Not long ago, the concept of killware was the stuff of futuristic, doomsday movie fare. The idea that hackers could breach systems related to basic public infrastructure and health services to put people’s very lives at risk seemed scary, but far-fetched. Unfortunately, that dystopian future has, at least to some degree, arrived.
What is Killware?
The term killware is an overarching term that covers a wide variety of cyberattack types that target the real-life health of victims. While other forms of malware are usually defined by their method — think DDoS or spear phishing attacks — killware is defined by its end result, and can include any number of methods, including malware and ransomware.
The U.S. Department of Homeland Security (DHS) has recently designated killware as an emerging cyber threat even more urgent than typical ransomware. DHS Secretary Alejandro Majorkas told USA Today that killware, designed to intentionally cause death, is the “next breakout cybersecurity threat.” Gartner predicts that within the next four years, threat actors will be routinely weaponizing operational environments to intentionally harm and kill people.
DHS identifies several key potential killware targets that could put thousands of lives at risk, including:
- Water supplies
- Power grids
- Oil and gas supplies
- Food and basic necessity supply chains
- Police and fire departments, including dispatch operations
- Transportation infrastructure
- Emergency response systems
Essentially, any networked community resource should be considered at risk for this type of attack. According to a blog written by Gartner senior research director Wam Voster, emerging “smart” technology is also attractive to bad actors. IoT-connected smart thermostats and self-driving cars are just two examples of technologies that could be targeted by killware attackers.
Has Killware Been Successful?
In late 2020, a German woman suffering from an aortic aneurysm died when she was turned away from a hospital that was being held hostage by a ransomware attack. By the time she arrived at an alternate site, she had experienced fatal complications and could not be saved by medical personnel. A ransomware attack was also blamed for causing the death of a baby in Alabama in 2019.
The attack on an Oldsmar, Florida water treatment facility in early 2021 is another example of how killware is being wielded by bad actors. Here, the attackers breached the plant’s systems and boosted the level of sodium hydroxide in the water to levels far exceeding the safe limit — in fact, the level of sodium hydroxide was considered lethal, at more than a hundred times the safe limit. Luckily, an operator was able to quickly respond, but for a frighteningly long few minutes, the community’s water supply was at risk of delivering lethally contaminated water directly into the homes and businesses of 15,000 people.
How Can SOCs Protect Against Killware?
It’s never been more important for security teams to have a tight handle on network behavior, including every endpoint. Full network visibility is the only hope we have for detecting potential killware attacks before they wreak havoc or create harm to individuals and communities. This means the legacy systems that may have been sufficient even a few years ago are inadequately equipped for staving off modern threat actors with the intent to harm.
MixMode uses third-wave AI to create a constantly evolving baseline of expected network behavior and examines network activity in real-time to detect unexpected deviations. Subtle, but concerning, shifts in network behavior that might be overlooked by traditional log-based SIEM or NTA systems are quickly surfaced by MixMode for further investigation. In the meantime, MixMode is smart enough to filter out hundreds of false positives, freeing up analysts’ time, so they can prioritize true potential threats, including attempted killware and zero-day attacks.