, a strong enough concentration of lye can cause skin burns and internal injuries.
That attack was thwarted by an on-premises operator who noticed activity on the plant’s console as the attacker attempted to change settings; Oldsmar officials also said that the public was in no danger as increasing chemicals beyond an unsafe level would trigger automatic alarms and mechanical failsafes. This was not the only attack on water utilities of this nature, however; there was a similar incident in Kansas in which a former worker used their old login credentials to attempt to shut off the chemical treatment process and distribute tainted water.
These malicious attacks accompany three ransomware attacks directed at water and wastewater treatment facilities. The cybersecurity threat in these cases was fairly standard, encrypting files with no attempt to control industrial equipment or cause physical harm. However, Mayorkas sees the killware concept evolving to combine direct threats of harm with ransomware attacks or other breaches of this nature.
There is some reason to give credence to this theory, given the pattern of escalation and crossing of “red lines” that criminals were not bold enough to in previous years. Ransomware was fairly dormant as a cybersecurity threat for several years before roaring back to life in 2019, evolving from indiscriminate attacks widely distributed by bot networks to targeted attacks on large well-funded organizations that often incorporate research and spear phishing. A big step in 2020 was the addition of threats to “doxx” confidential company information if ransoms were not paid; some of the bigger ransomware gangs would dump stolen personal information and corporate secrets on dark web sites in response to a refusal or a failure to pay within the time limit.
The next big evolution, as seen in media coverage this year, was a willingness to directly attack critical infrastructure. This was something that all types of threat actors had previously shied away from for fear of drawing severe reprisal from national governments. The willingness of major ransomware groups like REvil and Darkside to shut down fuel and food supplies represented an escalation in terms.
Mayorkas believes that killware will be the next line to be crossed in the cybersecurity threat landscape, as bold threat actors demonstrate a willingness to cause death and destruction via compromised systems to coerce payments or simply to make a political statement. Jack Chapman, VP of Threat Intelligence at Egress, agrees with this projection: “This is an alarming development, but not entirely unexpected. Malware, including ransomware, is a fast-growing criminal market, and over time it’s inevitable that we’ll begin to see increasing numbers of so-called ‘killware’ attacks, aimed at crippling infrastructure … The US government is taking the threat of cyberattacks increasingly seriously, proposing new legislation that would require critical infrastructure owners to report attacks to CISA to enable the government to gain a better understanding of the threat. This is an important step, but it’s also up to organizations themselves to ensure they have the right technology and security protocols in place to defend themselves. Sadly, I expect that we’ll begin to see a growing number of headlines about killware as these attacks become more widespread.”
How serious is the killware threat?
Though it may not have been the intent of the attackers, that line has already been crossed in Germany. The first death officially attributed to ransomware occurred there last year, when a woman being transported by ambulance had to be turned away from a non-function facility and died en route to the closest alternative. Ransomware has also been linked to the death of a baby in Alabama in 2019, when nurses failed to notice a change in heart rate that would have normally been displayed on a large central monitor.
Gartner Inc., the international market research and risk management consulting giant, published a paper in July that projected deaths due to a cybersecurity threat weaponizing industrial facilities by 2025. The firm sees the cost of attacks that cause fatalities reaching $50 billion per year, and that public and government reaction will lead to CEOs being held personally accountable for cyber attacks in which physical harm or death occur.