When is a Cyber War a Real War?
The WannaCry and NotPetya malware attacks were nation state-sponsored attacks, with a lot of collateral damage and victims. Are you protected for when it happens again?
- Resilience Cybersecurity & Data Privacy
- M-Trends 2022: Mandiant Special Report
- Verizon Data Breach Investigation Report (2022)
- Cost of a Data Breach Report – IBM (2022)
- State of Ransomware – Survey and Report (2021)
- State-sponsored hackers in China compromise certificate authority – Ars Technica
- North Korean state-sponsored hacker group Lazarus adds new RAT to its malware toolset – CSO Online
- North Korea Knows How Important Its Cyberattacks Are – Foreign Policy
- Merck Wins $1.4bn NotPetya Payout from Insurer – Infosecurity Group
- Merck’s $1.4 Billion Insurance Win Splits Cyber From ‘Act of War’ – Bloomberg Law
- Cyber War and Cyber Operation Exclusion Clauses – Lloyd’s Market Association
Ryan: All right. Hello and welcome to the fearless paranoia podcast where we take complex cybersecurity topics and we demystify and break them down for the average everyday business owner and listener. My name is Ryan. I’m a cybersecurity architect and specialist and I’m here today with Brian.
Brian: Yeah, I go by a cybersecurity attorney. But you know, it’s not too catchy. So we’ll just go right into what we’re discussing today. Because today we’re talking about war. That stuff that sounds fun as an eight to ten year old boy, but becomes an absolute nightmare once you understand what’s really going on. And it’s constantly in the news. But I want to take you back to an event. I was in Munich, my wife and I were spending some time in Munich, she was actually there for a graduate class undergraduate program. And I was getting ready to fly back to the States, getting ready to go to the Munich Airport, which is a gorgeous airport. Munich has an amazing train system. So I’m going to get on the train and I put my credit card in to get a train ticket, about two and a half hours before my flight, and nothing’s happening. I put in another card. Nothing’s happening. All of the electronic payment systems for the Munich train system had been knocked out by the WannaCry ransomware. Now fortunately, I was in Germany, and Germany is a very cash-based society. So I had a bunch of euros on me and I was able to get on the train. Oh, by the way, the difference between Europeans and Americans is summed up nicely by the two gentlemen sitting across from me on the train to the airport: they were taking a train to the airport to fly to South Carolina, where they were going to do work for the company that they work for, BMW, in the United States. Can you imagine any BMW employee taking the train to the airport? I can’t. But WannaCry was ransomware supposedly released by North Korea, and it somehow got loose and infected a ton of systems. Same thing happened several months later with the NotPetya ransomware.
Now, obviously, yeah, we’ve talked about ransomware. We’ve talked about, you know, systems being taken down by gangs, by threats who have a financial motive. State-based hackers are a much, much different animal to deal with in the wild and have much bigger implications, or rather much different implications, when it comes to your business, specifically how you recover from it. We’ve covered the basics of cyber liability in a previous episode, one that, Ryan, I’m sure you’re very happy about having missed due to your civic responsibilities, you know, talking about the basic understanding of what cyber liability covers. Today, we’re going to discuss something very specific, and it’s what’s been referred to as the war exclusion. Now the language varies all over the place, from policy to policy, of what this is, but the basics look a lot like this, quote, loss or damage caused from hostile or warlike action in a time of peace or war. Well, why is this important? It’s because some of the biggest international cyber attacks have been strongly linked, or are believed to be linked, to countries who are attempting to attack the infrastructure of another country. It happens a lot. We crippled Iran’s nuclear program with a virus. China and North Korea are constantly hacking foreign governments and corporations for any number of reasons, oftentimes espionage, on a daily basis. If a tool exists that one country can use to gain an advantage over another country, that tool will be used somehow. That’s just the reality of the world we live in. Our best ideas are always weaponized. So what we want to talk about today is how, as a small business, you need to understand this concept of state-based or nation-based attacks. We’re going to talk primarily about the two attacks, WannaCry and NotPetya. These viruses cost billions of dollars in damages when they hit; they were also linked to North Korea and Russia respectively.
So there’s a lot of reasons why we need to know about these types of attacks. And I want to start Ryan by talking about kind of the technical things. What did these viruses do?
