Adversaries’ New Strategy: Cyber Attacks Designed for Destruction, Not Just Disruption?
As defenders, one of our key objectives is to help organizations and individual users understand the threat landscape so they can reduce their exposure to cyber threats. Our threat researchers and technology partners watch that ever-changing landscape very closely, as they have for many years now. That’s one reason we are confident when we say that we believe some actors in the shadow economy are making plans to launch cyber attacks that could potentially have a devastating impact that extends far beyond damage to the core target.
This statement is not meant to be sensational. It is only a warning about what we, and others in the security community, sense might be coming. We have no clear insight — yet — into when such an attack might happen or what the targets would be. But as the Cisco 2017 Midyear Cybersecurity Report explains, we find the rapid evolution of threats and the magnitude of the attacks troubling. Based on what we have been observing, we suspect that some adversaries are laying the groundwork for a new type of attack, which we call “destruction of service” or DeOS.
The purpose of such an attack would be to prevent defenders from restoring systems and data. Right now, many security-minded organizations take some comfort in knowing that when they are hit, inevitably, with a DDoS attack, ransomware campaign or other major cyber event, they’ll be able to recover because they have backed up their critical data and systems. DeOS is meant to eliminate that safety net, making it impossible for the business to operate, permanently.
Adversaries know that no business has a contingency plan that outlines how to rebuild all of its information technology and operational technology from the ground up. And if a major enterprise were the target of a DeOS attack and suddenly ceased to operate, it’s easy to imagine the repercussions not only for that business, its employees, customers, partners, and other stakeholders, but also potentially for the global economy.
The rise of the IoT botnets
So, what is happening in the threat landscape now that has defenders so concerned about what may come? One thing is Internet of Things (IoT) botnet activity. IoT botnets sound futuristic, but they are definitely real—and not exactly new. The Cisco 2017 Midyear Cybersecurity Report notes that “2016 brought a long-feared DDoS threat to fruition: Cyber attacks launched from multiple connected devices turned into botnets. These attacks propelled us into the 1-TBps DDoS era.”
That is a powerful attack, and it raises the question: What’s next? In the near term at least, we can expect to see more and bigger IoT botnets. According to our partner Radware, whose research on IoT botnets is featured in the midyear report, these botnets are quick and easy to set up and can grow exponentially—and very quickly. IoT botnet malware also has a low detection rate.
Radware has been closely monitoring the activity of three of the largest known IoT botnets: Mirai, BrickerBot, and Hajime. Details about their research are featured in the midyear report, as well, but here’s a quick overview of what we know about these botnets:
- Mirai, which was involved in one of the highly disruptive 2016 attacks, has been infecting hundreds of thousands of IoT devices and turning them into a “zombie army” that is capable of launching powerful volumetric DDoS attacks.
- BrickerBot is known for permanent denial of service (PDoS) attacks, which can damage systems so severely that the hardware must be reinstalled or replaced. (Unfortunately, this type of destructive attack is becoming increasingly popular, according to Radware.)
- Hajime, whose author claims to be a white hat hacker, is what Radware describes as “a sophisticated, flexible, thoughtfully designed, and future-proof IoT botnet.” It’s also worrisome, as it hasn’t taken any action yet with the hundreds of thousands of devices it has so far infected. It does some interesting things, too, like cleaning malware (including from other botnets) from the device it wants to infect.
Again, these are just three of the largest IoT botnets out there. Their authors are early movers in the IoT space, which is rampant with vulnerable devices and systems that weren’t built with security in mind. More malicious actors will look to stake their claim in the IoT. And as IoT botnets multiply and grow, so too will IoT-driven DDoS attacks—moving us closer toward the “DeOS era” of cyber attacks.
Read more about DDoS, DeOS and other cybersecurity trends in the Midyear Cybersecurity Report.