Black Hat 2023: Cyberwar Shoot and Forget Me Not


Critical infrastructure, malware

What happens to cyberweapons after a cyberwar?

Black Hat 2023: Cyberwar Shoot and Forget Me Not

There are very few weapons invented that haven’t been repurposed later for the next horrible thing, even if we promise the current one is the “war to end all wars.” But they never are. With one notable exception – turning the global troposphere into a nuclear firecracker that cooks us all – there seems to be no limit to the lengths we can go to destroy others, and sometimes ourselves.

Here has Black hat, there is an undercurrent that dual-use weapons are used for both good and evil, depending on perspective. After all, one nation-state’s hero is another’s villain.

At ESET, we remain committed to protecting technology. Specifically, we believe our job is to protect the technology and leave the determination of intentions to governments. We’re technologists at heart, and here at Black Hat, there’s a lot of heart.

A summer camp for hackers

People call Black Hat the “hacker summer camp,” and between Black hat, DEFCON (And B sides for those in the know), there is a maelstrom of gadgets, widgets and quite a bit of code to tie them all together for both attackers And defenders. Part of the logic is that by understanding how something is constructed, we can better understand how to defend it.

There are many techniques around Black Hat that seek to deal as much physical and structural damage to an enemy as possible. But do they make us all less safe? Hopefully they make us more aware – and that might make us safer.

We appreciate a certain sophistication in the systems used to keep people safe, often through sharing, trust groups, and red/blue teams to “sharpen the sword.” We hope this will lead to a safer future world for everyone, the kind of world we want to live in.

A digital arsenal means unlimited ammo

When we talk about these cyber weapons, we’re talking about malware, which is not much different conceptually (philosophically?) from early computer viruses – they’re just much more complex. And malware is something that ESET and companies like us have been protecting computers against for years.

What is new about the use of malware in war is the ease with which it can be studied, copied and quickly transformed for use in attacks by anyone. An example of this is the Stuxnet worm of 2010: once discovered, the worm exploited several zero-day vulnerabilities, including the ability to automatically run from removable media such as USB flash drives, usually via specially designed Microsoft shortcut (LNK) files. Within weeks, what was initially considered a sophisticated and expensive-to-develop attack was used by lower-level script kiddies to attack their schools’ networks. And that was more than a decade ago, long before most nation-states were actively seeking malicious code to weaponize for use against their adversaries. Today, it is likely that such reverse engineering and reuse would take nation-state adversaries only a few hours, or a few days at most.

Related: Seven years after Stuxnet: the security of industrial systems once again in the spotlight

This also does not include accidental (or other) overflows, which it happened in 2017when NotPetya ransomware, spread through a backdoor in Ukrainian tax preparation software, quickly spread around the world through companies whose Ukrainian branches used the software.

What does all this mean? For the most part, the use of malware in the cyber domain is a double-edged sword, one that can come back to bite the attacker very quickly. If an attacker decided to use malware as a cyber weapon, it seems likely that they would shut down their own country’s Internet first. Such sudden action could be a sign of an imminent “first strike,” or at least an attempted strike.

It has always been difficult to assume intent, which is why wars are often started, but by being aware of the latest cybersecurity developments and research that an actor may have, defense becomes that much easier.

Before you leave: Cyber-war or cyber-hype?

Leave a comment