
Today's APTs are Creating Tomorrow’s Commodity Malware.

  • Writer: Mark Stacey
  • Mar 22, 2022
  • 2 min read

Nationally funded teams have more resources to develop offensive cyber security capabilities. It is not fear mongering to assume there are existing deployments that have not yet been activated. As the saying goes, “people have friends, countries have interests.” Countries are not waiting for a conflict to develop these capabilities, just as militaries do not wait to build physical weapons. Their readiness may determine victory or defeat.


Every compromise disclosure identifies the adversary as ‘sophisticated.’ It does not matter whether the victim was a small private firm or a large government organization. Whether the infection vector was a default password or a zero-day with custom malware, the offenders are referred to as ‘advanced’ in public statements. The terms are misused and abused.


Malware that requires substantial R&D (the genuinely sophisticated and advanced capabilities built from dedicated resources) is not leveraged for tactical operations. It is reserved for strategic advantage, and its usefulness is contingent on its secrecy. Once discovered through use, creator moonlighting, or other means, it is open to the public’s manipulation and reuse. Exploits, vulnerabilities, and malware are all given new life once in the public domain and can be leveraged for other motives.


Take EternalBlue and DoublePulsar as examples. These were developed by focused organizations with dedicated resources and used sparingly. Once publicly exposed, both went on to have prolific careers in ransomware and other commodity campaigns. Almost all networks running Windows became potential victims.


Any time there is justification to activate sophisticated malware, the toolsets may also become public. Some cybersecurity companies are desperate for the marketing opportunity and release everything as soon as it is discovered. The public needs to be informed and enabled, but in many instances source code and full tools should not be released. Malicious individuals across the world will gain access to these same tools and knowledge. This means network defenders must be aware of new developments to protect their networks today and in the future. Even if you are an initial target, these exploits will likely be leveraged in other campaigns.


The Russia/Ukraine conflict is a world event creating such a scenario. Russia is believed to have substantial cyber capabilities, and there is evidence it will conduct offensive campaigns. If you work in cybersecurity in any capacity, stay vigilant. The threat landscape can change quickly in such times. Any new capabilities exposed should be considered part of your threat landscape regardless of whether you are in the same business.


What the world is seeing now, luckily, does not happen often. Things may become noisy, and information may change. Stay abreast of trusted news outlets and of your own network. While you may not be in the scope of the current conflict, your ability to adapt your defenses to revealed capabilities will help you avoid becoming collateral damage next year. Today's APTs are creating tomorrow’s commodity malware.
