Given the surge of incidents over the past decade, most people are now familiar with ransomware and data breaches. A newer term, killware, has emerged for attacks that aim at people rather than data, and it has become a serious security concern for organizations that run physical processes. But what does "killware" actually mean? Let's take a look:
Killware and industries that are vulnerable to these attacks
Security Magazine describes killware as a cyberattack that is deployed with the intent of producing real-life risk to communities through the manipulation of operational technology (OT). Put simply, killware attacks can be lethal or physically damaging to human life because they target critical infrastructure.
For example, suppose that a city's public transportation system is hacked and services are halted. Even if the transit operator restores service by paying the attackers' ransom (and payment is no guarantee that systems come back), people can still be hurt during the outage itself, for instance riders stranded without heat or emergency services delayed by the disruption.
As businesses continue to digitalize operations and expose more control systems to remote access, threat actors gain more opportunities to execute killware attacks, because the systems that move physical processes become reachable over the network. The U.S. Department of Homeland Security (DHS) has named hospitals, power grids, banks, police departments and similar services as primary killware targets, since a single intrusion can put thousands of people at risk. In short, the more densely an industry's physical operations are networked, the more susceptible it is to this type of attack.
Killware vs. malware: What's the difference?
Killware and malware can seem fairly similar in nature, but they differ in their end goals and in how they are defined. Malware families are typically classified by what the code does, for example ransomware encrypts files, spyware exfiltrates data, and cryptojackers mine cryptocurrency (phishing, by contrast, is a delivery technique rather than a malware type). Killware is defined by its ultimate outcome, and any tool, ransomware included, can be used to produce it. In addition, most cybercriminals run malware campaigns for monetary gain, whereas the goal of a killware attack is to inflict physical harm on people, even when a ransom demand accompanies it.
Real-world examples of killware attacks
In September 2020, University Hospital Düsseldorf in Germany was struck by a ransomware attack that crippled the IT systems the facility depends on to assign doctors and organize treatments. The hospital had to deregister from emergency care, and a 78-year-old woman in urgent need of treatment was diverted by ambulance to a hospital in Wuppertal, about 32 kilometers away; she died shortly after arrival. The case was widely described as the first death linked to a ransomware attack. German prosecutors opened a negligent-homicide investigation but later concluded that the roughly one-hour delay was not the decisive cause of death, since the patient's condition was already so severe. The incident still shows the mechanism that matters: the attackers did not target medical devices directly, yet encrypting ordinary IT was enough to take emergency care offline.
Another incident widely cited as killware occurred in February 2021, when an unknown party gained remote access to the water treatment plant in Oldsmar, Florida, and raised the sodium hydroxide (lye) setpoint from about 100 parts per million to 11,100 parts per million, just days before the Super Bowl was held roughly 15 miles away in Tampa. An operator saw the cursor moving on screen and reversed the change within minutes, so the water never left the plant at that concentration and no illnesses or injuries were reported. The intrusion path reported by the FBI and CISA was mundane: the plant's Windows 7 workstations ran TeamViewer for remote access, and all of them shared the same password, so anyone with that credential could operate the HMI from anywhere. Later reporting cast doubt on whether an outside intruder was involved at all, but the lesson is unchanged: a single shared remote-access credential stood between the internet and a dosing setpoint, and the only control that caught the change was a human watching the screen.
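The Oldsmar case turns on two controls the plant lacked: a restriction on which hosts may write setpoints, and an independent sanity check on the values written. The following is an added example, not code from the article or from any vendor, of a small write-guard that an OT gateway or historian could apply to HMI write events before they reach the controller. The tag name, the safe band, the step limit, the operator subnet and the log lines are all constructed assumptions; real limits come from the plant's process engineers.

```python
"""Setpoint write guard: source, range and rate-of-change checks for OT writes.

Added illustration, not from the original article. Tag names, limits, the
operator network and the sample log are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Limits:
    low: float       # lowest setpoint the process may legitimately run at
    high: float      # highest setpoint the process may legitimately run at
    max_step: float  # largest change a single write may make while in band


# Hypothetical limits for a lye (NaOH) dosing setpoint in ppm. 100 ppm is the
# normal value reported for Oldsmar; the band and step size are assumptions.
LIMITS: Dict[str, Limits] = {"naoh_dose_ppm": Limits(50.0, 200.0, 25.0)}

# Hypothetical: only HMI workstations on the plant operator VLAN may write.
OPERATOR_NETS = [ip_network("10.0.0.0/24")]


@dataclass(frozen=True)
class Write:
    ts: str
    user: str
    src_ip: str
    tag: str
    old: float
    new: float


def parse_line(line: str) -> Write:
    """Parse one line of the constructed format: ts user src_ip tag old->new"""
    ts, user, src_ip, tag, change = line.split()
    old, new = change.split("->")
    return Write(ts, user, src_ip, tag, float(old), float(new))


def violations(w: Write) -> List[str]:
    """Return every policy violation for a write; an empty list means allow."""
    found: List[str] = []
    if not any(ip_address(w.src_ip) in net for net in OPERATOR_NETS):
        found.append(f"write from {w.src_ip} outside operator network")
    lim = LIMITS.get(w.tag)
    if lim is None:
        # Unknown tags are denied rather than passed through.
        return found + [f"unknown tag {w.tag}: deny by default"]
    if not lim.low <= w.new <= lim.high:
        found.append(
            f"{w.tag}={w.new:g} outside safe band [{lim.low:g}, {lim.high:g}]"
        )
    # The rate-of-change limit applies only when starting from an in-band
    # value, so a write that brings a runaway tag back into band is never
    # blocked (the operator's corrective write at Oldsmar must get through).
    elif lim.low <= w.old <= lim.high and abs(w.new - w.old) > lim.max_step:
        found.append(
            f"{w.tag} step {w.new - w.old:+g} exceeds max_step {lim.max_step:g}"
        )
    return found


# Constructed HMI write log. The third line mirrors the reported Oldsmar
# change (100-ish ppm to 11,100 ppm) arriving from outside the plant.
SAMPLE_LOG = [
    "2021-02-05T08:00:00Z operator1 10.0.0.12 naoh_dose_ppm 100->110",
    "2021-02-05T08:05:00Z operator1 10.0.0.12 naoh_dose_ppm 110->160",
    "2021-02-05T13:30:00Z operator1 203.0.113.7 naoh_dose_ppm 110->11100",
    "2021-02-05T13:31:00Z operator1 10.0.0.12 naoh_dose_ppm 11100->100",
    "2021-02-05T13:32:00Z operator1 10.0.0.12 chlorine_ppm 2->3",
]


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every line through the guard and return (timestamp, reason) pairs."""
    return [(w.ts, v) for w in map(parse_line, lines) for v in violations(w)]


if __name__ == "__main__":
    for ts, reason in audit(SAMPLE_LOG):
        print(ts, reason)
```

Two design points are worth noting. The guard reports all violations of a write rather than the first one, so a write that is both off-network and out of range shows up as two findings for the analyst instead of one. And the step limit is deliberately skipped when the starting value is already out of band; a guard that blocked the operator's 11,100 to 100 correction would be worse than no guard at all. Note that the same user name appears on every line, which is exactly what a shared credential looks like: the source address, not the account, is what separates the legitimate writes from the hostile one.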
The future of killware
As remote and hybrid work expands, more engineering and operator access to OT is routed over the internet, and the attack surface for this kind of incident grows with it. Gartner has predicted that by 2025 attackers will have "weaponized operational technology environments" to successfully harm or kill humans, which is to say that Gartner expects deliberate killware, not just collateral damage from ransomware, to become an established threat.
Steps towards mitigating the impact of a killware attack
If an organization experiences a killware attack, there are a few approaches to help ensure that the situation doesn't escalate:
- Isolate the affected OT segments from the corporate network and the internet first: cut the remote-access paths and cross-segment links the attacker is using rather than pulling power from every device. Abruptly de-energizing pumps, valves, or safety instrumented systems can itself cause the physical harm you are trying to prevent, so any shutdown decision belongs with the site's process and safety engineers, following the plant's documented safe-state procedures.
- Do not factory-reset or wipe compromised devices before evidence is preserved. Capture logs, memory, and disk or configuration images first; then reimage from known-good firmware and project files, and rotate every credential that could have been used, including shared remote-access passwords of the kind that enabled the Oldsmar intrusion.
- Contact the manufacturer of the affected OT devices to report the incident and obtain guidance on recovery or replacement, and report the attack to the relevant authorities (in the U.S., CISA and the FBI). Vendors and authorities may hold indicators from similar incidents that shorten the investigation.