In this latest extract from the Journal, Control Risks director Carla Liedke details how a single worm targeting the Ukranian government managed to bring numerous multinationals to their knees.
On 27 June 2017, one of the year’s most disruptive cyber attacks began to wreak havoc across Ukraine. ATMs stopped working after several banks, including the National Bank of Ukraine and state savings bank Oschadbank, confirmed they had suffered a cyber attack. Kyiv’s Boryspil Airport experienced gridlock when its computer systems went down. Kyivenergo, the capital’s energy generating company, reported it had to turn off all its computers because of the attack. Scientists monitoring the radiation levels at Chernobyl had to move to manual processes after their computers failed. Government agencies, telecommunications companies, transport operators and businesses across Ukraine were affected.
While Ukraine was the epicentre of the attack, the damage was not confined to one country. The malware known as NotPetya wormed its way through networks across Europe and the globe. A number of large multinationals were significantly affected by the attack, including advertising conglomerate WPP, global shipping firm AP Moller-Maersk, healthcare and pharmaceutical giant Merck, snack food company Mondelez, consumer group Reckitt Benckiser, FedEx division TNT and law firm DLA Piper.
The NotPetya attack masqueraded as ransomware. Infected endpoints displayed a menacing black screen, familiar to anyone who has suffered this type of attack, informing the user that their files had been encrypted and including a demand for payment to a bitcoin wallet. Victims quickly discovered the ransom demands to decrypt files were a false flag designed to misdirect attribution. Leaving them with two options: to rebuild affected systems from backups if available, or to wipe them and start again.
Multinationals brought to their knees
The impact on affected companies was swift. The malware locked down files and systems indiscriminately – front line systems, industrial control systems and back office functions, such as email and finance, were all affected. Many multinationals had to resort to manual processes.
Maersk ran the world’s largest container shipping operation for more than a week using paper processes. Staff at TNT, which is owned by global logistics provider FedEx, were reduced to using manual processes for pick-up, sorting and delivery. Parcels reportedly piled up to the ceiling in TNT depots as staff struggled to work through the backlog.
Merck and Reckitt Benkiser had to halt production of drugs and consumer goods after the malware infiltrated their manufacturing facilities. Merck announced it would be able to maintain continuous supply of life-saving drugs throughout the crisis, but has since been asked to provide evidence to a Congressional committee to help understand cyber threats to the healthcare sector in the US and the potential impacts of these attacks on critical medical supplies.
Companies reported their staff had to be resourceful to deal with significant disruptions to email communications. TNT employees resorted to using WhatsApp internally after their email system went down, and social media platforms such as Facebook and Twitter to communicate with clients. DLA Piper communicated with staff via text messages. Martin Sorrell, CEO of WPP, said their staff went “back to pen and paper” while they were dealing with the disruption.
Some companies were able to restore systems a few days after the attack. Others were back online after a week. But some companies experienced extended delays, leading them to declare to the market in the weeks that followed the attack that they did not know when the issue would be fully resolved. Companies have since disclosed that flow-on effects of the attack on sales, supply chain and invoicing lingered for months. In the worst cases, it was admitted that some information and systems would never be recovered.
Financial impacts of a cyber attack
When Control Risks speaks to clients about the impact of a cyber attack, we identify four broad impacts: financial, reputational, operational and the impact on people. It can be difficult to quantify the losses of cyber attacks because most organisations who fall victim do not publicly discuss the broader impacts.
In the case of the NotPetya attack, a number of listed companies experienced material losses and were compelled to disclose to the market the ongoing effects of this attack. The financial losses were significant. Some multinationals have estimated the attack cost them approximately US$300 million. The losses initially were a result of reduced productivity and lost opportunities, as well as the costs of restoring and installing enhanced systems in the wake of the attack. Most of the organisations hit have also increased investments in additional measures to prevent future attacks.
The loss of business-critical data and systems had secondary effects such as the inability to invoice properly due to missing data. But by far the most significant impact was on reputation. Months after the attack companies such as Maersk, Merck, Reckitt Benkiser and Fedex disclosed that sales continued to be affected. FedEx provisioned significant funds to cover the loss of customers and failure to attract new customers, and incentives to restore confidence and maintain business relationships.
Who was responsible for this destructive attack?
Although attribution of attacks is difficult, Control Risks’ Cyber Threat Intelligence team believes NotPetya was a nation-state campaign masquerading as a criminal attack, likely of Russian origin. That said, many Russian organisations also fell victim to this attack and Moscow has repeatedly denied responsibility.
Russia is believed to have perpetrated a number of cyber attacks on Ukraine over the last two years. In late 2015, Russian special services allegedly attempted to hack Ukraine’s power network by inserting malware on the IT network of regional power companies, leaving hundreds of thousands of residents in the dark. This was the first in a series of attacks against Ukrainian critical national infrastructure in the energy, mining and transport sectors. Control Risks’ Cyber Threat Intelligence team warned clients in early 2017 that Russia and Ukraine are likely to escalate their cyber offensive operations as a result of escalating tensions in Ukraine’s disputed eastern regions of Donetsk and Luhansk.
The goal of the threat actors behind NotPetya appeared to be to destabilise business in Ukraine by releasing malware that spread fast and caused maximum damage. The attack was so damaging because the malware encrypted and locked entire hard drives – rather than individual files – in a way that appeared to be irreversible. It took advantage of an exploit in Microsoft Windows dubbed ‘Eternal Blue’ that had been leaked from the USA’s National Security Agency. Microsoft released a patch for this exploit in March 2017, but many companies were not up to date with their patching regimes, and so were vulnerable to both the WannaCry ransomware attack, which caused global disruption in May, and NotPetya. The initial infection vector was through an update released by Ukrainian accounting software company M.E.Doc, which is used by 80% of Ukrainian companies. M.E.Doc was found to have very lax cybersecurity, which allowed hackers to hijack the update process and embed it with worming malware that then spread laterally across victims’ networks.
Control Risks’ cybersecurity experts believe this attack is a sign of things to come. Nation states such as Russia, North Korea, Iran, the United Kingdom, the USA and others are strengthening their cyber arsenal and it is difficult to imagine any future conflict that does not have an element of cyber warfare. This is bad news for organisations, which will be collateral damage in these skirmishes.
The message for organisations is: if you are not already undertaking a co-ordinated cybersecurity programme across your organisation, you should be, because the chance of having your business disrupted by these types of attacks is increasing every day.
Click here for more from StrategicRISK’s The Journal, in association with Swiss Re Corporate Solutions.