Posted March 15, 2018
The damaging wiper attack last June carried a clear message for global organizations: you need to re-prioritize your security spending.
About a month after the NotPetya malware outbreak in late June 2017, I was on the phone with someone I’ll call “Stacy,” who worked for a freight forwarding firm in the U.S. At the time we spoke, Stacy was desperate to locate a very important piece of equipment known as a “blowout preventer” (or BOP) that her company had contracted to ship to a customer in Norway for use on one of the offshore oil platforms there. The BOP had gone missing. That is surprising, if you’ve ever seen one: they’re massive pieces of equipment that get trucked around on 40-foot flatbed trucks.
Stacy knew where her shipment was: sitting on the dock in Bremerhaven, Germany, where it had landed right around the time NotPetya began spreading on June 27th. The problem was that her shipping company, A.P. Møller-Maersk, didn’t. Instead, it was scrambling to respond to the attack.
We now know that, behind the scenes, Maersk’s IT staff mounted a heroic effort: reinstalling over 4,000 servers, 45,000 PCs, and 2,500 applications over the course of ten days in late June and early July 2017, according to statements by that company’s CEO at the World Economic Forum in Davos in January. The virus cost Maersk more than $300 million to recover from. But the effects of the crippling attack rippled out to companies large and small, as well. Stacy’s firm had to spend money having the blowout preventer surveyed in Bremerhaven to make sure it was not damaged by sitting on the dock. Firms that were lined up to transport the part to the offshore rig in late June also lost business. The oil rig the part was destined for was kept idle waiting for the part’s arrival. The cost to the global economy is unknown, but is certain to total billions, if not hundreds of billions, of dollars.
What is the moral of this story for executives at firms like Stacy’s? Not falling for the next NotPetya means figuring out what weaknesses NotPetya exploited and addressing them. But it also requires firms to stay ahead of threats so that they can anticipate new attacks, not merely respond to them.
What were NotPetya’s lessons? Here are some to consider:
Reimagine your risk
Conventional wisdom has held that cyber attacks, though disruptive, are manageable. Outbreaks like NotPetya and WannaCry challenge that established wisdom.
Both attacks were not merely disruptive but destructive: wiping out systems they infected, rather than simply hijacking them or holding their data ransom. The operational impact on the affected companies was severe. Maersk, for example, was forced to revert to pen and paper to run its business for days while it rebuilt its IT systems from scratch.
“Imagine a company where a ship with 20,000 containers would enter a port every 15 minutes, and for ten days you have no IT,” CEO Snabe said at Davos.
The lesson for your firm is clear: you need to reimagine the risks to your firm and its operations. In addition to formulating clear contingency plans for major outbreaks (robust, offsite backup and recovery plans certainly beat pen and paper), your firm should re-evaluate its assumptions about worst case scenarios as it weighs current and future information security investments and add some zeros to the “cost of doing nothing.”
Think holistically about threats to your organization
Maersk wasn’t the only global firm affected by NotPetya. FedEx suffered by way of its TNT Express acquisition. US-based Mondelez candy and the drug giant Merck were also hit hard by the virus. What’s interesting is that none of these firms were intended targets of NotPetya. Rather, they were collateral damage of an attack that experts believe was a Russian-backed campaign designed to disrupt Ukraine’s government and economy.
The moral? Instability in one part of the world (say: the rolling cyber conflict between Russia and Ukraine) can easily spill over national borders in ways that are unpredictable. Maersk’s CEO called his company an “accidental victim” of a nation-state attack. And that’s just about right. The consequence of this is that organizations cannot be too narrowly focused on known threats.
Quality threat intelligence from a reliable provider can help, but you also need to be able to integrate that threat intelligence into your IT operations and information security workflow. An example: NotPetya spread rapidly within corporate networks because it was married to powerful, Windows-based exploits known as “EternalRomance” and “EternalBlue.” Threat intelligence noting that both nation-state actors and cyber criminal “ransomware” groups were actively leveraging those exploits should have escalated patching and remediation efforts internally. Better patching would have stopped or limited the spread of NotPetya, greatly reducing its operational impact.
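What “integrating threat intelligence into the patching workflow” looks like in practice is a prioritization step: intel that says an exploit is being used in the wild, and by whom, should move the patch that closes it to the front of the queue for the hosts that still lack it. The script below is an added illustration, not code from the original post or from any vendor. The intel feed, the asset inventory, the patch identifiers (placeholders such as “PATCH-SMB-2017”, not real bulletin numbers) and the scoring weights are all constructed assumptions; a real deployment would pull the feed and inventory from your own providers and tune the weights and deadlines to your environment.

```python
"""
Added example: turning threat intelligence about actively exploited
vulnerabilities into a prioritized patch queue with deadlines.

All feed entries, hosts, patch IDs and weights below are constructed
placeholders for illustration; they are not real identifiers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class IntelEntry:
    """One item from a threat-intel feed (constructed format)."""
    exploit: str
    closes_with: str              # placeholder patch ID that neutralizes the exploit
    actively_exploited: bool      # seen used in the wild?
    actors: Set[str] = field(default_factory=set)   # e.g. "nation-state", "ransomware"


@dataclass
class Asset:
    """One host from the asset inventory (constructed format)."""
    hostname: str
    tier: str                     # business criticality: "crown-jewel", "business", "lab"
    missing_patches: Set[str]


# Editorial weights: assumptions to be tuned per organization.
TIER_WEIGHT = {"crown-jewel": 3, "business": 2, "lab": 1}
ACTOR_WEIGHT = {"nation-state": 3, "ransomware": 2}


def score_patch(entry: IntelEntry) -> int:
    """Urgency of the patch an intel entry points at: baseline 1, plus
    active exploitation and the kinds of actors observed using it."""
    score = 1
    if entry.actively_exploited:
        score += 3
    for actor in entry.actors:
        score += ACTOR_WEIGHT.get(actor, 1)   # unknown actor types still count
    return score


def sla_hours(score: int) -> int:
    """Map an urgency score to a remediation deadline (assumed policy)."""
    if score >= 8:
        return 24
    if score >= 5:
        return 72
    return 168


def prioritize(intel: List[IntelEntry], assets: List[Asset]) -> List[Dict]:
    """Join the intel feed with the inventory and return one work item per
    (host, missing patch), most urgent first."""
    # A patch may close several exploits (EternalBlue and EternalRomance share
    # one fix); keep the highest urgency any of them earns.
    urgency_by_patch: Dict[str, int] = {}
    for entry in intel:
        current = urgency_by_patch.get(entry.closes_with, 0)
        urgency_by_patch[entry.closes_with] = max(current, score_patch(entry))

    work = []
    for asset in assets:
        for patch in asset.missing_patches:
            base = urgency_by_patch.get(patch, 1)   # no intel -> baseline priority
            total = base * TIER_WEIGHT[asset.tier]
            work.append({"host": asset.hostname, "patch": patch,
                         "score": total, "sla_hours": sla_hours(total)})
    # Highest score first; host and patch names make the order deterministic.
    work.sort(key=lambda w: (-w["score"], w["host"], w["patch"]))
    return work


# Constructed sample feed: two exploits share one fix and are in active use.
INTEL_FEED = [
    IntelEntry("EternalBlue", "PATCH-SMB-2017", True, {"nation-state", "ransomware"}),
    IntelEntry("EternalRomance", "PATCH-SMB-2017", True, {"nation-state", "ransomware"}),
    IntelEntry("LegacyBrowserBug", "PATCH-BROWSER-2016", False, set()),
]

# Constructed sample inventory.
INVENTORY = [
    Asset("erp-db-01", "crown-jewel", {"PATCH-SMB-2017"}),
    Asset("fileserver-02", "business", {"PATCH-SMB-2017", "PATCH-BROWSER-2016"}),
    Asset("lab-vm-07", "lab", {"PATCH-BROWSER-2016", "PATCH-UNKNOWN"}),
]


if __name__ == "__main__":
    for item in prioritize(INTEL_FEED, INVENTORY):
        print(f"{item['host']:15} {item['patch']:20} score={item['score']:3} "
              f"deadline={item['sla_hours']}h")
```

With the constructed data, the SMB patch on the crown-jewel database host lands at the top with a 24-hour deadline, the same patch on the business-tier file server follows, and the lab machine’s patches fall to the week-long tier. The point is the join, not the particular numbers: without the feed, every missing patch on every host looks equally urgent, which is how an exploit already in active use stays unpatched for weeks.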
Prioritize third-party risk
A clear lesson of NotPetya is that third-party risk is real and that companies and Boards of Directors need to pay a lot more attention to it.
How so? One of NotPetya’s initial avenues of infection was via a Ukrainian maker of financial software, M.E. Docs. That company, which had been compromised by hackers, unwittingly distributed a signed software update that installed the malware. More than 2,000 firms in Ukraine alone found themselves infected.
Should the presence of an application by a Ukrainian firm on your network raise alarms? Possibly, especially when coupled with threat intelligence about similar efforts by nation-state actors to infiltrate and disrupt Ukrainian firms. A more holistic approach would be to assess the many software and hardware supply chains your firm relies on and the risk and possible consequences of any supply chain attack, then introduce processes that mitigate such risks internally.