Published 17 July 2018

What can we learn from the most devastating cyberattacks of 2017?

For many companies, particularly those in the logistics and utilities sectors, 2017 was a year of reckoning with a new era of cyberthreat. In a year that began with allegations that state-sponsored hacking had been used to influence the 2016 US Presidential Election, followed hotly by two of history’s most devastating ransomware attacks, WannaCry and NotPetya, scarcely a day went by without cybercrime dominating the headlines.

Logistics companies found themselves thrown unexpectedly into the centre of this new threat landscape following high-profile incidents such as the complete shutdown of A.P. Moller-Maersk’s global shipping operations by the NotPetya malware. Maersk, which carries around 15% of global container shipping, was forced to shut down all of its communications systems to isolate the malware, causing ships to come to a standstill at sea and operations to halt in 76 ports worldwide, at an estimated cost of up to $300 million. Maersk was far from alone here: in 2017, targets as diverse as Deutsche Bahn in Germany, Cadbury’s chocolate factory in Australia and the UK’s National Health Service fell victim to these attacks. Both WannaCry and NotPetya are examples of what have been called Gen V cyberattacks. Unlike many earlier targeted hacks and viruses, Gen V attacks are designed to operate on a huge scale: they spread automatically from machine to machine without any action by the user, infecting hundreds of thousands of machines within hours, and their indiscriminate spread makes them difficult to trace back to a single source.

WannaCry

WannaCry, which spread across the world in May 2017, is a piece of ransomware, a type of malware (malicious software) which seeks to extract money directly from its victims. When a system is infected with ransomware, the program immediately sets about encrypting files to prevent users from accessing them. When the encryption is complete, the program presents a screen demanding payment of a ransom by a certain deadline, failing which, it claims, the encrypted files will be permanently destroyed. What set WannaCry apart was that it was also a worm: it spread between computers on its own, using an exploit known as EternalBlue against a vulnerability in the SMBv1 file-sharing protocol of unpatched versions of Windows. The exploit was developed by the US National Security Agency and publicly leaked by the Shadow Brokers group in April 2017. The ransomware disrupted the computing systems of a host of organisations, from Boeing to the UK’s National Health Service (NHS). The impacts of this form of attack can be devastating, particularly to logistics and essential service providers and their customers. The infection of the NHS caused the cancellation of close to 7000 healthcare appointments, sowing chaos through the UK’s healthcare system.

But here’s the craziest part: Microsoft released a patch for the vulnerability exploited by WannaCry (security bulletin MS17-010) in March 2017, two months before the malware first appeared. Organisations that had applied it were not vulnerable to the exploit WannaCry used to spread. Those still running versions of Windows that Microsoft no longer supported, such as Windows XP, only received an emergency patch once the outbreak was already under way, which is one more reason to retire unsupported software rather than rely on it.
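The patch-hygiene lesson above, turned into a check an administrator can actually run. This is an added example and not code from the original article or from Cyber Citadel: a PowerShell script that reports whether a Windows host still has the SMBv1 server enabled and whether any of the MS17-010 hotfixes is installed, with a separate remediation function. It assumes an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later, where the SMB cmdlets exist; the KB numbers listed are a subset taken from the MS17-010 bulletin and are an assumption to be verified against the exact Windows builds in your estate.

```powershell
# Added example (not from the original article): audit the two conditions
# that let WannaCry spread on a host: SMBv1 enabled, and the MS17-010 fix
# missing. Run in an elevated PowerShell on Windows 8.1 / Server 2012 R2
# or later (Get-SmbServerConfiguration does not exist on Windows 7).
#
# Assumption: this KB list is a subset of the MS17-010 bulletin; extend it
# for the Windows versions you actually run.
$ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010State {
    # Returns one object describing whether this host still exposes the
    # SMBv1 attack surface that EternalBlue targets.
    $smb = Get-SmbServerConfiguration
    $installed = Get-HotFix |
        Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        Smb1Enabled    = [bool]$smb.EnableSMB1Protocol
        Ms17010Patches = ($installed -join ',')
        # Later cumulative updates supersede the original KBs, so a missing
        # KB on a host that receives monthly updates is not proof of
        # exposure. "SMBv1 enabled" is the reliable signal: with the
        # protocol off, the EternalBlue transport is gone regardless.
        ExposedViaSmb1 = [bool]$smb.EnableSMB1Protocol
    }
}

function Disable-Smb1 {
    # Remediation: switch off the SMBv1 server immediately, then remove
    # the optional feature so it does not come back (feature name valid on
    # Windows 10 / Server 2016 and later; a reboot completes the removal).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# Report on this host. On one that shows Smb1Enabled = True, run Disable-Smb1
# after confirming nothing legacy (old NAS, printers, scanners) still needs SMBv1.
Test-Ms17010State | Format-List
```

Across an estate, run `Test-Ms17010State` through `Invoke-Command` against your server and workstation lists and collect the objects centrally; a host with SMBv1 enabled and no MS17-010 hotfix is exactly the machine WannaCry was written for.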

The lessons to be learned from WannaCry are not purely technical (keep your software updated!), but also managerial. In order to prevent attacks, and to respond effectively when they occur, organisations need clear guidelines for staff which establish who is responsible for monitoring and updating IT systems. Confusion over these responsibilities is often what leads to slow responses to known vulnerabilities, which can jeopardise sensitive customer data and potentially cost billions.

NotPetya

Only a month after the WannaCry attacks, an even more dangerous piece of malware emerged: NotPetya. Like WannaCry, NotPetya presented itself as ransomware, encrypting files on infected computers and then overwriting the boot record so that the machine could no longer start. It also used the same leaked NSA exploits against the SMBv1 vulnerability, so organisations which had failed to take precautions against WannaCry by updating their systems were exposed once again. But patching alone was not enough this time: NotPetya also stole the passwords of logged-in users from memory and used legitimate Windows administration tools (PsExec and WMI) to log in to other machines with those credentials. A single unpatched or already compromised machine was therefore enough for it to spread across a fully patched network, especially where administrator accounts were shared widely. The distinctive aspect of NotPetya is just how destructive it was. The so-called encryption it performs on an infected machine’s hard drive is in reality a wiping operation: the key needed to undo it is never stored or sent anywhere the attackers could retrieve it, and the “installation ID” shown on the ransom screen is random data, so the files are permanently unrecoverable even if the victim chooses to pay the ransom.

The attack was centred on Ukraine and spread across the world through M.E.Doc, an accounting package widely used by organisations with operations in Ukraine for their local tax filing. The attackers compromised M.E.Doc’s update servers and delivered the malware to customers as a legitimate software update, which then carried it from the accounting software into the rest of the network; it is through this third-party software that Maersk’s systems were infected. This reveals another important lesson of the attacks, and one to which logistics companies in particular need to pay attention: you are only as secure as your trusted third parties. When you rely on an external company or piece of software, you generally give it privileged access to your IT systems, and an automatic update mechanism in particular runs code of the vendor’s choosing on your machines without anyone at your end inspecting it. If the third party’s systems are compromised, there is a good chance yours will be too. Many companies do not possess a full picture of their third-party dependencies, and as such are unaware of the many possible paths through their cybersecurity defences.

The final lesson of NotPetya is a simple one: prepare for the worst. Cyberattacks are a constant feature of the modern digital landscape, and companies can no longer hope that they will be lucky enough not to fall victim. This is the takeaway of Maersk CEO Soren Skou, who says that while nobody can prevent an attack like that occurring again, his priority is to prepare his company to be able to “isolate an attack quicker and restore systems quicker.”

– Jonathan Sharrock, Cyber Citadel.