In a world where data leaks and breaches are rampant, it can be beneficial to pause and refocus. Sabotage has been an effective strategy historically, and it reared its ugly head in the cyber warfare realm with the discovery of the Stuxnet worm. For anyone who is interested, I’m going to throw a plug to the Darknet Diaries Podcast on Stuxnet.
Oftentimes we get caught up in the high-profile attacks that result in ransoms, data destruction, and credential theft. It may be bold to say, but those vectors seem too short-sighted to accomplish a long-term goal. Corporations and governments don’t operate in a 24-48 hour window; they measure end states in years or even decades. To understand why that matters, we must explore the case for sabotage.
The Goal
If you are measuring your own goals in a time frame of years, not days, it’s safe to assume that your competitors are as well. As Wikipedia defines it, sabotage is a deliberate action aimed at weakening a polity, effort, or organization through subversion, obstruction, disruption, or destruction.
From a threat actor’s perspective, you are now tailoring your attack to a long-term goal rather than a quick payout, which is relatively uncharted water. Aiming to regain the edge in research and development? Trying to waste people’s time, or the organization’s resources? Maybe a merger and acquisition agreement is in development, and you want to make the target less desirable. Why not bankrupt them outright? For hacktivists, it would be pretty damning to have falsified data sitting on a target’s information systems!
When you have the advantage of time, sabotage begins to look like a better option than the dumpster fires making the news. The effect is gaslighting an entire organization.
The Methods
In 2008, the CIA declassified the Simple Sabotage Field Manual (recently modified to an archive.org link) (PDF), which outlines ways for a potential saboteur to participate in a war effort. Since that manual was written in 1944, we need to smash a few brain cells together and apply it to a modern cyber scenario. Working out a slow, insidious approach to hindering productivity was a true mental exercise!
- Consuming a percentage of keystrokes, causing inadvertent typos
- Buffering keystrokes or mouse clicks and introducing a barely-noticeable artificial delay
- Transposing digits when entered in sequence
- Directly modifying characters and numbers (social security numbers, IP addresses, e-mail addresses, etc.) in files in a way that doesn’t violate the standard
- Mangling HTTP form submissions with typos, modifying check boxes or radio fields, etc.
- Changing current window focus to another open application
- Removing single pages from, cancelling, or duplicating documents sent to the print queue
Take that small list of ideas, trigger each one with some low-frequency randomness, and keep reading.
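To make the “doesn’t violate the standard” item concrete, here is a small Python simulation written for this edit (it is not the author’s abandoned proof of concept and nothing from the field manual). It applies one adjacent-digit transposition per field, behind a per-field low-frequency trigger, and only keeps a transposition that still satisfies the field’s format (an IPv4 octet stays a legal octet, an SSN keeps its NNN-NN-NNNN shape). It works on in-memory strings only; the record layout, field names and sample values are constructed for the demo.

```python
import random
import re
from typing import List, Optional, Tuple

# Constructed sample records for this demo; none of them come from the original post.
SAMPLE_RECORDS = [
    "patient=4471 glucose_mg_dl=119",
    "citation=8812 speed_mph=69 limit_mph=55",
    "host=dbserver addr=192.168.7.218",
    "employee=7 ssn=123-45-6789",
]

# Field formats. The same patterns stand in for the "standard" a naive validator checks.
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Plain integers of two or more digits that are not part of an IP or SSN.
INT_RE = re.compile(r"(?<![\d.\-])\d{2,}(?![\d.\-])")


def make_rng(seed: int) -> random.Random:
    """Seeded generator so a run can be reproduced."""
    return random.Random(seed)


def valid_octet(octet: str) -> bool:
    """Strict dotted-quad octet: no leading zeros, 0..255."""
    return octet == str(int(octet)) and 0 <= int(octet) <= 255


def transpositions(digits: str) -> List[str]:
    """Every string reachable by swapping one adjacent pair of differing digits."""
    return [digits[:i] + digits[i + 1] + digits[i] + digits[i + 2:]
            for i in range(len(digits) - 1) if digits[i] != digits[i + 1]]


def mutate_ipv4(ip: str, rng: random.Random) -> Optional[str]:
    """Transpose digits inside one octet, keeping every octet a legal value."""
    octets = ip.split(".")
    options = [(k, t) for k, o in enumerate(octets)
               for t in transpositions(o) if valid_octet(t)]
    if not options:
        return None
    k, t = rng.choice(options)
    octets[k] = t
    return ".".join(octets)


def mutate_ssn(ssn: str, rng: random.Random) -> Optional[str]:
    """Transpose digits inside one group, so the NNN-NN-NNNN shape survives."""
    groups = ssn.split("-")
    options = [(k, t) for k, g in enumerate(groups) for t in transpositions(g)]
    if not options:
        return None
    k, t = rng.choice(options)
    groups[k] = t
    return "-".join(groups)


def mutate_int(num: str, rng: random.Random) -> Optional[str]:
    """Transpose two adjacent digits: 119 -> 191, 69 -> 96, 55 -> unchanged (None)."""
    options = transpositions(num)
    return rng.choice(options) if options else None


def mutate_record(record: str, rng: random.Random,
                  rate: float) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Each field fires independently with probability `rate`; a field that fires
    gets one format-preserving transposition. Returns the new record and a log of
    (field_type, before, after) so a run can be audited."""
    edits: List[Tuple[str, str, str]] = []

    def fire(kind, mutator, match):
        token = match.group(0)
        if rng.random() >= rate:          # the low-frequency trigger
            return token
        replacement = mutator(token, rng)
        if replacement is None:           # nothing to transpose (e.g. "55")
            return token
        edits.append((kind, token, replacement))
        return replacement

    record = IPV4_RE.sub(lambda m: fire("ipv4", mutate_ipv4, m), record)
    record = SSN_RE.sub(lambda m: fire("ssn", mutate_ssn, m), record)
    record = INT_RE.sub(lambda m: fire("int", mutate_int, m), record)
    return record, edits


def passes_naive_validation(record: str) -> bool:
    """What a form or import job usually checks: shape only, never truth."""
    ips_ok = all(valid_octet(o) for ip in IPV4_RE.findall(record) for o in ip.split("."))
    ssns_ok = all(SSN_RE.fullmatch(v) for v in re.findall(r"ssn=(\S+)", record))
    return ips_ok and ssns_ok


def simulate(records: List[str], rate: float, passes: int, seed: int) -> int:
    """Replay the records `passes` times at a low trigger rate and count edits made."""
    rng = make_rng(seed)
    return sum(len(mutate_record(rec, rng, rate)[1])
               for _ in range(passes) for rec in records)


if __name__ == "__main__":
    rng = make_rng(0)
    for rec in SAMPLE_RECORDS:
        out, edits = mutate_record(rec, rng, 1.0)   # rate 1.0 forces every field to fire
        print(f"{rec!r} -> {out!r} edits={edits} valid={passes_naive_validation(out)}")
    print("edits over 1000 passes at 1%:", simulate(SAMPLE_RECORDS, 0.01, 1000, 0))
```

Running it with a rate of 1.0 shows the 119 to 191 and 69 to 55-zone 96 style swaps from the list above, and every mutated record still passes the shape check; that is the point of the item. Format validation is not a truth check, so corruption of this kind is only caught by an independent cross-check (double entry, reconciliation against a second source, a checksum carried with the value), which is exactly the extra review time the Impact section describes. At a 1% rate the simulation makes only a few dozen edits per thousand passes over four records, which is the kind of low frequency that reads as human error rather than an attack.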
The Impact
Every large organization depends on measurables. They are delivered to managers to justify your job, to department heads to justify the division, and to the C-suite to justify funding. Those numbers are critical and come in several forms.
- Increase in productivity or efficiency
- Cost savings
- Increase in accuracy
- Sales improvements
- Decrease in dependency
- PR highlights
The concern is what happens when those numbers trend in the opposite direction. Suddenly, IT is increasing expenditures replacing laptops and keyboards. Human resources is doubling the amount of time spent reviewing its own work. Finance is working overtime to audit workbooks, time sheets, and databases. Configuration files are putting computers on the wrong network segment. People are getting frustrated at their own apparent incompetence, and most of all, resources are being wasted.
The Targets
Trying to rank which sectors would be most affected by this is nearly futile, but let’s mention a few for the sake of discussion.
Police departments and medical institutions would be terrifying targets because of the possible repercussions of filing inaccurate reports. It’s not unfathomable to be prescribed diabetes medication because your blood sugar level was measured at 119 but logged as 191. That speeding ticket for 69 in a 55 gets entered as 96 in the same speed zone. Both of these situations seem like a public relations nightmare.
You know that poor sap who’s starting to get old, but knows the logistics of the company inside and out? Why has he been marking so many freight orders for overnight delivery? He must be losing his mind, spending thousands of dollars unnecessarily twice a month!
Have you seen how quickly that new AI car company broke into the market? It seems like their competitor just keeps getting their measurements wrong, and they’ve been pushing out updates to the self-driving system so much more slowly. I wonder what happened to them!
And what do you mean your bank is conducting another audit, didn’t they just do one a couple weeks ago? The SEC must really have their eye on them. It doesn’t help that the branch closest to work here is constantly opening late due to “technical issues”.
Didn’t marketing just spend the past 3 months conducting A/B testing on the new sales funnel? How is it the results were so positive, yet our sales are down 14% two quarters in a row?
In Conclusion
Implemented properly with a stealthy delivery mechanism, malware like this could go undetected and wreak havoc on a host network indefinitely. If the threat actor has done proper reconnaissance and is tailoring the malware to very specific software, computer terminals, or personnel, the results may be immeasurable.
I’ve since abandoned the idea of developing a proof of concept for this idea out of a lack of time and resources. That being said, I may revisit the idea once I become more proficient with some of the relevant technology to make it happen.
I want your feedback. What kind of impact would some of those methods have on your organization, and what seems like it would be the most damaging?