Here we see old-school worm outbreaks, the type that plagued networks in the late 1990s and early 2000s, combined with modern payloads designed to steal money and disrupt government systems.
We don't know exactly what drives the re-emergence of worms outbreaks, but I believe we're witnessing the testing of early prototypes for cyber warfare development programs. It's similar to detecting underground nuke tests, like those we see in North Korea.
If that is indeed what's going on, every industrial sector and global economy must take notice and start adapting.
Lessons of Code Red and Nimda
Code Red took approximately 10 minutes to infect every vulnerable Microsoft IIS server globally. My charge from the Director of DARPA was to develop a strategy and technology for tackling computer worms that move at the speed of networks.
The program that followed, Dynamic Quarantine of Worms, did this successfully and was briefed to Congress. The program was well funded because of its national significance in potentially defending critical infrastructures against destructive worms. This should ring true today, as it did in 2002.
However, like many of the Defense sector programs at the time, it was classified instead of being transitioned to the commercial sector, and is now a footnote in history.
At the time, most of us in the security community accepted that this would be the new normal, but it never came to pass. Many believed the actors who wrote these worms were experimenting, but never really intended to let these loose on the network because destroying the commons would be harmful to all.
Since then, the economics of computer infections made it far more profitable to steal data such as intellectual property (to gather intelligence or competitive designs for nation state actors), or to steal credentials for fraud used by cyber crime syndicates for financial crimes.
In a twist of irony, there is a certain degree of comfort in financially motivated crime or economically and intelligence motivated intrusions. You understand the enemy and what they are after. Like a parasite, it does no good for the adversary to kill the host in these cases. On the flip side, business models have emerged to deal with a certain level of cyber crime and theft of intellectual property. Banks, for example, accept a certain level of fraud as a cost of doing business. One can even insure against cyber theft at reasonable price points.
On the other hand, destructive malware and, in particular, worm-based destructive malware, is the equivalent of a nuclear device on a network. While we have long known of their existence and no doubt their presence in nation state arsenals, we previously speculated there is little benefit to deploying such a worm because the consequences would be so severe.
The Mutually Assured Destruction principle applies to destructive worms. The Stuxnet worm deployed against Iran purportedly by US and Israeli intelligence was never intended to get outside the nuclear facilities it targeted. But its worm-like capabilities escaped and ended up attacking susceptible global networks. Lessons were learned from that failure in design.
Going back to destructive malware attacks like WannaCry, NotPetya, the Mirai botnet attack, the Sony Entertainment attack, and ransomware, it's clear that destructive malware is beginning to take its place in the threat landscape.
Ransomware as a class of destructive malware is probably the fastest growing class of malware, and corporate boards are taking notice as company networks are going down due to mass infections.
The question about destructive malware is “why now?” after 15 years of very few destructive large-scale malware incidents? In the case of ransomware, financial gain is the clear driver. Instant monetization of the victim's machine will continue to drive the growth of ransomware infections, particularly with good conversion rates on infections. For WannaCry, NotPetya, and Mirai, I'm unsure of the actual rationale, though I welcome your comments below.
I suspect WannaCry and NotPetya represent more experimentation by a sophisticated adversary. Both of these infections possess important hallmarks that include exploit previously classified EternalBlue vulnerabilities traceable to the NSA by way of Shadow Brokers disclosures, and the ability to self-propagate.
Both also used ransomware as a “cover” -- most security professionals do not believe ransom was the intended goal. Meanwhile, we still have no idea who was behind these attacks.
Weapons of emerging nations
My hunch is that the evolution of destructive malware is the early stages of the development of cyber warfare arsenals by emerging non G-20 nations, e.g., North Korea and Iran.
North Korea is notable only for its possession of nuclear weapons and its bellicose threats about using them. We also believe that the DPRK launched destructive malware against Sony Pictures Entertainment networks. We believe Iran has launched destructive malware against Saudi Arabia's Aramco networks, and that both nations have emerging cyber warfare capabilities.
Cyber warfare can rapidly bring an emerging nation onto an equal playing field with industrialized nations like the US and Western Europe at relatively miniscule cost in comparison to developing a nuclear weapons program. If you are a despotic regime feeling threatened by the league of G-20 nations, it's natural to develop nuclear and cyberwarfare capabilities they can use as a bargaining chip, if not an instrument of war if it ever came to that.
Whoever is behind these attacks, it's clear that we know what's coming – more destructive malware.
No time to waste
The age of “ignorance is bliss” in security is over. Corporate chieftains can no longer relegate security as an IT issue, like email. Destructive malware worms pose existential threats to companies and critical infrastructures. As such, corporate strategy needs to be developed for how to plan for, detect, mitigate, and recover from destructive malware attacks.
When your network gets hit with malware, do you have a plan in place and have you gamed it out?
Do you know whether your controls will mitigate destructive malware attacks? Do you have a back-up and recovery plan or a communications strategy for employees, customers, and the public?
If not, there is no time to waste.