Malware in the media – June’s “fire in the hole”

Fire in the hole is a warning that an explosion is about to occur. In the old days, coal miners used to yell it three times before igniting dynamite, which was used to break rock and dig the tunnels needed to excavate coal. The military later adopted the expression to warn of an impending explosion.

This month’s initial candidate for this blog was adware with an explosion-related name: ‘Fireball’. Fireball is operated by a Chinese digital marketing agency. This browser hijacker is bundled with signed software and turns infected PCs into so-called zombies (to generate ad revenue). According to Check Point’s claims, Fireball had infected over 250 million PCs. Check Point’s estimate was based on the number of page visits generated by the browser hijacker redirecting infected PCs.

Microsoft posted an article explaining that it has been identifying the Fireball adware family since 2015. The monthly data gathered by the Malicious Software Removal Tool (MSRT) from 500 million PCs worldwide showed a much lower spread of infection: from September 2016 until June 2017, fewer than 11 million Fireball infections were neutralized by the MSRT. While the threat is real, the reported impact of this adware family may be overblown.

Therefore this month’s malware in the media title goes to infrastructure-attacking malware. June was the month in which Ukraine and the successors of Stuxnet dominated the media. First, ‘Industroyer’ and ‘Crash Override’ were discovered by ESET (Industroyer) and Dragos (Crash Override), six months after they had caused an outage in Ukraine. What made this malware special was that it specifically, autonomously and automatically targeted electricity infrastructure (McAfee).

Within a fortnight, ‘Petya.A’ or ‘NotPetya’, another offspring of Stuxnet, made headlines around the world. The servers of an accounting software vendor had been compromised, and the IT systems of its clients were infected by an update pushed out from these servers that carried the NotPetya malware. Again Ukraine was hit hard (ESET). Soon Comae Technologies and Kaspersky Lab discovered that this malware was not ransomware but a disk wiper, with no intention of, or option for, recovering the deleted files.

This behaviour, and the coincidence that ‘Petya’ is the diminutive of ‘Pjotr’ or ‘Petro’, which happens to be the first name of the current President of Ukraine (Petro Poroshenko), fuelled speculation about cyber warfare. Speculation or not, it is a clear warning that companies and governments have to rethink their digital defences for critical infrastructure. We would like to finish with a quote from ESET Senior Malware Researcher Anton Cherepanov: “The recent attack on the Ukrainian power grid should serve as a wake-up call for all those responsible for the security of critical systems around the world”: Fire in the hole . . .