That’s what 2,000 companies in 64 countries learned in June of 2017. They were not the targets, but they did lose billions of dollars of data, hardware, software, and business. Those companies are still tracking losses into 2018.
But they weren’t targeted.
They were the unfortunate “side effect” of the “NotPetya” malware. Many officials and cybersecurity experts believe NotPetya was designed by Russia to attack computers in Ukraine, but it wound up destroying thousands of desktops, laptops, servers, and other equipment—in Ukraine, yes, but also all around the world at corporations like FedEx, Maersk, Merck, and many others.
That’s not hyperbole. That’s the only purpose of a cyber-munition: destruction.
If your main concern is protecting against hackers who are specifically targeting your organization, you need to change the way you’re thinking about cybersecurity.
A leading software provider was one of the organizations hit by NotPetya. The company has been sharing its story in hopes of helping other organizations avoid the type of losses it and others suffered in 2017.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Though this attack was widely publicized, it’s still news to many people that some cyberattacks are designed with the sole purpose of destruction.
That was the case when ransom screens started popping up around the world at the end of June 2017. But the ransomware screen was a ruse, a wild goose chase that cost IT teams valuable time while the virus was multiplying, traveling, finding ways to circumvent blocked paths, and irretrievably overwriting and destroying everything.
No data was stolen.
That was the good news. Very good news. No customer or business data was extracted in the attack.
Because that wasn’t what the malware was built to do.
The bad news is that what the malware was built to do is also very, very disruptive and expensive.
The worse news is that all it takes is one infected computer on a network.
“That’s why I talk about the violence of a cyberattack that most people don’t understand, even some people who are in IT security,” says Sensato CEO John Gomez. “Most people think, ‘they’re going to steal my data.’ We’re in a world now where there are cyber munitions, and this is an example of somebody launching a cyber munition where it just completely destroyed everything it could access.”
Now, ask yourself: what if that malware infected one of the computers on your network, and, as it was designed to do, then infected and destroyed everything else that it could find and attack? Every computer. Every laptop. Every tablet. Every pacemaker. Every insulin pump. Every patient monitoring unit. Every single device that connects with your network.
You don’t have to guess what such an attack might cost your organization in down time, equipment replacement, and customer reparations. That leading software provider can tell you. So can FedEx and all the others.
But let’s get into just a few of the gory details, with the help of the software company, so you can understand the true impact of a type of cyberattack that you might never have expected to hit your organization.
The malware attacked Active Directory, shutting administrators out of the system and taking down corporate email, the intranet, application servers, and other internal systems. Almost every Windows device across much of Company X’s network was impacted.
“We believe that NotPetya actually had some AI (artificial intelligence) and machine learning built into it, because it appeared to be learning on the fly. For example, if a transfer protocol was blocked, it figured out other, faster protocols to transfer itself,” says a spokesperson from the software provider.
“The one saving grace was that the virus put up a reboot command. Once rebooted, it attacked the boot files, turning the device into a brick. On our servers, it deleted what was accessible on the C drive, but it was waiting for someone to reboot so that it could delete the reboot sector and other drives. Since there was no human there to press enter, it never reached the boot sector or our D drives, where our customer data was stored,” he says.
Despite that silver lining, the company had a procurement nightmare on its hands: it had to find all of the requisite hardware to rebuild 12,000 to 15,000 machines and to completely replace 700 to 1,000 laptops and hundreds of servers and pieces of networking equipment.
And it began its recovery over a holiday weekend. “No one has hundreds and hundreds of backup supplies on hand, but we were lucky in that our partners really felt our pain and they stood by us,” says the spokesperson. “We needed servers overnight on a holiday weekend and Dell ordered chip sets shipped from China for us and even opened some factories to advance our orders.”
Even with the help of its partners, though, procurement and rebuilding was an enormous struggle. “We worked around the clock; didn’t spare any expense on consulting, hardware, software, whatever it took to get our systems up and running,” says the spokesperson. “We had to touch every machine, bring it up in a Linux mode, recover data from the D drives, and then rebuild the machine from scratch. That’s what we had to do for all 12,000 to 15,000 machines.”
In the meantime, the software company provided alternative platforms, applications, and other solutions free of cost to all of its customers that had been impacted by the attack, bringing them up to at least a minimal product capability while full system capabilities were being restored.
But remember, this company is not a healthcare organization. There was no risk that the virus would interfere with the operation of medical devices. The same can’t be said of most healthcare organizations, whose wide array of connected devices is often too outdated to receive patches or updates.
“Imagine you’re a hospital and you get hit by cyber munitions and you’ve lost confidence in your medical devices because of the damage done by the attack,” says Gomez. “Now, you suddenly have to replace thousands of devices. How do you do that? Do you even have a contingency plan for that?”
As Gomez notes, “You could be in a situation where you’ve got six months to a year before manufacturers can replace every device. If this includes life support systems, for example, you’re going to either have to transfer patients to other hospitals, or you may get other hospitals to lend you equipment for a short period of time; but there’s not usually pre-existing agreements in place for anything like that, so the havoc it would cause would be devastating.”
The software provider and the others that survived the NotPetya attack now have one advantage over other organizations: they have a better idea of how to protect themselves. Of necessity, they have already put new systems and practices into place.
“Our security wasn’t weak,” notes the software company spokesperson. “What we had to do was redouble all of our postures in terms of network, virtual, physical, and system protections. We enhanced segregation, increased scanning and testing, added more backups, a second anti-virus system. We have an agent on every machine that monitors and can shut it down automatically if suspicious activity is detected, so that it can’t spread the way the NotPetya malware did. And every machine that’s going to be on our network has to pass a security audit.”
The cost of preparing and protecting is often the stumbling block for IT security teams, even at healthcare organizations that must meet HIPAA, HIMSS, and other regulatory requirements for protecting patient data.
But Gomez points to the experience of the software company, FedEx, and others, who lost so many billions in a “side effect” attack. “Ask yourself what would happen if such a virus got into your systems,” he says. “The cost of setting up proper cybersecurity is a fraction of what you could lose in such a scenario.”