The Delivery Mechanism
This part of the cyber weapon ensures that it hits its target, i.e. reaches the right client, hardware, or network. Delivery can be done by e-mail, USB memory, CD-ROM, or by physically connecting to the server, client, TV, or similar device. As the Vault7 leaks from the CIA showed, it is not entirely unusual for HUMINT and SIGINT resources to be used for this. Delivery may also take the form of an implant installed while the equipment is in transit to the customer. To reach the final target, which may sit deeper in the network, zero-days or other code can be used to detect and bypass so-called air gaps: sensitive networks that are not connected to the internet, for example.
The warhead makes sure that the goal of the cyber weapon is achieved. That goal might be to influence a process in a SCADA system, or to destroy vital parts of systems that society depends on. It could also be to exfiltrate sensitive information from the target system.
The Communication Mechanism
This part is not always necessary, but it makes it possible to “call home” (using a unique ID) and report that the cyber weapon has reached its target or completed a sub-goal. The communication part is important if the cyber weapon stays hidden for an extended period and is meant to activate the warhead on command.
To make discovery by network forensics and intrusion detection systems more difficult, popular sites such as Dropbox, Twitter, or Instagram can be used, with the communication carried over TLS-encrypted connections.
Steganography, where messages are exfiltrated hidden in pictures, has also been observed, as has communication with IP addresses reached over a satellite link, where the antagonist has been able to read the traffic with SIGINT or other equipment.
If the communication mechanism piggybacks on existing infrastructure used to update software or check for new versions, detection becomes harder still. The communication mechanism can also be used to download and activate new modules, droppers, and so on.
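A communication mechanism that hides inside TLS traffic to a popular site cannot be read, but it can still be timed. The detection below is an added example (not code from the original article) that looks for the regular check-in rhythm of an implant in a constructed proxy log: for each source/destination pair it computes the coefficient of variation of the gaps between connections, since a timer-driven "call home" is far more regular than a person's browsing. The log format, hostnames, and thresholds are all assumptions made for the example.

```python
"""Beacon detection over constructed proxy log lines (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample proxy log: "<ISO timestamp> <src host> <dst host> <port> <bytes sent>".
# The hostnames are placeholders for the example, not real indicators.
SAMPLE_LOG = """\
2024-01-10T08:00:00Z ws-17 api.storage.example 443 512
2024-01-10T08:00:04Z ws-17 cdn.news.example 443 90411
2024-01-10T08:05:01Z ws-17 api.storage.example 443 520
2024-01-10T08:10:00Z ws-17 api.storage.example 443 515
2024-01-10T08:12:33Z ws-17 cdn.news.example 443 20331
2024-01-10T08:13:10Z ws-17 cdn.news.example 443 4410
2024-01-10T08:14:59Z ws-17 api.storage.example 443 511
2024-01-10T08:20:01Z ws-17 api.storage.example 443 518
2024-01-10T08:25:00Z ws-17 api.storage.example 443 514
2024-01-10T08:30:00Z ws-17 api.storage.example 443 519
2024-01-10T08:41:10Z ws-17 cdn.news.example 443 7711
2024-01-10T08:42:02Z ws-17 cdn.news.example 443 1200
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, parts[1], parts[2], int(parts[4])


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection intervals are suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections. Human-driven traffic is bursty and gives a high CV;
    an implant checking in on a timer gives a CV near zero, even with small jitter.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in parse_log(text):
        by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_connections:
            continue  # too few samples to say anything about periodicity
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.stdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(events),
                "mean_interval_s": round(mean_gap, 1),
                "cv": round(cv, 4),
                "mean_bytes": round(statistics.mean([s for _, s in events])),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed log the storage host is flagged (seven connections, roughly 300 s apart, near-constant payload size) while the news host, with the same number of connections but irregular gaps, is not. In practice the thresholds are tuned per environment, and a low CV is a lead to investigate rather than a verdict, since legitimate update checks and monitoring agents also beacon.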
One of the oldest and most common methods of staying hidden is obfuscation or encryption. Even relatively simple things such as modularity can make it difficult to see the cyber weapon as a whole: for example, sniffing functions can sit in one module, keylogging in another, and so on.
There are even environmentally keyed payloads, where a module is encrypted with a key that exists only in the target network or system. Another important aspect for those developing cyber weapons is OPSEC, since everything leaves a trace. Something increasingly common is false flagging: traces can point towards one country when the weapon was in fact 'developed' in a completely different one. Language, time zones, and so on can be changed.
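An encrypted or environmentally keyed module cannot be read without its key, but it still stands out statistically: ciphertext is close to uniformly random, while code and data are not. The scan below is an added example (not from the original article) that measures Shannon entropy per chunk over a constructed blob in which 4 KiB of pseudo-random bytes stand in for an encrypted module between two stretches of readable text. The chunk size, threshold and sample data are assumptions made for the example.

```python
"""Entropy scan for encrypted or packed regions in a binary blob (added example)."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_regions(data, chunk_size=1024, threshold=7.2):
    """Return (offset, entropy) for every chunk whose entropy meets the threshold.

    Compressed and encrypted data both score high; the point is to direct an
    analyst to regions that deserve a closer look, not to prove they are encrypted.
    """
    regions = []
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        if len(chunk) < chunk_size // 2:
            continue  # ignore a tiny trailing fragment, whose entropy is not comparable
        e = shannon_entropy(chunk)
        if e >= threshold:
            regions.append((off, round(e, 2)))
    return regions


def build_sample():
    """Constructed blob: 2 KiB of text, 4 KiB of pseudo-random bytes (stand-in for an
    encrypted module), then 1 KiB of text. Fixed seed so the example is reproducible."""
    text = (b"Module loader: resolve key, decrypt, map, run. ") * 100
    rng = random.Random(20240110)
    encrypted = bytes(rng.getrandbits(8) for _ in range(4096))
    return text[:2048] + encrypted + text[:1024]


if __name__ == "__main__":
    blob = build_sample()
    for offset, entropy in high_entropy_regions(blob):
        print(f"offset {offset:#08x}: {entropy:.2f} bits/byte")
```

The four 1 KiB chunks covering the random region are reported at about 7.8 bits/byte, while the text chunks score around 4 and are left alone. Against a real binary the same scan is run over each section, and a high-entropy section with no matching compression or resource metadata is the usual first hint of a packed or encrypted payload.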
Sometimes the warhead resides only in the unit's RAM and disappears if the unit crashes or restarts. Creators of cyber weapons want it to persist for a longer time, and there are an enormous number of ways to hide.
A difference between, for example, WannaCry and a cyber weapon is that the objective of the cyber weapon is to propagate only within a smaller area, such as a single organization or network. A smaller spread can make eventual detection more difficult. Propagation may be a necessary part of delivery, for instance when there is a gap between the process network or secret network and the internet.
Cyber weapon developers put resources into developing weapons that remain hidden. The weapon deletes itself when the mission is complete, and there may be a built-in counter that automatically erases the weapon once the mission is completed.