The article chooses not to get into stunning mistakes by Merck's IT that allowed this to happen in the first place. The patches for the EternalBlue exploit were released by Microsoft on March 14, but Merck's IT chose to sit on it for over three months. (Like many large companies, they disable Windows update, choosing to release patches on their own schedule.) Even after the WannaCry attack crippled computers around the world on May 12, they still had a month before NotPetya brought them to their knees on June 27.
In a targeted attack, it's likely the foreign agency would be using a 0-day attack.
The only way to protect against that is by reducing the OS monoculture, offline backups, and using network air gaps on critical data.
But those practices are extremely rare in my experience.
If I was on unfriendly terms with the US, I'd use this as a case study on how to cripple the economy by taking advantage of the large monocultures created by lax IT in a hundred or so of the largest firms.
A targeted attack is also expensive and the victim would need to have something worth this kind of money and attention. "Nation state actor" just isn't a reasonable risk assumption for a great many organizations.
> The only way to protect against that is by reducing the OS monoculture, offline backups, and using network air gaps on critical data.
When the "nation state actor" comes looking for you with some motivation, all that and the air gap won't mean much. See Stuxnet.
Like J. Mickens said: "Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT."
Having every machine in the company three months out of date on critical security patches is just negligence. I'm surprised the insurance companies didn't take that tack.
Merck has a new IT Head - joined in Nov 2018. The attack happened in Jun 2017 (i.e., 1.5 years earlier). Jim Scholefield - https://www.linkedin.com/in/jimscholefield/ Great pedigree: Nike, Coca Cola etc.
[Edit]
Seems to be: He will also have oversight of cyber-security – a big issue for the company after a ransomware attack in June 2017 brought the company to a grinding halt. Scholefield will be part of the company’s executive committee, reflecting how integral the digital transformation drive is to the business.
http://www.pmlive.com/pharma_news/merck_and_co_picks_nike_ex...
My favorite memory was a mandatory security training for all employees. They had a couple of slides on how to make a good password, and one recommendation was to use "keyboard encryption". This is a technique to take a bad password like "ClevelandIndians" and shift the keys to the right (or other direction) to get "V;rbr;smfOmfosmd", a supposedly better password. I stood up at the Q&A time and "asked" how this meaningfully improved passwords given that it added at most two bits of entropy. I also responded to the "how was the training" survey with a recommendation to teach people correcthorsebatterystaple-style passwords instead. Colleagues who had been assigned to a later session said that a slide containing the XKCD comic had been inserted into the deck.
However in these situations those systems are siloed and segregated so that things don’t propagate. I have no idea how Merck is set up.
Either IT or this person is grossly incompetent. Beyond patch policies, managing data this way is terrifying.
Obama used covert action against Russia in response to election meddling. "Obama used covert retaliation in response to Russian election meddling." https://www.washingtonpost.com/news/monkey-cage/wp/2017/06/2... Trump is not responding.
Is hybrid warfare a warfare until it includes conventional warfare in the mix?
https://en.wikipedia.org/wiki/Hybrid_warfare
> Hybrid warfare is a military strategy which employs political warfare and blends conventional warfare, irregular warfare and cyberwarfare[1] with other influencing methods, such as fake news,[2] diplomacy, lawfare and foreign electoral intervention.
> The U.S. Army Chief of Staff defined a hybrid threat in 2008 as an adversary that incorporates "diverse and dynamic combinations of conventional, irregular, terrorist and criminal capabilities".[9] The United States Joint Forces Command defines a hybrid threat as, “any adversary that simultaneously and adaptively employs a tailored mix of conventional, irregular, terrorism and criminal means or activities in the operational battle space. Rather than a single entity, a hybrid threat or challenger may be a combination of state and nonstate actors".[9] The U.S. Army defined a hybrid threat in 2011 as "the diverse and dynamic combination of regular forces, irregular forces, criminal elements, or a combination of these forces and elements all unified to achieve mutually benefiting effects".[9] NATO uses the term to describe "adversaries with the ability to simultaneously employ conventional and non-conventional means adaptively in pursuit of their objectives"
* Act of war is poorly defined (and gets more poorly defined by the year). Since insurers use this term and (I assume) wrote the contracts, any reasonable question over its definition should be interpreted in the insured's favour. That's how most contract law works since otherwise the contract writer has a perverse incentive to make their contract language unclear and then argue definitions and technicalities. That's not just dishonest, it creates unnecessary uncertainty and excess court cases and those cost everyone.
* I was sort of amazed by mention of the president's pronouncements as if they mattered. Do they matter legally? They shouldn't: presidents are in no way a reliable source of information on geopolitical matters. Quite the opposite, they have the most motive to lie and it's literally often illegal to expose that (if an NSA employee leaked classified proof it was NOT the Russians, they'd be imprisoned under the espionage act). Leaving aside the current president's reliability, Obama pronounced on the Sony hack, blaming North Korea. Almost 5 years later and no evidence has been produced and plenty of people doubt that. It's also worth noting that no president should be empowered to effectively decide billion (trillion?) dollar lawsuits without oversight or scrutiny, they're not kings after all.
* Finally I thought how adult and reasonable Lloyds' response was. Both in settling the claim (assuming they did so for a reasonable fraction of what was owed) and requiring explicit cyber policies going forwards. That's the act of a group that is reasonable and wishes to take a long term, useful, role in the economy. Any bozo can sell "insurance" policies and then quibble over every claim, the result is people stop buying. But honouring your commitments and correcting yourself going forwards is exactly what we need in insurers. I wonder what can be done to get US Corporate structures to follow a similar model?
