Logic bomb attacks: 4 famous examples
02 June, 2022 07:30
A logic bomb is a piece of code left lying in wait on a computer that will execute under certain specified conditions and take actions the owner of that computer would consider malicious. The actual code that does the dirty work, sometimes referred to as slag code, might be a standalone application or hidden within a larger program.
While logic bombs are sometimes delivered via the same techniques that can infect your computer with viruses or other malware, more often they're planted by insiders with privileged access to the system being attacked—and can therefore be quite tricky to detect.
Are logic bombs viruses?
A logic bomb isn’t a virus, but it could be spread by one. Unlike a virus, the distinguishing characteristic of a logic bomb isn’t how it spreads, but how it’s triggered.
A quick note on terminology: Malware comes in different types, including viruses, worms, and Trojans, that are generally defined by how they spread and how they infect computers; the details vary, but by and large they are designed to find victims semi-autonomously.
The part of a piece of malware that actually carries out the attack, known as the payload, can work in a number of different ways, and some of these payloads are themselves logic bombs.
For instance, the famous Stuxnet worm, created by U.S. and Israeli intelligence to sabotage the Iranian nuclear program, has a payload that will only activate if it determines that it's running on a computer that is part of a specific type of uranium enrichment facility.
That said, not all malicious code is malware, and not all logic bombs are delivered via viruses or their kin. In fact, as we'll see in our examples, many logic bombs are hidden inside ordinary computer programs by the people who wrote those programs themselves.
What does a logic bomb attack do?
As the Stuxnet example demonstrates, a logic bomb attack gets its name because the malicious code activates when some logical condition, or trigger, is satisfied: it can be explained as an if-then statement. A logic bomb's trigger can take one of two forms, positive or negative. A positive trigger goes off if something happens, while a negative trigger goes off if something fails to happen.
The Stuxnet example is a positive trigger: the worm analyses the underlying hardware on which it's running and if it matches the target system it was designed to attack, it spins any attached uranium centrifuges fast enough to destroy them. There are other, somewhat more pedestrian types of positive triggers as well: a logic bomb may go off if someone attempts to open a specified file, for instance, or copy data from one directory to another.
A negative trigger may be a little harder to understand at first, and maybe the best way to think about it is in terms of the sort of insider threats we noted as a common use case for a logic bomb. For instance, a disgruntled employee may suspect that they are about to be fired, and so will plant a logic bomb on the company servers that will erase valuable corporate data at 10am unless its creator intervenes.
As long as the employee can maintain access to the system, they can stop the bomb from going off, which may give them leverage in the dispute with their employer—or at least leave them satisfied that their firing will be followed by chaos once they're gone.
As these examples illustrate, the actual behaviour of a logic bomb can range widely. When it comes to the insider threats that make up much of the logic bomb landscape, a few types of attack are particularly common, including file or hard drive deletions, either as a ransom threat or act of revenge, or data exfiltration, as part of a plan to use privileged information in future employment.
But truly, the things a logic bomb can do—the then that comes after the if—are only limited by the nefarious attacker's skills and imagination. For instance, one enterprising soul managed to hide a cryptojacking logic bomb in public domain Python libraries that surreptitiously mined Bitcoin for the attacker's benefit.
Time bomb vs. logic bomb
You'll sometimes see references to time bombs as a type of cyberattack; these are a subset of logic bombs, although some might consider them a closely related attack. A time bomb is a logic bomb whose trigger goes off at a specific time. In some ways, this might be considered the simplest type of logic that can go into a logic bomb.
The purpose of writing this kind of trigger can be similar to a real, physical exploding time bomb: to give the attacker enough time to clear out of the area (in this case, the computer or network where the bomb was planted) to make it less likely for them to be affected or fingered as the attacker.
The example we gave above of a negative trigger is a more sophisticated variation on the time bomb concept, as its time deadline can be postponed by user action to create a sort of "dead man's switch."
Are logic bombs always malicious?
Logic bombs are, by definition, malicious. The "bomb" in "logic bomb" is of course metaphorical, although in cases like Stuxnet that target operational technology, they can wreak havoc on the physical world. But even all-digital logic bombs get that name because they're destructive.
There are, of course, other types of programs that might be superficially similar to logic bombs but not harmful—for instance, a program you've downloaded as a free trial might stop working after 15 days. But because you were told that when you downloaded it, that isn't considered a logic bomb.
How to detect and prevent logic bomb attacks
Logic bombs are a particularly pernicious type of attack because the attack code by its very nature may lie dormant for an extended period of time. In general, it's difficult for even the best endpoint security software to sniff out code that isn't executing.
Since some logic bombs are delivered via malware, one way to keep them off your systems is to follow anti-malware best practices:
- Watch out for phishing emails, and don't open or download attachments if you're not absolutely certain where they came from.
- Similarly, don't download or install applications unless they come from a trusted source. That includes browser navbars, which are a common malware vector.
- Keep your computer safe with updated antivirus/endpoint security software.
But as we've seen, fighting malware isn't enough to defuse all potential logic bombs.
The cryptominers we mentioned above are an example of what's known as a supply chain attack, in which an organisation's reuse of third-party code (open source libraries, in this case) becomes a problem when that code has a logic bomb hidden within it. And, of course, no antivirus program can protect you from a determined insider threat.
The best way to sniff out malicious code that's being embedded in your own software, either deliberately by a disgruntled employee or inadvertently in the form of a third-party library, is to bake secure coding practices, like those that are part of the DevSecOps philosophy, into your development pipeline.
These practices are meant to ensure that any code passes security tests before it's put into production, and would prevent a lone wolf insider attacker from unilaterally changing code in an insecure way.
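As an added example (not code from the article), here is the kind of small static check a pipeline could run over Python sources to surface the time-bomb pattern described above: it finds `if` branches whose condition depends on the calendar clock, directly or through a variable assigned from it, and flags any destructive call reachable inside that branch. The clock and destructive call lists are assumptions for illustration, and the sample source being scanned is constructed.

```python
import ast

# Calls that read the clock: a branch gated on one is a candidate time-bomb
# trigger (assumed, non-exhaustive list).
CLOCK_CALLS = {"now", "today", "utcnow", "time", "localtime"}
# Calls treated as destructive when reached inside such a branch (assumed list).
DESTRUCTIVE_CALLS = {"remove", "unlink", "rmtree", "rmdir", "system"}

def _call_names(node):
    """Yield the function or attribute name of every call under node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            func = sub.func
            yield func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")

def find_time_gated_destructive(source):
    """Return (line, trigger, call) for each `if` whose test depends on the clock
    (directly or via a variable assigned from it) and reaches a destructive call."""
    tree = ast.parse(source)
    # One-hop tracking: variables assigned straight from a clock call.
    tainted = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and set(_call_names(node.value)) & CLOCK_CALLS:
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.If):
            continue
        triggers = [n for n in _call_names(node.test) if n in CLOCK_CALLS]
        triggers += [n.id for n in ast.walk(node.test)
                     if isinstance(n, ast.Name) and n.id in tainted]
        if not triggers:
            continue
        reached = set()
        for stmt in node.body:
            reached.update(_call_names(stmt))
        for call in sorted(reached & DESTRUCTIVE_CALLS):
            findings.append((node.lineno, triggers[0], call))
    return findings

# Constructed sample: one unconditional cleanup (legitimate, not flagged) and
# one branch that only fires on a chosen date, the shape the article describes.
SAMPLE = '''import datetime, shutil
def cleanup_build():
    shutil.rmtree("/tmp/build")
def nightly_job():
    today = datetime.date.today()
    if today.month == 12 and today.day == 25:
        shutil.rmtree("/srv/orders")
'''
```

Running `find_time_gated_destructive(SAMPLE)` reports the date-gated `rmtree` on line 6 of the sample and nothing for the unconditional cleanup; a finding is a prompt for human review, since legitimate retention jobs are also clock-gated.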
4 famous examples of logic bomb attacks
In 1982, a massive explosion disrupted the flow of natural gas in an important pipeline traversing Siberia. For years, a rumour has persisted that this was an act of CIA sabotage.
The story goes that U.S. intelligence agents discovered that their Soviet counterparts were attempting to steal the computer code necessary to automate their pipeline from the West, since the native Soviet software industry wasn't up to the task; so the Americans allowed the Soviets to make off with code with a logic bomb hidden in it that resulted in the destruction of the pipeline.
This sabotage has sometimes been called the original logic bomb, although it's never been confirmed by any of the parties involved, and there's some evidence that the destruction may have just been the result of good old-fashioned incompetence.
While we may never know the truth of what happened to that pipeline, there are plenty of well-documented logic bomb attacks:
- In late 2001, a systems administrator quit his job at UBS and only hours later bought numerous "put" options that would allow him to profit if his former employer's stock declined by March 15, 2002. The logic bomb he left behind went off on March 4, damaging numerous systems at UBS. He was caught and sentenced to years in prison, and was forced to pay millions in restitution.
- In 2003, a sysadmin, fearful that his employer Medco Health Solutions was planning to fire him, planted a logic bomb on their servers that would've deleted huge swaths of data. He set it to go off on his birthday in 2004, but it failed due to a programming error, so he changed the trigger date the following year; it was discovered and disabled a few months in advance, and he was sentenced to 30 months in jail.
- In 2008, a programmer was terminated from his contract job at U.S. mortgage giant Fannie Mae. He managed to plant a logic bomb before his network access was cut off that was intended to wipe out all of the company's data, but the malicious code was discovered and deactivated in time. Fannie Mae programmers traced the malicious script to him through network logs, and by comparing the contents of a directory that he created on his laptop the day he was terminated.
- Between 2014 and 2016, a contractor working for Siemens in Pennsylvania put logic bombs into the spreadsheets that Siemens used to manage orders, which he was then paid to come in and fix, racking up tens of thousands of dollars in fees. The bombs were discovered when he went on vacation and gave the passwords for the spreadsheets to Siemens staff so they could update them while he was out of town.
Logic bomb code
If you'd like to see the code for a simple example of a logic bomb, there's a GitHub repository for the Christmas Logic Bomb, written in Python. This code is a time bomb that activates on Christmas Day and displays a festive message—it doesn't do any harm, but it's a good way to see how this kind of attack works.