Killware has been frequenting the news in recent weeks. Some of the actual headlines, from real news sources, can come across as pretty frightening:
DHS Secretary: “Killware,” Malware Designed To Do Real-World Harm, Poised To Be World’s Next Breakout Cybersecurity Threat — CPO Magazine
Killware: The New Cyber Threat and What It May Mean for Data Breach and Cybersecurity Litigations — The National Law Review
The Emergence of Killware, the Lethal Malware — Gartner
The next big cyberthreat isn't ransomware. It's killware. And it's just as bad as it sounds. — USA Today
Cybercriminals are continually looking for new, creative ways to exploit vulnerabilities in your cybersecurity approach. That’s no secret. But what exactly is killware, and is it really as bad as some of the trending headlines suggest?
Most importantly: what can you do to protect yourself and your network from this latest cybersecurity threat?
The Definition of Killware
Security Boulevard describes killware as “… a wide variety of cyberattack types that target the real-life health of victims … killware is defined by its end result, and can include any number of methods, including malware and ransomware.” The end goal is causing real physical harm, potentially through cyberattacks against hospitals, power grids, airports, and other systems that directly affect human livelihood.
In the USA Today story cited above, Alejandro Mayorkas, Secretary of the U.S. Department of Homeland Security (DHS), referred to killware as the “next breakout cybersecurity threat,” and the agency he leads considers killware a more critical threat than existing ransomware methods. Even Gartner weighed in with a prediction that in as little as four years, bad actors will regularly deploy killware attacks.
Robert Weiss, OpenVPN Head of Information Security, points out that, “In our interconnected and automated world, killware impacts everyone. People have been and will be impacted by systems that they are not responsible for securing. We share risk in common.” The industries and organizations the DHS identifies as potential targets for bad actors are those with the most potential to put human lives at risk of physical harm, or death, in the event of disruption or interference:
- Emergency Response Systems (Personal and Public)
- Hospitals and Healthcare Providers
- Oil and Gas Equipment and Supplies
- Fire and Police Departments
- Power Grids
- Supply Chains for Food and Necessity Goods
- Transportation Infrastructure
- Water Supplies
Killware Attacks in the News
One of the sectors on the DHS list, water supplies, was targeted by cybercriminals in February.
A hacker managed to access an Oldsmar, Florida water treatment plant, adjusting the sodium hydroxide levels from 100 parts per million to 11,100 parts per million. The attack, which happened roughly 15 miles from where the Super Bowl would take place two days later, had the potential to increase the amount of sodium hydroxide in the water supply to dangerously high levels. In this case there were no injuries, illnesses, or lives lost, because an employee identified and stopped the attack.
How did the hacker get into the facility’s network? Using something many IT professionals battle daily: remote access credentials shared between employees. The rapid growth of remote and hybrid workforces accelerated the need for remote access, but this incident highlights how off-site workforces are an attack vector for cybercrime. This is why it’s critical to continually educate, and re-educate, employees about the need to adhere to network security guidelines.
In September 2020, a ransomware attack on a German hospital actually redirected an ambulance transporting a woman suffering an aortic aneurysm. The extra distance and time required to reach the alternate hospital was too much, and tragically, the woman died.
Unfortunately, legal complexities regarding causation prevented German authorities from pressing charges beyond blackmail and hacking. Whether or not the criminals will be found remains to be seen, and even if they are found, the likelihood of prosecution is low.
Another, earlier hospital ransomware attack occurred at Mobile, Alabama’s Springhill Medical Center in September 2019. In this heartbreaking case, a newborn suffered injuries due to the attack’s impact on monitoring equipment used by the hospital staff.
The child died nine months later, and her mother is pursuing legal action against Springhill Medical Center. As with the German case, legal experts point out that existing laws may not be equipped to handle the intricacies of sophisticated cybercrime that has the potential to kill people.
In what might be the most high-profile attack to date, Colonial Pipeline was hit with a ransomware attack in May 2021. Three days later the FBI confirmed that a ransomware group known as DarkSide was responsible for the attack. In response, the company proactively shut down 5,550 miles of pipe, triggering panic on the East Coast and causing gasoline shortages in multiple states.
Like the Oldsmar water treatment facility attack, an employee password was at the root of the Colonial Pipeline incident. The combination of a password that was no longer in use, but not deactivated, and the lack of multi-factor authentication (MFA) was enough for hackers to successfully access Colonial’s network.
Mitigating Killware Attacks in the Age of Remote Access
Ransomware and malware attacks aren’t new, but the stakes are getting higher. And the increased number of people working remotely, using home or public WiFi to access company networks and apps, dramatically increases the opportunities for bad actors to take advantage of gaps in security solutions.
According to Weiss, “Ransomware is the fastest growing category of malware because of its profitable business model. Ransomware operators have been demanding larger ransoms as they create more damaging outcomes. Killware outcomes and damages will be particularly significant. Ransoms continue to fund additional attacks creating a malicious spiral.” With that in mind, how can network security professionals guard every device and prevent these potentially deadly cyberattacks?
In “What the Hafnium Attacks Tell Us About Today’s Ransomware Threat,” OpenVPN recommends:
- Patch vulnerabilities (like the Microsoft Exchange Server ones) promptly.
- Use multi-factor authentication (MFA) to secure remote desktop (RDP) servers and other corporate accounts.
- Train employees to better spot phishing attacks.
- Segment networks to limit the spread of any infection.
- Install network-based detection tools (NDR, next-gen IDS, etc.).
- Design and regularly test an incident response plan.
- Back up sensitive data according to the “3-2-1” rule.
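The two credential failures described above, a password that was no longer in use but never deactivated and lacked MFA (Colonial Pipeline), and remote-access credentials shared between employees (Oldsmar), are both things a defender can audit for. The following is an added example, not code from this post or from OpenVPN: a Python audit over constructed sample account records and VPN login events (field names, users, addresses and the 90-day and 30-minute thresholds are all assumptions).

```python
from datetime import datetime, timedelta

SAMPLE_ACCOUNTS = [  # constructed, hypothetical users; not from any real system
    {"user": "alice", "enabled": True, "mfa": True, "last_login": "2021-05-01"},
    {"user": "contractor7", "enabled": True, "mfa": False, "last_login": "2020-11-15"},
    {"user": "old_admin", "enabled": False, "mfa": False, "last_login": "2019-06-02"},
    {"user": "shared-ops", "enabled": True, "mfa": True, "last_login": None},
]
SAMPLE_LOGINS = [  # constructed VPN login events: user, source address, time
    {"user": "shared-ops", "src": "10.0.0.5", "time": datetime(2021, 2, 5, 8, 0)},
    {"user": "shared-ops", "src": "203.0.113.9", "time": datetime(2021, 2, 5, 8, 12)},
    {"user": "alice", "src": "10.0.0.7", "time": datetime(2021, 2, 5, 9, 0)},
]


def audit_accounts(accounts, as_of, dormant_days=90):
    """Return (user, reasons) for every enabled account that is dormant,
    never used, or not enrolled in MFA; already-disabled accounts are skipped."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        if not acct["mfa"]:
            reasons.append("no MFA")
        last = acct["last_login"]
        if last is None:
            reasons.append("never used")
        elif datetime.strptime(last, "%Y-%m-%d") < cutoff:
            reasons.append(f"dormant > {dormant_days} days")
        if reasons:
            findings.append((acct["user"], reasons))
    return findings


def shared_credential_suspects(events, window_minutes=30):
    """Return users whose account logged in from two different source
    addresses within window_minutes, a common sign of a credential shared by people."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(ev["user"], []).append(ev)
    suspects = set()
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["time"] - first["time"] > timedelta(minutes=window_minutes):
                    break  # events are time-sorted, so nothing later fits the window
                if later["src"] != first["src"]:
                    suspects.add(user)
    return sorted(suspects)
```

Accounts the audit flags are candidates for deactivation or MFA enrollment; a user flagged by the login check is a prompt to confirm that one person, not a team, holds that credential.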
What role do VPNs play in thwarting ransomware and malware attacks with the potential to turn into killware incidents? Next-generation VPN allows organizations to connect users anywhere, while securing businesses against a growing range of cyber threats, including both malware and ransomware. Weiss points out that, “Protection against killware will require increased vigilance of information security, particularly in systems that provide critical infrastructure and control systems that interact with humans. VPNs are one of the solutions that can help.”
But how exactly do they do that?
From DNS-based content filtering, intrusion detection and prevention (IDS/IPS), single sign-on (SSO), and SaaS-based publishing to Zero Trust Access, a next-generation VPN fulfils everything an organization needs to secure its data and network in a complex, distributed environment. At the same time, a next-generation VPN simplifies operations dramatically, making it easy to configure and useful for both technical and non-technical users, which increases the likelihood that employees will actually use the security tools provided.
Separating Clickbait from Reality
Yes, killware is a real thing, but the name alone lends itself to sensationalism and classic FUD (Fear, Uncertainty, Doubt) tactics. Does it require extraordinary security measures?
The best cybersecurity approach is layered and continuously monitored for gaps. Network security administrators need to ask themselves how confident they are in their existing security approach, without getting caught up in headlines meant to generate clicks. Establishing cybersecurity guidelines, and regularly educating (or re-educating) employees of the importance of adhering to the guidelines, plays a significant role, too. In the end, a layered approach that employs multiple controls to guard a network’s most vulnerable points will keep potential killware attacks in the same category as countless other forms of ransomware and malware.
Don’t get caught up in the hype; just be diligent. As our own expert Weiss tells us, “A lot of information security is like hygiene — small tasks and habits we perform daily to make sure our networks and devices remain secure. Anyone can start with the basics.”