Destructive Malware: Is it Time for CISOs to Panic?

by Ross Dyer

Many UK organisations are only now coming to terms with the fact that APTs and targeted attacks are a real and present danger to the corporate crown jewels: sensitive IP and customer data. It’s taken a while for the threats to filter down from government agencies and high-profile multinationals. But the truth is that, with the means to launch such attacks now widely available on underground forums, any company could realistically be targeted today.

The bad news, as we’ve seen over the past fortnight, is that the game is changing again. Enter the destructive malware attack.

Carnage in Culver City
Details are still emerging about exactly what happened to Sony Pictures Entertainment in an attack at the end of November, but it appears that the hackers first infiltrated the corporate network and made off with some extremely sensitive data. But here’s the twist. They are also said to have launched Destover – a malware family designed to overwrite data on hard drives, including the master boot record, which effectively means affected PCs cannot even boot up. It’s no surprise that employees soon let it be known on social media forums that the attack had forced IT chiefs to shut down the corporate network completely.

In the weeks following, much of that data has apparently found its way online – information including the telephone numbers of Hollywood A-listers, the personal details of Sony staff and even the script of the new James Bond film. This kind of attack clearly goes beyond your average information-stealing targeted attack – adding corporate downtime, irretrievable data and damaged machines to the usual hit to brand and reputation, clean-up and investigation costs, industry fines and so on. In short, it raises the stakes yet again for CISOs.

Another, seemingly unrelated, attack was reported last week. Iranian hackers, most likely with at least the blessing of the state, are alleged to have infiltrated the network of the Sands casino and resort company in Las Vegas. They wiped hard drives, felled a multi-million-dollar storage system and knocked out key systems monitoring the performance and payouts of slot machines and table games. It is claimed that the attack could be in retaliation for anti-Iran remarks made by Sands CEO Sheldon Adelson.

Am I at risk?
After the Sony attack, the FBI is said to have released a five-page “flash” report to businesses warning about the destructive malware doing the rounds. It’s still unclear who is responsible, but some fingers are pointing at North Korea, which many think launched the attack in reprisal for the new Sony movie The Interview, which lampoons the hermit nation. Destover is also related to the malware used in the DarkSeoul attacks on South Korean banks and TV stations last year, which were traced to Pyongyang.

The main destructive malware attacks we’ve seen to date appear to have nation state backing. The other major incident, which affected up to 30,000 computers at oil giant Saudi Aramco in 2012, is also believed to have been launched from Iran. On the face of it, then, this is still a relatively rare occurrence. The worry, however, is that the means to launch such attacks will eventually filter down to the wider cybercriminal community, just as the means to launch APTs and targeted attacks did. It’s no surprise that Trend Micro Cyber Security VP Tom Kellermann claimed the Sony attack “represents a watershed event”.

Time to plan
The best cyber security strategies are based around advance planning for the worst-case scenario, so that organisations can minimise their risk exposure and react quickly if they are attacked. With that in mind, consider the following as a very first step towards improving your cyber resilience:

  • Reappraise cyber security strategies to take account of the impact of destructive attacks
  • Practise incident response drills to see how well staff respond to a ‘destructive attack’
  • Liaise with other parts of the organisation – PR, execs, legal, risk etc – so everyone understands their role in the event of an attack
  • Enhance traditional defences with advanced protection to detect and block zero day threats
  • Improve and re-communicate security training and awareness programmes. These will help to keep staff alert to incoming spear phishing attempts
  • Ensure virtualised environments are protected with ‘virtual aware’ security for maximum effectiveness


