What does a logic bomb attack do?

As the Stuxnet example demonstrates, a logic bomb attack gets its name because the malicious code activates when some logical condition, or trigger, is satisfied: It can be explained as an if-then statement. There are two forms a logic bomb’s trigger can take: positive or negative. A positive trigger goes off if something happens, whereas a negative trigger goes off if something failsto happen. Stuxnet is a positive trigger: The worm analyzes the underlying hardware and if it matches the system it was designed to attack, it spins any attached uranium centrifuges fast enough to destroy them. There are other, somewhat more pedestrian types of positive triggers as well: A logic bomb may go off if someone attempts to open a specified file, for instance, or copy data from one directory to another.

A negative trigger is best undersood in terms of the sort of insider threats we noted as a common use case for a logic bomb. For instance, a disgruntled employee, suspecting they are about to be fired, may plant a logic bomb on the company servers that will erase valuable corporate data at 10 a.m. unless its creator intervenes. As long as the employee maintains access to the system, they can stop the bomb from going off, which may give them leverage in the dispute with their employer — or at least leave them satisfied that their firing will be followed by chaos once they’re gone.

The actual behavior of a logic bomb can range widely. When it comes to the insider threats that make up much of the logic bomb landscape, a few types of attack are particularly common, including file or hard drive deletions, either as a ransom threat or act of revenge, or data exfiltration, as part of a plan to use privileged information in future employment.