The U.S. Defense Intelligence Agency claimed it wanted to re-engineer enemy malware to be used as offensive cyberweapons, but experts said this may be less of a practical plan of action and more a signal of intent to shift away from a defensive posture.
Lt. Gen. Vincent Stewart, director of the U.S. Defense Intelligence Agency, expressed this interest in offensive cyberweapons while speaking at the U.S. Department of Defense Intelligence Information Systems conference in St. Louis.
"Once we've isolated malware, I want to re-engineer it and prep to use it against the same adversary who sought to use [it] against us," Stewart said. "We must disrupt to exist."
Jonathan Sander, CTO at STEALTHbits Technologies Inc., based in Hawthorne, N.J., said calling these comments about offensive cyberweapons "a plan is reading too much into the press conference."
"The premise of the comments [was] that the U.S. has been in a defense-only posture, but the NSA [National Security Agency] leaks of cyberweapons like EternalBlue show that's far from the truth," Sander told SearchSecurity. "It's clear the U.S. has an active and capable red team that's finding and weaponizing its own cyber assets. Of course, the military will also capture, analyze and learn from any weapons used against it. But that's less news and more something we should all hope they are doing anyway."
Mounir Hahad, senior director of Cyphort Labs in Santa Clara, Calif., agreed that Stewart's comments were "intended to convey intent to be more active than the passive past."
"There is no advantage gained by the U.S. government in reusing adversary-developed malware; the U.S. is plenty capable of developing its own and inflicting whatever damage it wants," Hahad told SearchSecurity. "Furthermore, the targets may be completely different, technologically speaking, so a weapon that works against U.S. targets may be ineffective against a target at a different level of automation."
The risks of re-engineering malware
Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said a plan to re-engineer offensive cyberweapons would be ineffective.
"This is the general idea of throwing the grenade back at the person who threw it at you, [but] it's certainly more effective with grenades than with malware," Williams told SearchSecurity. "Reverse-engineering is a much more specialized skill than programming, so the effort required to do this is much higher than simply developing malware in the first place."
Georgia Weidman, founder and CTO of Shevirah, a penetration testing firm based in Herndon, Va., said our government should be analyzing the offensive cyberweapons samples obtained "to further protect ourselves from future similar attacks," but noted there are major risks in attempting to repurpose that malware.
"There are many instances of exploit code freely available on the internet that purports to attack an enemy, but instead attacks the machine that attempts to run the attack, making a victim of the attacker," Weidman told SearchSecurity. "Sophisticated malware often goes to great lengths to make it difficult for malware analysts to fully understand what it is doing, obfuscating its code to mislead analysts. Or, it may behave differently in different environments, attempting to detect when it is being analyzed and changing its behavior accordingly. Simply ripping out the target information in a piece of malware and sending it back out could have devastating, unintended consequences if the malware is not fully understood."
Williams also noted that the practice of re-engineering offensive cyberweapons wouldn't be new, because the CIA "mined malware for capabilities as part of their UMBRAGE program."
"In most cases, this isn't a question of patching. Most malware doesn't use any zero-day exploits. The real issue is signatures. We would generally assume that the adversary who is deploying malware has signatures in place to detect their own malware," Williams said. "Any re-engineering effort would have to include some programs to obfuscate the signatures of the malware itself. The problem with this is that the adversary you are throwing the malware back at knows more about the malware than you do, and you don't know what specifically in the malware they are alerting on. A much better plan is to write your own malware from scratch."
Weidman said the government shouldn't trust it can control offensive cyberweapons that it didn't create.
"Malware, once released from its cage, has no moral compass when attacking intended victims," Weidman said. "While some malware, such as the famous Stuxnet, went to great lengths to only attack intended targets, spreading far and wide but only running its destructive payload under specific circumstances, there is very likely to be collateral damage in a malware attack."