Conditions are Right for a Cyber Attack Like We Have Never Seen Before

Global geopolitical and economic conditions are ripe for an unprecedented and devastating cyber attack. Too doomsday? Possibly, but one thing is undeniably clear—the combination of microchip supply chain issues and the emergence of numerous pieces of destructive malware has created a perfect storm. These are ideal conditions for the kind of cyber attack that could cause a victim to go offline not just for days but potentially weeks. Let’s set the stage…

The Cyber Impact of the Conflict in Ukraine and Beyond—A Disturbing New Trend

In the days and weeks following Russia’s military initial 2022 offensive into Ukraine, cyber security researchers focused on potential retaliatory cyber attacks against Western entities and businesses by the Russian Government as a response to Western sanctions.¹ So far, no governmental entities or cyber security researches have openly reported that those retaliatory attacks have come to fruition, but a much more insidious landscape has begun to form — one where nation states have released multiple pieces of highly destructive malware masquerading as ransomware.²

In April 2022, Microsoft released an in-depth report, “detailing the relentless and destructive Russian cyberattacks we’ve observed in a hybrid war against Ukraine.” Microsoft went on to describe how, for the first time in history, the world observed a conflict where Russia’s “use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians.”

Further, in the weeks leading up to and months following the invasion, multiple cyber security researchers went on to identify seven new pieces of highly destructive malware attributed or highly suspected of being attributed to Russian nation state advanced persistent threats. Every new piece of malware is destructive, either masquerading as ransomware or working in conjunction to deploy ransomware alongside a destructive malware. Either way, these pieces of malware can be devastating, with the intent to leave infected devices inoperable.³

Unfortunately, Russia was not the only nation state to release this type of destructive malware. In mid-July 2022, a cyber attack against the Albanian government, a NATO member, halted state websites and public services. The cyber security company, Mandiant, released a report of the attack detailing a new ransomware family named ROADSWEEP that the company attributed to Iranian actors.

The report detailed the attack’s use of ROADSWEEP alongside a previously unknown backdoor called CHIMNEYSWEEP and a new variant of the wiper malware named ZEROCLEAR.⁴ Further, the attack occurred just before the “World Summit of Free Iran,” a conference scheduled for July 23-24 in Albania and affiliated with a well-known opposition group to the Iranian Government.

The attack caused the postponement of the conference.⁵ On Sept. 7, 2022, the Albanian Government and U.S. Government attributed the attack to the Iranian Government, and Albania severed all diplomatic ties, ordering all Iranian diplomats to leave the county within 24 hours.^6,7 This is one of the most severe responses to a nation-state cyber attack in history.

What does that mean for private industry?

If history tends to repeat itself, one name comes to mind—NotPetya. NotPetya was a piece of destructive malware that, according to the U.S. Department of Justice, Russia used against Ukraine in 2017.⁸ While there is a significant malware family backstory and timeline that led to NotPetya, the results were undeniable– NotPetya went on to do more than $10 billion in revenue damages worldwide.^9,10

If NotPetya is an example of what one piece of destructive, nation-state malware can do, what will the eight novel pieces of malware resulting from Iran and Russia do to industry worldwide this time? While NotPetya had unique qualities that allowed it to replicate and infect at a high rate, these new pieces of malware each have unique deployment and infection vectors that security professionals must track and mitigate.

Equally, much like NotPetya, there is no guarantee that these sophisticated, very dangerous pieces of malware will stay contained to the geographical regions of their intended nation-state targets. Rather, it is highly likely that, much like NotPetya, these pieces of malware will be obtained and modified by other nation states, criminal hacking groups, and various malicious actors to create new variants for nefarious, profitable gain. Ransomware is a booming business. As companies improve their security posture and data protection methods, criminal groups continually look for proverbial bigger sticks to carry to coerce companies into paying ransoms.

It is not out of the realm of possibility that bad actors could use variants of these destructive pieces of malware to launch two-phase attacks. The first phase would appear as ransomware, giving the victim time to pay the ransom. Should the victim choose not to pay the ransom, the threat actor could then launch the second phase of the attack, the destructive phase that renders every infected device inoperable.

“But we cut all network connectivity as soon as ransomware is detected! They will not be able to send command functions for the destructive malware to execute,” a potential victim might say. While theoretically that could protect a potential victim, pragmatically it is not out of the realm of possibility that a malicious actor could have tweaked the destructive malware to automatically launch the second-phase destructive attack if the ransom is not paid within a certain time.

This method would bypass the need for network connectivity and make the attack not just a data loss but a loss of physical property, greatly extending a victim’s downtime and delaying a return to normal business operations.

But we can just buy more devices, right? Maybe…

Global microchip manufacturing suffered significantly during the COVID-19 pandemic. Demand for devices using microchips soared during the pandemic while COVID lockdowns, shipping issues, and other incidents disrupted the supply chain around the world. Nearly everything with a power cord uses a microchip, and the world has experienced disruption in just about every industry.

While many companies have supply chain redundancies to ease constraints, even the most prepared companies couldn’t escape inventory and manufacturing delays.¹¹ The shortage worsened immensely with the conflict in Ukraine. Microchips require specific lasers for their manufacturing, and one of the materials critical to operating those lasers is semiconductor-grade neon.

