SAN FRANCISCO — Cyberattacks by nation-states will soon kill people, either deliberately or unintentionally, a senior security researcher told attendees at the RSA Conference here this week.
Sandra Joyce, senior vice president of Global Intelligence at the California-based firm FireEye, said that the May 2017 WannaCry attacks by North Korea and the NotPetya attacks by the Russian military in June 2017 shut down hospitals, disrupted shipping and cost hundreds of millions of dollars in losses — much of it in the form of collateral damage.
It is inevitable, she said during her RSA presentation yesterday (March 5), that future nation-state attacks on such scale will cause loss of life.
"I rarely get to stand up in front of groups and tell them that the news is getting better," Joyce told the crowd. "But if you have purely destructive malware backed by a nation-state, then where does that leave us?"
NotPetya, which spread through the update mechanism of tax-accounting software that nearly every business in Ukraine ran, masqueraded as ransomware, Joyce explained. But the affected data could not be decrypted even if the ransom was paid. The goal of NotPetya was purely destructive, and the destruction streamed outward from Ukraine to infect companies and other institutions in 65 other countries.
Part of the collateral damage was at U.S. hospitals, Joyce said, where some patients could not be immediately treated as a result.
"A friend of mine who was suffering from throat cancer was turned away and told to come back next week," Joyce said.
Had anyone died as a result of NotPetya, that would have been an unintended consequence of a specific attack on Ukraine's economy. But nation-state malware already exists that is designed to deliberately kill people, according to Joyce.
Malware that can kill
She cited the Triton malware, which was found in 2017 on the safety instrumented systems of a Saudi petrochemical plant. Those systems exist to shut a plant down safely in the event of a poisonous-gas leak or a critical failure; Triton gave remote attackers the ability to disable them.
Triton "messed with [the] last layer of defense before human life is at risk," Joyce said.
Fortunately, errors in Triton caused the safety controllers to trip, so it was discovered before it could be fully used against the Saudi plant. And while previous destructive, but non-lethal, attacks on Saudi oil facilities had been blamed on Iran, FireEye fingered a surprising culprit: Russia.
"We have high confidence that this was supported by the Russian Central Scientific Research Institute of Chemistry and Mechanics," Joyce said.
(A report published today in MIT Technology Review said that Triton is still being developed, and that its targets are now worldwide.)
In September 2017, shortly after the Triton malware was discovered, FireEye detected a spear-phishing attack on one of its customers in the U.S. energy sector. The company's analysts quickly determined that North Korean hackers were trying to infect FireEye's client using malicious email messages, and released an alert jointly with the Department of Homeland Security.
"North Korea was trying to get a foothold in the U.S. electrical grid," Joyce said, clarifying that this was only a reconnaissance mission on the part of North Korea, but one that could easily have led to more destructive attacks.
The United States' role
It's not that the U.S. is completely blameless, Joyce said. The first well-known cyberweapon targeting critical infrastructure, Stuxnet, was a joint American and Israeli project. Discovered in 2010, it had infected the uranium-enrichment facility at Natanz, Iran, and set back the Iranian nuclear-weapons program by at least 18 months.
Stuxnet started as "a pretty noble idea," Joyce said — it provided an alternative to a military attack on Iran. It didn't kill anyone. But it escaped from its geographic confines into the wild, and its code, which targeted the same class of industrial-control equipment that Triton later did (Stuxnet sabotaged Siemens programmable logic controllers; Triton attacked Schneider Electric Triconex safety controllers), is now available to anyone.
The same loss of confinement happened with EternalBlue, an exploit developed by the NSA for a flaw in the Windows SMB file-sharing protocol that lets malware spread rapidly from one Windows computer to another without any user interaction. Either by theft or by accident, EternalBlue ended up in the hands of the Shadow Brokers, an online group posing as "hacktivists" that is widely suspected of being a front for Russian intelligence.
After a cursory attempt to sell EternalBlue and other NSA hacking tools, the Shadow Brokers released the code online for free in April 2017. Both the WannaCry and NotPetya malware then used EternalBlue to spread around the world in the following months. (Microsoft, presumably tipped off by the NSA, had patched the SMB flaw in March 2017 with security bulletin MS17-010, but many computers had not installed the update.)
What happens next
The U.S. has taken some small actions against nation-state attacks, indicting a North Korean hacker over the WannaCry attacks and knocking the Internet Research Agency, a well-known Russian troll farm, offline on the day of the 2018 U.S. midterm elections. But asked by Tom's Guide whether the U.S. should retaliate proportionately against future attacks on the scale of WannaCry or NotPetya, Joyce said the right solution would instead be diplomacy.
"The Obama-Xi agreement [between the U.S. and Chinese presidents in 2015] drastically cut down the amount of China's commercial intellectual-property theft," she said, citing a temporarily successful peaceful solution. (The agreement has since been largely abandoned.)
But Joyce thinks that the long-term solution should be an internationally recognized convention governing the rules of cyberwar and how such conflicts affect noncombatants.
"This isn't the first time humanity has faced unintentional injury," she said, citing the 1949 Fourth Geneva Convention that was designed to protect civilians, forbid the taking of hostages, ban expropriation of property and create other safeguards.
Joyce advocated that the Fourth Geneva Convention be expanded to cover armed conflicts in cyberspace and protect civilians and their property from becoming unintended victims of destructive nation-state attacks.
We need "to establish [military] norms and frameworks for the cyber domain," she said.