You're telling me that you had never backed up anything in the span of 15 years?
One would need to dig deeper to get a really informed opinion. I do believe Russia to be able and willing to do that, I do believe the so-called "Western intelligence agencies" to blame any malware on Russia or China on the flimsiest evidences.
There is also the possibility that the same tools were used both by the GRU and Russian criminals, leading to a misleading identification. Black hats would totally take someone else's malware and modify it for their purpose while still hiding their tracks.
Zero days are expensive to get but once they are exploits in the wild, they are anyone's to use.
So, even if in the infosec world you can never say never, just as Stuxnet is generally attributed to Israel/USA, in the same way NotPetya is attributed to Russia, even though none of these countries will ever admit they actually did it.
There are a ton of security experts who have indeed dug deeper, and came to the conclusion that it was Russia.
It’s completely reckless use of malware and there should be consequences for Russia not taking care of their offensive weapons and causing serious damage.
But phrases like “act of war” shouldn’t be thrown around like that. I highly doubt that was Russia’s intention, which I think should matter, even if we still find them at fault.
Oh wait, here we are. Hope your bunker is ready! https://www.zdnet.com/article/in-a-first-israel-responds-to-...
This stuff is fundamentally different than the case where a group of people end up with guns and engage in politically motivated violence. It is really a form of advanced trolling. The fact that absolutely anyone can do this with no fear for their life or freedom makes it politically meaningless.
There is no such thing as cyberwar...
So insurance is really just about insuring against security lapses. It should be priced appropriately and should come with requirements.
This is the very definition of an accident, if the article is to be believed, with Merck not even being the target. Pay up insurers, this is why you exist.
Further, what is the point of insurance, especially for sensitive IP-laden companies like pharma research, if there's no protection against nation-state attacks, which aren't outside the realm of possibility for such companies.
If North Korea drops a nuclear bomb on China, and the nuclear cloud does collateral damage in India, that's still damage from an act of war.
Acts of war are excluded since insurance is designed to spread cost for isolated events. If my house burns down, everyone chips in to rebuild it. You can't reasonably insure widespread events. If an entire country is demolished, whether by war, flood, or other large-scale natural disaster, insurance would just go under.
Things are murky here. But not for those reasons. We can start with there not being a war, continue into covert ops not really being the same as war, and keep going for a while. I do think insurance SHOULD pay for this one. But it's not that simple.
But dropping a bomb on a facility in Ukraine, with equally destructive shrapnel destroying facilities all over the world? Knowing that using this weapon can easily cause such collateral damage?
We barely have the terminology for discussing this type of warfare. The initial attack was an act of war, certainly. Beyond that, we have to come up with definitions and reactions. At the very least, it’s a subject for diplomatic channels, maybe even sanctions.
It is interesting though to think about aftermath. If it is not an act of war, one can compromise a country's economy without going directly against the country itself.
An appropriate response needs to arise from a cooperative authority like the UN or Interpol, and needs a policy suited to address future events before they arise.
The US does this all the time and it is not labeled an act of war. The most famous incident is the Al-Shifa medical facility, but this is common practice in the "war on terror."
Suppose North Korea shoots artillery on Samsung factories. Is that not an act of war because they were targeting a company's buildings?
The US has some mixed messaging on cracking. On the one hand they reserve the right to consider attacks on them as acts of war (and to respond with bombs) on the other hand they have no reservations about cracking others (e.g. Iran).
How is something deliberately planned and executed, by a military intelligence agency, for weeks or months, an accident?
And how are you so sure Merck's IT team didn't fail to have backups, redundancy, security patches, etc. to prevent an attack of any sort from being such a big deal?
If the insurance claim is ~$1.3bn, we can safely say that the NotPetya cleanup isn't a trivial thing for them.
How many companies have we heard about who were totally screwed after a ransomware outbreak, because their only backups were online - network connected? Does anybody have offline backups anymore?
Is corporate IT negligent where it appears to have no disaster recovery plan?
It's an insurance policy... an act of war is a limitation on coverage.
No one is saying an act of war was specifically committed against Merck. Merck was damaged, filed a claim with its insurance and the insurer denied coverage because the damage was the result of an act of war (that has nothing to do with Merck being a country or the attack being directed at Merck).
Can we stop calling these things "cyber attacks" or "hacks"? I think "gross negligence on applying even basic information security" and "a focus on security theatrics" fit much better.
$1.7B? They should be able to destroy and rebuild their entire infrastructure in less than a day.
Have tested backup and restore processes. Ideally have all users in VMs.
I don't see how this isn't entirely Merck's fault.
There's also something to be said for being the first large-scale victim of a category of catastrophe that is known to be a real threat, but hasn't happened on this scale before.
But you do have a point. There were probably security or IT ops people who warned about this, and if Merck's shareholders take the full hit, organizations will properly feel the risk and adjust their backup & restore processes accordingly. Not so if insurance pays the full damages.
All of us who are working in software and hardware are in a way to blame for this disaster and until everything is rebuilt from the ground up computing will depend on the worldwide cooperation of benevolent actors.
Whether insurers like AIG can run away from their contractual obligations playing the "cyber war" card is a different issue. Technically, it was a cyberattack similar to many others, no matter if the authors were Kremlin-employed or not.
Consider something like Stuxnet, it took years before it was truly discovered and attribution could be made, at least in a way which would hold up in a lawsuit about insurance claims.
This is a commercial extortion attempt, not an act of war. The insurers, as is their wont don't want to pay out.