Merck’s NotPetya attack: Was it an act of war? (inquirer.com)
The article chooses not to get into stunning mistakes by Merck's IT that allowed this to happen in the first place. The patches for the EternalBlue exploit were released by Microsoft on March 14, but Merck's IT chose to sit on it for over three months. (Like many large companies, they disable Windows update, choosing to release patches on their own schedule.) Even after the WannaCry attack crippled computers around the world on May 12, they still had a month before NotPetya brought them to their knees on June 27.
In a targeted attack, it's likely the foreign agency would be using a 0-day attack.
The only way to protect against that is by reducing the OS monoculture, offline backups, and using network air gaps on critical data.
But those practices are extremely rare in my experience.
If I was on unfriendly terms with the US, I'd use this as a case study on how to cripple the economy by taking advantage of the large monocultures created by lax IT in a hundred or so of the largest firms.
A targeted attack is also expensive and the victim would need to have something worth this kind of money and attention. "Nation state actor" just isn't a reasonable risk assumption for a great many organizations.
> The only way to protect against that is by reducing the OS monoculture, offline backups, and using network air gaps on critical data.
When the "nation state actor" comes looking for you with some motivation, all that and the air gap won't mean much. See Stuxnet.
Like J. Mickens said: "Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good pass-word and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT."
Having every machine in the company three months out of date on critical security patches is just negligence. I'm surprised the insurance companies didn't take that tack.
Merck has a new IT Head - joined in Nov 2018. The attack happened in Jun 2017 (i.e., 1.5 years earlier). Jim Scholefield - https://www.linkedin.com/in/jimscholefield/ Great pedigree: Nike, Coca Cola etc.
[Edit]
Seems to be: He will also have oversight of cyber-security – a big issue for the company after a ransomware attack in June 2017 brought the company to a grinding halt. Scholefield will be part of the company’s executive committee, reflecting how integral the digital transformation drive is to the business.
http://www.pmlive.com/pharma_news/merck_and_co_picks_nike_ex...
My favorite memory was a mandatory security training for all employees. They had a couple of slides on how to make a good password, and one recommendation was to use "keyboard encryption". This is a technique to take a bad password like "ClevelandIndians" and shift the keys to the right (or other direction) to get "V;rbr;smfOmfosmd", a supposedly better password. I stood up at the Q&A time and "asked" how this meaningfully improved passwords given that it added at most two bits of entropy. I also responded to the "how was the training" survey with a recommendation to teach people correcthorsebatterystaple-style passwords instead. Colleagues who had been assigned to a later session said that a slide containing the XKCD comic had been inserted into the deck.
However, in these situations those systems are siloed and segregated so that things don’t propagate. I have no idea how Merck is set up.
Either IT or this person is grossly incompetent. Beyond patch policies, managing data this way is terrifying.
Obama used covert action against Russia in response to election meddling. "Obama used covert retaliation in response to Russian election meddling." https://www.washingtonpost.com/news/monkey-cage/wp/2017/06/2... Trump is not responding.
Is hybrid warfare a warfare until it includes conventional warfare in the mix?
https://en.wikipedia.org/wiki/Hybrid_warfare
> Hybrid warfare is a military strategy which employs political warfare and blends conventional warfare, irregular warfare and cyberwarfare[1] with other influencing methods, such as fake news,[2] diplomacy, lawfare and foreign electoral intervention.
> The U.S. Army Chief of Staff defined a hybrid threat in 2008 as an adversary that incorporates "diverse and dynamic combinations of conventional, irregular, terrorist and criminal capabilities".[9] The United States Joint Forces Command defines a hybrid threat as, “any adversary that simultaneously and adaptively employs a tailored mix of conventional, irregular, terrorism and criminal means or activities in the operational battle space. Rather than a single entity, a hybrid threat or challenger may be a combination of state and nonstate actors".[9] The U.S. Army defined a hybrid threat in 2011 as "the diverse and dynamic combination of regular forces, irregular forces, criminal elements, or a combination of these forces and elements all unified to achieve mutually benefiting effects".[9] NATO uses the term to describe "adversaries with the ability to simultaneously employ conventional and non-conventional means adaptively in pursuit of their objectives"
* Act of war is poorly defined (and gets more poorly defined by the year). Since insurers use this term and (I assume) wrote the contracts, any reasonable question over its definition should be interpreted in the insured's favour. That's how most contract law works, since otherwise the contract writer has a perverse incentive to make their contract language unclear and then argue definitions and technicalities. That's not just dishonest, it creates unnecessary uncertainty and excess court cases, and those cost everyone.
* I was sort of amazed by mention of the president's pronouncements as if they mattered. Do they matter legally? They shouldn't: presidents are in no way a reliable source of information on geopolitical matters. Quite the opposite, they have the most motive to lie and it's literally often illegal to expose that (if an NSA employee leaked classified proof it was NOT the Russians, they'd be imprisoned under the espionage act). Leaving aside the current president's reliability, Obama pronounced on the Sony hack, blaming North Korea. Almost 5 years later and no evidence has been produced and plenty of people doubt that. It's also worth noting that no president should be empowered to effectively decide billion (trillion?) dollar lawsuits without oversight or scrutiny; they're not kings after all.
* Finally, I thought how adult and reasonable Lloyds' response was. Both in settling the claim (assuming they did so for a reasonable fraction of what was owed) and requiring explicit cyber policies going forwards. That's the act of a group that is reasonable and wishes to take a long term, useful role in the economy. Any bozo can sell "insurance" policies and then quibble over every claim; the result is people stop buying. But honouring your commitments and correcting yourself going forwards is exactly what we need in insurers. I wonder what can be done to get US corporate structures to follow a similar model?
You're telling me that you had never backed up anything in the span of 15 years?
One would need to dig deeper to get a really informed opinion. I do believe Russia to be able and willing to do that; I do believe the so-called "Western intelligence agencies" to blame any malware on Russia or China on the flimsiest evidence.
There is also the possibility that the same tools were used both by the GRU and Russian criminals, leading to a misleading identification. Black hats would totally take someone else's malware and modify it for their purpose while still hiding their tracks.
Zero days are expensive to get but once they are exploits in the wild, they are anyone's to use.
So, even if in the infosec world you can never say never, just as Stuxnet is generally attributed to Israel/USA, in the same way NotPetya is attributed to Russia, even though none of these countries will ever admit they actually did it.
There are a ton of security experts who have indeed dug deeper, and came to the conclusion that it was Russia.
It’s completely reckless use of malware and there should be consequences for Russia not taking care of their offensive weapons and causing serious damage.
But phrases like “act of war” shouldn’t be thrown around like that. I highly doubt that was Russia’s intention, which I think should matter, even if we still find them at fault.
Oh wait, here we are. Hope your bunker is ready! https://www.zdnet.com/article/in-a-first-israel-responds-to-...
This stuff is fundamentally different than the case where a group of people end up with guns and engage in politically motivated violence. It is really a form of advanced trolling. The fact that absolutely anyone can do this with no fear for their life or freedom makes it politically meaningless.
There is no such thing as cyberwar...
So insurance is really just about insuring against security lapses. It should be priced appropriately and should come with requirements.
This is the very definition of an accident, if the article is to be believed, with Merck not even being the target. Pay up insurers, this is why you exist.
Further, what is the point of insurance, especially for sensitive IP-laden companies like pharma research, if there's no protection against nation-state attacks, which aren't outside the realm of possibility for such companies?
Can we stop calling these things "cyber attacks" or "hacks"? I think "gross negligence on applying even basic information security" and "a focus on security theatrics" fit much better.
$1.7B? They should be able to destroy and rebuild their entire infrastructure in less than a day.
Have tested backup and restore processes. Ideally have all users in VMs.
I don't see how this isn't entirely Merck's fault.
There's also something to be said for being the first large-scale victim of a category of catastrophe that is known to be a real threat, but hasn't happened on this scale before.
But you do have a point. There were probably security or IT ops people who warned about this, and if Merck's shareholders take the full hit, organizations will properly feel the risk and adjust their backup & restore processes accordingly. Not so if insurance pays the full damages.
All of us who are working in software and hardware are in a way to blame for this disaster and until everything is rebuilt from the ground up computing will depend on the worldwide cooperation of benevolent actors.
Whether insurers like AIG can run away from their contractual obligations playing the "cyber war" card is a different issue. Technically, it was a cyberattack similar to many others, no matter if the authors were Kremlin-employed or not.
Consider something like Stuxnet, it took years before it was truly discovered and attribution could be made, at least in way which would hold up in a lawsuit about insurance claims.
This is a commercial extortion attempt, not an act of war. The insurers, as is their wont don't want to pay out.
If North Korea drops a nuclear bomb on China, and the nuclear cloud does collateral damage in India, that's still damage from an act of war.
Acts of war are excluded since insurance is designed to spread cost for isolated events. If my house burns down, everyone chips in to rebuild it. You can't reasonably insure widespread events. If an entire country is demolished, whether by war, flood, or other large-scale natural disaster, insurance would just go under.
Things are murky here. But not for those reasons. We can start with there not being a war, continue into covert ops not really being the same as war, and keep going for a while. I do think insurance SHOULD pay for this one. But it's not that simple.
But dropping a bomb on a facility in Ukraine, with equally destructive shrapnel destroying facilities all over the world? Knowing that using this weapon can easily cause such collateral damage?
We barely have the terminology for discussing this type of warfare. The initial attack was an act of war, certainly. Beyond that, we have to come up with definitions and reactions. At the very least, it’s a subject for diplomatic channels, maybe even sanctions.
It is interesting though to think about aftermath. If it is not an act of war, one can compromise a country's economy without going directly against the country itself.
An appropriate response needs to arise from a cooperative authority like the UN or Interpol, and needs a policy suited to address future events before they arise.
The US does this all the time and it is not labeled an act of war. The most famous incident is the Al-Shifa medical facility, but this is common practice in the "war on terror."
Suppose North Korea shoots artillery on Samsung factories. Is that not an act of war because they were targeting a company's buildings?
The US has some mixed messaging on cracking. On the one hand they reserve the right to consider attacks on them as acts of war (and to respond with bombs) on the other hand they have no reservations about cracking others (e.g. Iran).
How is something deliberately planned and executed, by a military intelligence agency, for weeks or months, an accident?
And how are you so sure Merck's IT team didn't fail to have backups, redundancy, security patches, etc. to prevent an attack of any sort from being such a big deal?
If the insurance claim is ~$1.3bn, we can safely say that the NotPetya cleanup isn't a trivial thing for them.
How many companies have we heard about who were totally screwed after a ransomware outbreak, because their only backups were online - network connected? Does anybody have offline backups anymore?
Is corporate IT negligent where it appears to have no disaster recovery plan?
It's an insurance policy... an act of war is a limitation on coverage.
No one is saying an act of war was specifically committed against Merck. Merck was damaged, filed a claim with its insurance and the insurer denied coverage because the damage was the result of an act of war (that has nothing to do with Merck being a country or the attack being directed at Merck).
I’ve seen enough issues this year with Azure and multi-factor SSO being down. It makes me wary of Microsoft’s updates. Lots of customers screaming because they can’t access our portals.
Sometimes your vendors have to wait for Microsoft to fix something they broke which complicates it even more.
I have seen US TLAs blame China on really laughable evidence (and fail to do it properly on the one undeniable attack they did on GitHub).
Insurance policies have often tried to exclude the highly-unlikely-but-ruinously-costly coverage; hence the similar "acts of god" exclusions (and obvs there's rarely any disagreement about whether god was specifically the actor). A war is usually a large-scale event causing a large amount of damage; without excluding it you would expect many insurers to be bankrupted. "Cyberwar" is something of a different matter and I could see why either side would want to litigate to clarify the definition.
I don't think that is right. You don't decide to be a criminal, you decide to perform an action, you get labelled then by others.
Some people want to destroy big businesses, they can possibly make as much money as they need already.
Of course you can make money through a side-channel that's less traceable too.
Note that it could make sense to a pro-Russia Ukrainian group to extort money abroad and to hurt the target economically. That seems to be the Russian MO to not be directly implicated in the Ukrainian operations: help the groups that are already in place with tools, weapons and money.
They give up direct control over the actions in exchange of deniability.
So it was targeted at the Ukraine, but plenty of multinational companies also operate there, so they were collateral damage.
Are you saying those are better than the 'keyboard encryption'? Because they're not, every password cracker has functionality to string dictionary words together in various permutations.
The idea of "correcthorsebatterystaple-style" passwords is to randomly choose 4 words from a pool of about 2000 words. That gives about 11 bits of entropy per word, for a total of 44 bits.
With a 2-word "keyboard encryption", even if you choose the two words the same way, you only get 24 bits of entropy: 22 bits for the words plus 2 more bits for the choice of which direction to shift (up/down/left/right = 4 options = 2 bits).
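As an added illustration (not from any commenter in the thread), the following Python models the "keyboard encryption" trick from the training slide and the entropy comparison above; it assumes a US QWERTY layout and a 2048-word list standing in for "about 2000 words".

```python
"""Passphrase entropy vs. the "keyboard encryption" trick (added example).

Assumptions, none of which come from the thread itself: a US QWERTY layout,
a 2048-word list (so each uniformly chosen word is worth exactly 11 bits),
and an adversary who knows the scheme and only has to guess the secret parts.
"""
import math

# Rows of a US QWERTY keyboard, used to model "shift every key one position
# to the right" (offset=+1) or to the left (offset=-1) along its row.
QWERTY_ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]


def _shift_map(offset: int) -> dict:
    """Build a character map that moves each key `offset` positions along its row."""
    table = {}
    for row in QWERTY_ROWS:
        for i, ch in enumerate(row):
            j = i + offset
            if 0 <= j < len(row):
                table[ch] = row[j]
    return table


def keyboard_shift(password: str, offset: int = 1) -> str:
    """Apply the slide's "keyboard encryption" to a password.

    The mapping is a fixed, publicly known bijection on the keyboard, so it
    is trivially reversible by anyone who knows the trick (see the inverse
    shift in main). Capitalisation is preserved; keys with no neighbour in
    the chosen direction are left unchanged.
    """
    table = _shift_map(offset)
    out = []
    for ch in password:
        low = ch.lower()
        shifted = table.get(low, low)
        out.append(shifted.upper() if ch.isupper() else shifted)
    return "".join(out)


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of `num_words` words chosen uniformly from `wordlist_size` words."""
    return num_words * math.log2(wordlist_size)


def keyboard_shift_entropy_bits(num_words: int, wordlist_size: int,
                                num_directions: int = 4) -> float:
    """Entropy of the shift trick applied to words chosen the same way.

    The only secret the transform adds is which direction was used, so the
    gain is log2(num_directions): 2 bits for up/down/left/right.
    """
    return passphrase_entropy_bits(num_words, wordlist_size) + math.log2(num_directions)


def main() -> None:
    pw = "ClevelandIndians"          # the slide's example, as quoted upthread
    shifted = keyboard_shift(pw, 1)
    print(f"{pw} -> {shifted}")
    # The transform undoes itself with the opposite offset: no secret is kept.
    print("inverse recovers original:", keyboard_shift(shifted, -1) == pw)
    print("4 random words      :", passphrase_entropy_bits(4, 2048), "bits")
    print("2 words + key shift :", keyboard_shift_entropy_bits(2, 2048), "bits")


if __name__ == "__main__":
    main()
```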
Dictionary has a lot of words. Even if you knew I chose 4 of them, gonna take you a little bit of time to get through those combos.
Arguably, yes. Merck isn't a small time start-up. They've been on the Fortune 500 list for 60+ years. They can afford whatever layers of backup and redundancy they need.
> Does anybody have offline backups anymore?
Previous gigs, for large ISPs and related orgs, did. This was on a team-by-team basis, though.
Don't discount the insurers just yet. The act of war exclusion is likely preferable for the insurers because it would seem to broadly cover the entire incident and because it really doesn't require a whole lot of detailed discovery into Merck's internal processes. But if that fails, then the insurers will, most likely, once again try to deny the claim, this time focusing on the details of the cybersecurity-based policy exclusions.
My guess, with no evidence to back it up, is that the policy is very detailed and specific, and upon investigating its application, the insurers will reveal a lack of proper defense and mitigation processes by Merck, just as you describe.
I will put it another way. I feel quite confident the 9/11 bombers did not know, or specifically target, my friends and acquaintances who died in those towers. Therefore, are you going to claim 9-11 was an accident?
If I intend to rob a convenience store, and in the process of doing so, my gun goes off and the clerk is shot and killed, was it just an accident?
9/11 was presumably intended to damage as much property and kill as many people as possible. So no, the people who died as a result of that terrorist attack against the US were not killed by accident.
Yes, if your gun accidentally goes off during a robbery, that is by definition an accident. An accident that could have been avoided if different choices had been made, but still an accident.
If the intended target in this case was the Ukraine, and companies in the USA suffered immense damages, it's reasonable to ask if those unintended consequences were accidental. Similar to how a bomb dropped on an Italian border in WWII might accidentally kill allied French citizens on the other side of the border. With cyber warfare it becomes much more interesting, because those accidents don't respect physical distance.
A guy drinks two quarts of whisky at his favorite bar then drives home. On the way in his drunken state he runs a red light, smashes into a school bus and kills a 9 year old he never met named Mikey. Whoops, sorry Mikey's mom and dad, it was just an accident! Because Tchaffee says so.
I kind of feel, and I'm not going to pretend I'm an expert, that digital warfare should be treated closer to biological warfare than just your typical bombs and bullets kind. Generally, and holy shit I know someone is going to flip their shit for me saying this, but generally a regular bomb (not nuke) is an acute type of problem. After it goes off, it's GENERALLY harmless after that. Yes, structure collapse, contamination, gas leaks and other after effects. But not really more booms from the bomb. Weaponized ebola can still make more people sick, not affected by the original release. Same with NotPetya and other cyber attacks. After deployment, it can affect more and more targets as time goes on.
I would counter that you don't need to violate all of the US's defense to bomb Hawaii and we all know how that was received. So yes, a state sending assets to go destroy some other state's property within the borders of said state is generally considered an act of war. That said, details matter a lot and these situations are basically handled on a case by case basis.
E.g. I’d argue that if China announced it would not repay its massive Treasury debts to the US, that would basically be an act of war even if no aggression was used, just due to the extreme destructive effects. And the reaction would be similarly upsetting, although not quite on the level of an unprovoked, large-scale military action.
But it quickly becomes a discussion of semantics at that point ;)
What may be the source of confusion is that the Geneva convention requires wearing uniforms... to get the protections afforded by the Geneva convention. If your troops violate that requirement, then that means that if they're captured without uniforms, the enemy is free to not fulfil the prisoner of war treatment required by the Geneva conventions, but summarily execute all of them as spies; which was also often the practical consequence in WW2 if such troops were caught. A particular example may be the trial after WW2 of Otto Skorzeny and other officers for Nazi troops wearing USA uniforms during Operation Greif in the Battle of the Bulge, where they were acquitted on the claimed charges of war crimes because these actions were considered by the court as a 'legitimate ruse of war'.
If I recall correctly, masquerading as the Red Cross could be a war crime, there are specific provisions for that, but the international treaties do not prohibit masquerading as civilians or enemy troops, or performing all kinds of other misinformation.
For most members in most militaries, it's a legal requirement set by their command to wear uniforms - but it's a requirement that the commanders can alter if they deem it necessary.
[0] https://ihl-databases.icrc.org/ihl/WebART/470-750111 (paragraph 3.f)
If it is done by a state military agency, then it's an act of war.
If it is done by civilians without support of and not directed by a state, then it's terrorism.
If it is done by civilians, with support of or directed by a state, then it's state-sponsored terrorism, a war crime.
There is no excuse for warriors not wearing a uniform in their own country.
Dec. 2: https://www.oregonlive.com/crime/2019/12/drunk-driver-who-ki...
Nov 14: https://www.inquirer.com/news/david-strowhouer-sentence-dui-...
Nov 8: https://eccalifornian.com/drunk-driver-given-second-degree-m...
Nov 15: https://www.pressconnects.com/story/news/public-safety/2019/...
first-degree manslaughter, third-degree murder, second-degree murder, first-degree vehicular manslaughter
"Involuntary" isn't in any of these. And these are just the first few search results.
"DUI manslaughter charges are more common than DUI murder charges. Simply put, an intoxicated driver is arrested after causing an accident that resulted in the death of another person. The driver did not intend to cause the death, but it happened as a result of drunk driving."
https://dui.findlaw.com/dui-charges/dui-manslaughter-and-dui...
It would be child's play for anyone at this point to use a search engine to dig up loads of examples of people convicted for involuntary manslaughter as a result of killing someone while drunk driving.
"On an Italian border." Where else could the blast possibly go, except on both sides of the border?
The flaw in your logic this whole time is your insistence that anything unintended = accident. Things can be unintended but also not an accident. All the previous examples. Involuntary manslaughter laws tend to use the word "unintentional" but not "accidental." How about the Free Solo guy -- certainly he didn't intend to die, but had he slipped and fallen, when the whole point of the climb was to do it without any safety equipment, it couldn't be classified as an accident. Car "accidents" are rarely accidents -- in most cases, one party failed to follow a safety signal or violated some rule. And yes, if you deliberately drop a bomb near a border, you can't claim the allies you killed on the other side were accidental. Collateral damage, yes; accidental, no.
If you cannot see that, or that it isn't "accidental" when a serial drunk driver kills someone, or a gun getting fired during a robbery also isn't accidental -- or when a government unleashes a computer virus that it knows will likely affect hundreds/thousands of computers owned by people or companies it doesn't care about -- well, you're maintaining a position about which few people would agree.
> you didn't qualify with "usually" or "often"
You're being pedantic. It is called involuntary manslaughter. And it's most often called that. And sometimes it is called other things. There is nothing false about my statement.
> same as if you had said "prime numbers are odd."
Not really. Same as if I had said "ALL prime numbers are odd". Which I did not say. "Prime numbers are odd" is a true statement. So is "prime numbers are even".
> The flaw in your logic this whole time is your insistence that anything unintended = accident
I never claimed that everything unintended is "just" an accident, but at this point you are just being pedantic. Your original claim was that something deliberately planned cannot result in accidents. That if something is planned, then the outcome itself must have also been planned. That's the flaw in your logic.
If the Russian government intended to attack Ukraine and a US company was unintentionally damaged, then no, that result was not planned.
In your original comment you claimed "knowing full well there would be plenty of collateral damage". Do you have proof that they knew there would be collateral damage? Do you have proof that they took no steps to try to contain the damage to Ukraine but they simply got it wrong?
> it isn't "accidental" when a serial drunk driver kills someone
How did the drunk driver all of a sudden become a serial drunk driver?
> a government unleashes a computer virus that it knows will likely affect hundreds/thousands of computers
Where is your evidence that they knew this?
> you're maintaining a position about which few people would agree.
So what? Does majority consensus determine logical consistency? And I'll claim the same thing: you are the one who is maintaining a position about which few people would agree. It's that easy.
It was intentional even if Merck wasn't targeted. Negligence and accident aren't magic words to hide behind if your initial goal is to cause harm in the first place. Stuxnet at least had a bunch of parameters and was highly specialized so it only deployed on its intended target with little to no chance of opening up its payload on an unintended target. I'm not going to argue whether or not Stuxnet was morally in the right. But, it sure as shit proves there is a format of trying to make sure unintended targets don't get harmed in the process of widespread release of cyber warfare.