RSA 2018 "You don't launch a cyber weapon, you share it."
That was the reminder two security researchers issued to RSA Conference attendees in San Francisco on Tuesday. They warned that advanced malware strains, particularly those developed by government hackers, can be captured and repurposed by cash-strapped miscreants to build a controllable arsenal of software nasties.
Kenneth Geers, senior research scientist at Comodo Cybersecurity, and Kārlis Podiņš, a threat analyst with Latvia's CERT, also said governments should be more aware of how their own advanced malware is being lifted by other countries and potentially repackaged for attacks on them and their allies. Sorta like what happened with the NSA's stolen and leaked EternalBlue exploit and the WannaCry ransomware that wielded it.
"It's faster and easier than one might imagine to build an arsenal of cyber tools," explained Geers. "It is going to lead to complexities on the battlefield as tools get out and get repurposed."
Podiņš explained how a savvy government agency under attack by malware could, in a matter of hours, modify portions of the malicious code so that it fetches different payloads and talks to new command-and-control servers, then redeploy the cyber-weapon for its own use. No reverse engineering of the exploit itself is required for that step: the code that gets the implant onto a box is reused as-is, and only the configuration that points it at the operator changes.
This is especially tempting if the malware exploits a zero-day vulnerability – a bug unknown to the vendor, for which no patch or mitigation yet exists – that the victim was unaware of; now the target agency or organization can work out the exploited flaw, and use it to infiltrate others.
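The repurposing step, and its consequence for defenders, is easy to show on a toy. The following is an added example, not code from the article or from Geers and Podiņš: it builds a constructed "implant" blob with a hypothetical layout (code bytes followed by a `CFG:` marker, a C2 host and a payload URL), swaps the C2 and payload without touching the code, and then compares two detection approaches. Indicator matching on the original C2 host misses the repurposed copy; a hash over the code section alone, ignoring the config block, still matches. Every byte string, hostname and the config format here are constructed for illustration.

```python
"""
Added example (not from the article): repurposing a captured implant by
rewriting only its configuration, and why IoC-based detection misses the
result while code-based detection does not.

Constructed, hypothetical image layout:
    [code bytes][b"CFG:"][c2_host \0][payload_url \0]
No real malware format is represented.
"""
import hashlib

CFG_MARKER = b"CFG:"


def build_sample(code: bytes, c2_host: str, payload_url: str) -> bytes:
    """Assemble a constructed implant image: code section, then config block."""
    return code + CFG_MARKER + c2_host.encode() + b"\0" + payload_url.encode() + b"\0"


def _cfg_offset(image: bytes) -> int:
    idx = image.find(CFG_MARKER)
    if idx < 0:
        raise ValueError("no config block found")
    return idx


def extract_config(image: bytes) -> dict:
    """Pull the C2 host and payload URL out of the config block."""
    fields = image[_cfg_offset(image) + len(CFG_MARKER):].split(b"\0")
    return {"c2_host": fields[0].decode(), "payload_url": fields[1].decode()}


def repurpose(image: bytes, new_c2: str, new_payload: str) -> bytes:
    """The 'matter of hours' step: keep the code, replace the operator's config.

    The exploit and loader code are reused verbatim; only the endpoints change.
    """
    idx = _cfg_offset(image)
    return build_sample(image[:idx], new_c2, new_payload)


def full_hash(image: bytes) -> str:
    """Whole-file hash: the usual IoC shared in feeds. Breaks on any config change."""
    return hashlib.sha256(image).hexdigest()


def code_hash(image: bytes) -> str:
    """Hash of the code section only, ignoring the config block.

    Survives repurposing because the attacker did not touch the code.
    """
    return hashlib.sha256(image[:_cfg_offset(image)]).hexdigest()


def ioc_match(image: bytes, known_c2_hosts: set) -> bool:
    """Network-indicator detection: does the embedded C2 host appear in our feed?"""
    return extract_config(image)["c2_host"] in known_c2_hosts


def code_match(image: bytes, known_code_hashes: set) -> bool:
    """Code-section detection: does the implant's code match a known sample's code?"""
    return code_hash(image) in known_code_hashes


# Constructed sample: a few arbitrary bytes standing in for a loader/exploit stub.
CODE_STUB = bytes.fromhex("554889e54883ec20488d3d00000000e800000000c9c3")

# The "government" tool as originally deployed (constructed hostnames).
ORIGINAL = build_sample(CODE_STUB, "update.example.net",
                        "https://update.example.net/stage2.bin")

# The same tool after a victim captured it and pointed it at their own infra.
REPURPOSED = repurpose(ORIGINAL, "cdn.example.org",
                       "https://cdn.example.org/wiper.bin")

# Detection feed built only from the original sample.
KNOWN_C2 = {extract_config(ORIGINAL)["c2_host"]}
KNOWN_FULL = {full_hash(ORIGINAL)}
KNOWN_CODE = {code_hash(ORIGINAL)}


if __name__ == "__main__":
    for name, img in (("original", ORIGINAL), ("repurposed", REPURPOSED)):
        print(f"{name:10s} c2={extract_config(img)['c2_host']:20s} "
              f"ioc_hit={ioc_match(img, KNOWN_C2)} "
              f"fullhash_hit={full_hash(img) in KNOWN_FULL} "
              f"code_hit={code_match(img, KNOWN_CODE)}")
```

The takeaway for a blue team is the last column: a feed of file hashes and C2 hostnames from the original campaign goes quiet the moment someone re-deploys the same code with new infrastructure, whereas a signature keyed on the code that actually does the exploitation still fires. Real implants obfuscate and relocate their configuration rather than leaving it behind a fixed marker, so in practice this means YARA rules or code-similarity hashing over the loader and exploit logic, not a string match on a URL.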
This, the pair contend, should give nations pause when looking to deploy an advanced malware package against a hostile nation or terrorist group, lest it be repackaged with a more destructive payload – such as a disk wiper as opposed to stealthy spyware – and used to create havoc.
"It is a matter of awareness up front on both sides," explained Geers.
"If you have an offensive team you have to be aware that someone might steal your tools, so you have to be more judicious in your operation." ®