Two Ukrainian companies supplied approximately half of the world’s semiconductor grade neon supplies to the global marketplace. Unfortunately, with Russia’s invasion of Ukraine, those two companies shuttered their doors and 50 percent of the global semiconductor-grade neon disappeared from the manufacturing pipeline. While there are global stockpiles of neon to offset supply chain disruptions, experts predict that if the conflict drags on in Ukraine, it will likely cause further constraints for the broader supply chain and the inability to manufacture the end-products.¹²

With a supply chain in distress due to an ongoing pandemic and an armed conflict, this leads us to the doomsday scenario—what happens if a victim experiences a destructive malware attack and cannot buy or source enough devices to get back online? And if the victim can procure enough devices, how will supply chain shortages further impact inflation? While there is no guarantee this type of attack will happen or that malicious actors will repurpose these pieces of malware in this way, there is a historical precedent in NotPetya that it can occur. However, what differs is that the NotPetya attacks did not occur under global supply chain distress. With eight new pieces of highly sophisticated, destructive malware running around, that is eight new potential NotPetyas to account for by security professionals. So, I will say it again…I am not saying it will happen, but I am saying the conditions appear right. And if it happens to you, how long can your business be offline and survive?

Cyber insurers are watching these trends and share our concerns.

NotPetya served as a wakeup call for cyber insurers with regard to the global financial impact associated with the systemic risk arising from this kind of destructive malware. Relatively low cyber insurance take-up rates at the time meant the impact to the insurance industry was significant, but not devastating. As more organizations have sought to procure cyber insurance, up from 26 percent in 2016 to 47 percent in 2020,¹³ cyber insurers are reviewing their portfolios to determine their exposure to evolving categories of systemic risk and taking steps to ensure solvency if a systemic cyber loss were to occur today.

In addition to destructive malware events like NotPetya, insurers are reviewing increasingly relevant scenarios such as an outage of a major cloud provider or the impact to underlying financial system infrastructure. A 2018 study by Lloyd’s of London modeled the potential insured loss resulting from a five to 11-day outage at one cloud provider totaling $19.49 billion.¹⁴

Increased market concentration, paired with complex and often unrecognized connections across firms (including shared technologies and third-party service providers) can result in single or near-single points of failure in the financial industry, which can translate to increased vulnerability of the financial system to a correlated, systemic cyber event.¹⁵ Comparing these numbers to the total estimated annual cyber insurance premiums of $8 billion to $10 billion, it becomes clear why insurers have solvency concerns when reviewing their portfolio’s exposure to these events.¹⁶

Almost all cyber insurers are now gathering underwriting information from their insureds related to shared service providers, single points of failure, supply chain exposure, and other systemic risk factors. As a result, some carriers are modifying coverages and terms. The global insurer Chubb was the first to introduce the concept of differentiated coverage for widespread cyber events vs. limited impact cyber events, in addition to reviewing coverage offered for known cyber vulnerabilities / exploits, software supply chain exploits, and zero-day exploits.¹⁷

More recently, Beazley, a leading global cyber insurer backed by Lloyd’s of London, has also formalized its approach to addressing systemic cyber risk, which focuses on sub-limiting coverage for losses arising out of an outage at one of four major cloud providers lasting greater than 72 hours.¹⁸ Additional steps taken by many insurers include reducing or excluding coverage for loss arising out of cyber attacks to an insured’s supply chain. We expect more cyber insurers to review the means by which they can manage their portfolio’s exposure to systemic cyber risks in the near future which can further change how cyber insurance coverage is offered for these risks.

There has to be something we can do to stop this?

The good news is that an immense number of talented researchers in the cyber security community have identified and analyzed the malware observed in the Ukraine conflict as well as the new malware used by the Iranian government against Albania. The internet is full of comprehensive lists of recent destructive malware, indicators of compromise, detailed forensic accounts of each piece of malware, and the ways to prevent infection.

One of the most comprehensive lists so far is here.¹⁹ In addition to being aware of the malware, it is prudent to make sure you have a disaster recovery plan and to assess your supply chain redundancies for devices, identifying alternative sources of devices in case of an emergency. Equally, confirming you have an incident response plan in place and running tabletop exercises to prepare for the worst-case scenario are some of the critical steps needed for preparedness. As always, good cyber hygiene includes having sufficient network segmentation, having off-site and offline backups, utilizing endpoint detection and response (EDR) solutions, employing internal monitoring, implementing phishing prevention, and mandating cyber security awareness training for all employees, among other things.

In regard to proactive services, consider conducting a Threat Hunt or Adversary Simulation—both of which can help detect a malicious actor lurking in your system prior to a breach.^20,21 Additionally, implementing procedures to minimize credential theft, prevent account abuse, and to secure internet facing systems and remote access solutions are beneficial, too. Finally, consider how risk transfer, either through traditional cyber insurance or other alternative methods, can serve as a financial backstop for your organization’s balance sheet in the event that cyber risk mitigation fails.

There is no one cookie-cutter cyber security risk mitigation and management solution for all companies. The best solution applies the concepts above to your business while protecting your most important data and devices. To achieve this, we recommend that you assess your security posture baseline and try to mitigate your key risks.

Further Aon's insights and additional reading on the topic

Aon Cyber Solutions is the only firm positioned to take you through the entire cyber security lifecycle - from your cyber maturity assessment through your cyber insurance process. Click here for more information on our Cyber Loop: A Model For Sustained Cyber Resilience.²² For further reading on the conflict in Ukraine, Aon released a comprehensive report in conjunction with Lloyd’s of London entitled “Ukraine: A Conflict that Changed the World”²³. In addition to the above articles, Aon’s 2021 Global Risk Management Survey identified cyber-attacks/data breaches, commodity price risk/scarcity of materials, business interruption, and supply chain/distribution failures in the top ten global risks even ahead of the conflict in Ukraine and events further exacerbating the global supply chain. Be on the lookout for more Aon insights on Aon.com over the coming months. Despite the challenges ahead, we are here for you when you need, every step of the way.