Killware - a new highly dangerous cyberthreat according to US security official

Ransomware has been the talk of the cybersecurity sector for well over a year, with 2021 bringing a significant increase in attack frequency and intensity. Ransomware attackers look to exploit a network's weaknesses for financial gain, with one group amassing over $100,000,000 during the first half of 2021 alone. But what happens when the desired impact of the attack is more sinister?

Killware is defined as a cyberattack that, by either direct or indirect means, aims to cause serious or fatal harm to its victims. In an interview with USA Today, Alejandro Mayorkas of US Homeland Security described a mitigated killware attack that took place in February 2021 against Oldsmar, Florida. The attacker hijacked a water treatment plant's network with the intent of increasing the plant's levels of sodium hydroxide, also known as lye or caustic soda, from 100 parts per million to 11,100 parts per million. In low concentrations sodium hydroxide is used to regulate the pH level of drinkable water, but at the levels intended by the hacker it would severely damage any human tissue it came into contact with.

Mayorkas stated that the attack “should have gripped our entire country”, but thankfully the change was spotted by the on-duty operator before any damage was done. Even if it had gone unnoticed initially, the pH alarms located within the water treatment plant would have alerted staff long before the water was sent for public consumption. It does, however, pose a question: if someone is able to breach the network far enough to even attempt changing the levels, is it plausible that they may be able to disarm the pH alerts as well?

The Homeland Security official also referred to the Colonial Pipeline ransomware attack that took place in April 2021, which led to massive fuel shortages throughout the east coast of America, before concluding that both the Colonial Pipeline and Oldsmar incidents are part of a wider indication that malicious hackers are looking to target key elements of a nation's infrastructure to cause harm to its constituents. Mayorkas continued by stating that “the attempted hack of this water treatment facility in February 2021 demonstrated the grave risks that malicious cyber activity poses to public health and safety,” and concluded that “the attacks are increasing in frequency and gravity and cybersecurity must be a priority for all of us.”

Ransomware threatens data safety and creates financial pressure, but killware could cost lives. Recent research has named the healthcare, education, and government sectors as high-risk and high-frequency targets of cyber attacks, and private-sector cyber security experts have warned that cyber-physical security incidents targeting national infrastructure could have fatal consequences if not properly and promptly mitigated.

Wam Voster, senior research director at security firm Gartner, noted that the rise of consumer-based technology products such as autonomous vehicles and smart thermostats has created a society that operates in a “ubiquitous cyber-physical systems world”, creating a myriad of threats.

Gartner further reported that there is enough evidence of dangerous attacks that by 2025 “cyber attackers will have weaponized operational technology environments to successfully harm or kill humans.” Voster then wrote in a related article that “the attack on the Oldsmar water treatment facility shows that security attacks on operational technology are not just made up in Hollywood anymore.”

In the case of Oldsmar, the killware was intended to cause serious bodily harm to a significant portion of the population, and although the intended outcome was clear, the reasoning for the attack is still somewhat of a mystery. The target for Oldsmar was large, but smaller ripples of killware and ransomware could seriously affect victims on a more individual basis by cancelling appointments or disrupting medical monitoring.

In July 2019 Springhill Medical Centre in Mobile, Alabama, was the victim of a ransomware attack that caused its network to shut down for nearly eight days. A subsequent lawsuit against the hospital implied that this attack caused the death of a newborn child, who suffered brain damage during birth complications. The lawsuit alleges that the ransomware attack caused significant disruption to how the nurses monitored the child’s heart rate, which resulted in the death 9 months later. In this case, the hospital denied any wrongdoing and maintained that the death was not the fault of the hospital or the nurses working that night.

Although in this instance the hospital argued that it was not at fault, a later study in 2021 conducted by the Cybersecurity and Infrastructure Security Agency (CISA) and Ponemon Institute proposed direct links between patient mortality and ransomware attacks. Using the excess death data in Vermont during a significant ransomware attack on the UVM Health Network in Burlington, the CISA team found that there was a correlation between hospitals affected by ransomware and patient deaths, with affected hospitals reaching the inflection point between two and six weeks faster than nearby hospitals not experiencing ransomware attacks.

Kate Pierce, Chief Information Security Officer at Vermont’s North Country Hospital, said: “In our rural facility, it is not a far stretch to see the connection from cyberattacks to patient deaths, as the next acute care facility is over 40 miles away. The additional time it would take a patient to arrive at an alternate site could definitely be the difference between life and death.”

In some cases it may be difficult to trace the line that differentiates collateral damage caused by ransomware from the sinister intent seen in killware, but one thing is for certain – when it comes to national cyber security, there is no room for mistakes.