Many cyber attacks are launched instantly at the timing choice of the attacker. These are launched over the network and can be either a one-off or a running campaign. Some classes of attacks, however, are delayed actions and lie in wait for a trigger of some sort. The most obvious of these are attacks that need user interaction. Phishing and XSS attacks are excellent examples of this. Both are prepared for and launched by the attacker but only take effect when the user triggers the trap.
Some attacks are delayed actions but require a special set of circumstances to trigger. They can be entirely safe until triggered. These circumstances can be altogether automatic rather than human-activated. These types of attacks are called logic bombs.
The Basics of a Logic Bomb
The classic concept of a logic bomb is a simple date trigger. In this case, the logic bomb won’t do anything until the date and time are right. At that point, the logic bomb is “detonated” and causes whatever harmful action it is supposed to.
Deleting data is the standard go-to of logic bombs. Wiping devices or a more limited subset of data is relatively easy and can cause a lot of chaos, mainly if mission-critical systems are targeted.
Some logic bombs may be multi-layered. For example, there might be two logic bombs, one set to go off at a particular time and one that goes off if the other is tampered with. Alternatively, both might check if the other is in place and go off if the other is tampered with. This provides some redundancy in having the bomb go off but doubles the chance of the logic bomb being caught in advance. It also doesn’t reduce the possibility of the attacker being identified.
Insider threats almost exclusively use logic bombs. An external hacker could delete stuff, but they can also benefit directly by stealing and selling the data. An insider is typically motivated by frustration, anger, or revenge and is disillusioned. The classic example of an insider threat is an employee recently informed that they will lose their job shortly.
Predictably, motivation will fall and, likely, job performance. Another possible reaction is a drive for revenge. Sometimes this will be petty things like taking unnecessarily long breaks, printing many copies of a resumé on the office printer, or being disruptive, uncooperative, and unpleasant. In some cases, the drive for revenge can go further to active sabotage.
Tip: Another source of insider threat can be contractors. For example, a contractor may implement a logic bomb as an insurance policy that they’ll be called back in to fix the problem.
In this scenario, a logic bomb is one possible outcome. Some sabotage attempts may be pretty immediate. These, however, are often somewhat easy to link to the perpetrator. For example, the attacker might smash the glass wall of the boss’s office. The attacker could go to the server room and rip out all the cables from the servers. They could crash their car into the foyer or the boss’s car.
The problem is that offices generally have many people who might notice such actions. They can also feature CCTV to record the attacker committing the act. Many server rooms require a smart card to access, logging exactly who entered, exited, and when. Car-based chaos may also be captured on CCTV; if the attacker’s car is used, it actively negatively impacts the attacker.
Inside The Network
An insider threat might realize that all their possible physical sabotage options are either flawed, have a high likelihood of them being identified, or both. In this case, they might give up or choose to do something on the computers. For someone technically skilled, especially if they’re familiar with the system, computer-based sabotage is relatively easy. It also has the lure of appearing challenging to attribute to the attacker.
The lure of being difficult to pin on the attacker comes from a few factors. Firstly, no one is looking for logic bombs, so it’s easy to miss them before it goes off.
Secondly, the attacker can deliberately time the logic bomb to go off when they are not around. This means that not only do they not have to deal with the immediate aftermath, but it “can’t be them” because they weren’t there to do it.
Thirdly, especially with logic bombs that wipe data or the system, the bomb can delete itself in the process, potentially making it impossible to attribute.
There are an unknown number of incidents where this has worked out for the insider threat. At least three documented cases of the insider successfully setting off the logic bomb but being identified and convicted. There are at least four other cases of attempted use where the logic bomb was identified and “disarmed” safely before it went off, again resulting in the insider being identified and convicted.
A logic bomb is a security incident where an attacker sets up a delayed action. Logic bombs are almost exclusively used by insider threats, primarily as revenge or an “insurance policy.” They are typically time-based though they can be set up to be triggered by a specific action. A typical result is that they delete data or even wipe computers.
Insider threats are one of the reasons that when employees are let go, their access is immediately disabled, even if they have a notice period. This ensures that they can’t misuse their access to plant a logic bomb, though it doesn’t provide any protection if the employee had “seen the writing on the wall” and already set the logic bomb.