Ryan: Well, to take a look at both of these, there were a lot of similarities between WannaCry and NotPetya, but one of the primary differences between them, I think, was the intent and the final goal behind both of them. Both of them leveraged heavily an exploit chain known as EternalBlue, which was recovered from the NSA through the Shadow Brokers exploit and leak campaign. It was a protocol issue with SMB, which is Server Message Block, on a very high level. In most cases, it’s used for file access back and forth through a file system. In a lot of cases, most people leverage SMB primarily for sharing file shares and things across networks. And that’s where it opens up a lot of interconnectivity between systems, which was heavily leveraged to exploit the worming capability of the tool, which is what made WannaCry and NotPetya both extremely devastating, not just because of what they were capable of doing at their core, which is either encrypting files for ransom in the case of WannaCry or, more brutally, encrypting the files for ultimate wiping and destruction, which was kind of more the case with NotPetya. They both leveraged that same level of exploit to be able to worm fast and effectively from system to system to make sure that not only were they effective at accomplishing their goal, but they would do so on as widespread a scale as possible.
Brian: You’re listening to the Fearless Paranoia podcast, we’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at email@example.com or reach out to us on Facebook or Twitter. For more information about today’s episode, be sure to check out Fearless Paranoia.com, where you’ll find a post for this episode containing links to all the sources, research, and information that we have cited to you. And also check out our older posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.
Brian: I know that recently there’s been some additional, there’s always new ransomware and new whatever tools, but there’s a tool that came out recently and several researchers have been discussing the idea that it’s nation based, primarily because of the complexity of the virus itself. It doesn’t necessarily achieve a more significant or greater end result if it’s successful. But it seems that one of the common links between these nation state attacks is the complexity of the virus. Is that the case? And why is that the case?
Ryan: Yeah, I think the complexity behind some of these, not even necessarily just the complexity behind the malware, but the complexity of the entire attack chains that are being assembled now, kind of shows that there’s a distinct difference in the threat actors that are out there. A lot of us in the IT, cybersecurity, or even some of the broader industries are familiar with the term script kiddies, where you grab any person with some basic level IT knowledge, they’ll get a hold of a tool and start throwing it around to see what happens with it. And there are some tools that can be pretty brutal at that level. However, they’re not usually sophisticated, and most well-defended perimeters, enterprises, etc. are able to quickly shrug off most of those because they’re known threats. And again, there’s no change in the configuration. It’s a very default style attack malware. And the delivery mechanisms, again, started very simply; they’ve slowly gotten more complex in how they propagate, in how they attack. But now there are even bigger attack chains being assembled. And that level of complexity really speaks to having a lot of funding; it speaks to gathering and being able to employ and maintain some pretty intense talent to be able to piece these pieces together. It involves, frankly, for the most part, some theft of knowledge from others, whether that’s leveraging open source tools in ways that they weren’t intended. Or again, like in the case of EternalBlue, North Korea didn’t develop the technology on their own, they somehow found a way to exfiltrate that from the NSA, who had internally either developed the tool or, again, had picked it up or procured it through some other means. That story
Brian: in itself, I think, was always one of my favorite to reference anytime someone suggested, for example, an encryption tool, a backdoor of sorts that only law enforcement has access to, which is an absolute pipe dream. Because once you create a door, you have to expect that anyone can walk through it. The NSA, possibly the world’s most secretive government agency, created the tool that caused such widespread damage. And it caused damage because it got out.
Ryan: That’s exactly right. So they’re in the espionage game the same as those divisions of North Korea’s either military or government. Same with China, Iran, Russia, everybody else. I mean, I would assume most governments that are of decent size and have, you know, a decent capacity in their budget to be able to put together a cyber program have already started to do it at this point. And they all want to, you know, be the fastest, the biggest, the best. They all want to leverage all those capabilities. And so yes, you know, North Korea took advantage of this particular leak, and they were just one of the first ones to add widespread weaponization to this tool in a public manner. I would assume that tool wasn’t developed within days and leaked; it’s probably a safe assumption that the SMB exploit was sitting in the NSA playbook for quite some time before it was leaked, which means that they had probably been using it on a much more quiet scale to accomplish similar goals with different ends, I would assume, right? They want to be able to propagate quickly through networks, but probably with tools that are more geared towards, again, whatever their ultimate goals were. In the case of WannaCry, they wanted to get notoriety. They wanted to cause widespread disruption and they wanted to make some money while doing it, which are all some of the primary goals that we’ve seen out of the cyber forces and the cyber attacks coming out of North Korea; they’re usually doing it either for political means, for notoriety, or for financial gain.
Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family, and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms.
Ryan: That’s where NotPetya kind of took a deviation. Again, it was built off of that same exploit chain, starting with the ability to worm quickly through use of EternalBlue. But they also tied in some other pieces to make it spread even more, in a more available manner, by tying in pieces like Mimikatz, which is a credential harvesting or credential dumping utility. So not only was it able to spread just through the unauthenticated SMB chain, but now they’ve got credentials, which means now they can use authenticated SMB and authenticated means to traverse those networks as well. So now you can even get into systems that maybe would have been locked down by a general authentication layer. So the weapon capabilities got even more impressive in NotPetya. But what was even more worth noting was that there was no plan to be able to reverse it, like in the case with WannaCry, where North Korea did, I think, want to make money off of WannaCry. And so they had the ability to decrypt for a price because it helped them gather money. NotPetya, I believe, was purely propaganda for the sake of disruption and trying to really cripple an enemy, like you said in the, you know, in the war clauses that we’re talking about; they wanted to bring things to a standstill and a halt. And so it was created to be more of a destructive wiper than it was really to be a ransom tool.
Brian: So Merck Pharmaceuticals is a major international company and they were directly impacted by NotPetya. They had damages in the hundreds of millions of dollars of information loss because, as you said, NotPetya, even though it masqueraded as ransomware, was actually a wiper; it made it so that the information that was locked up could never be accessed again, which is essentially just as bad as deleting it entirely. So they suffered hundreds of millions of dollars in indirect damages and then lost hundreds of millions more in fees and lost business, everything like that. They sued their insurance company because their insurance company denied coverage. I’ve written a lot about this particular case. And you can see links to that in the post that accompanies this. But the key elements are the policy had a disclaimer, as I read at the beginning, loss or damage caused from hostile or warlike action in a time of peace or war. Now the insurance company said that internationally, experts agreed that the NotPetya ransomware was an attack initiated by Russia against Ukraine that essentially got loose, and so Merck Pharmaceuticals, you know, in their lawsuit they’ve sued to recover these damages. And the insurance company responded saying this was an act of war, Russia against Ukraine, and that this is collateral damage. Now, you’ll see in some of the other things I’ve written about this case that the judge in New Jersey that decided that the war exclusion did not apply didn’t actually do many people a favor in the way he decided. What he decided is that this term, the warlike action, and this language, the language of the policy, governs how it works, and the language hadn’t been changed, like I said, since World War One.
And the result of that was the judge essentially said that no one at Merck could possibly have understood that, based on that terminology that was not further defined, it applied to a company whose servers are based in England, far from where the geographic bounds of this conflict would have occurred, and who were not a part of the Ukrainian government, were not involved in any way in the hostilities between Russia and Ukraine at the time, that they would somehow be barred from recovering under their policy because of that warlike action. Now, there are a lot of other ways the court could have ruled. The court could have said the distance from the conflict was what did it; the court could have said that, you know, this policy doesn’t apply because cyber attacks between nations don’t involve the traditional concept of boots on the ground, which is usually how courts have interpreted these things. But essentially it said that the terms of the policy didn’t properly advise the insured, Merck, that this kind of thing would be excluded. The big downside of that is that now all of these insurance companies are modifying the language of their policies to extend to all sorts of stuff about this. But the biggest issue here is this was never going to be any question under the war exclusion unless the insurance company could say, aha, we know that this virus was created by one country targeting another country and that it was unleashed for that purpose, that it was a warlike action, that it was, so I think, between two existing governmental bodies of different nations. We’re talking about attribution: being able to say, to at least a reasonable degree of certainty, where an attack came from, who perpetrated it, and what it was for.
Unfortunately, we’ve run out of time on this week’s episode of the podcast. Next week, we will resume right where we left off and Ryan will help us walk through exactly how attribution for these types of attacks is possible and how that impacts you as a small business owner if you happen to be the victim of one of these attacks. Thank you for tuning into the Fearless Paranoia podcast. For Ryan, I am Brian. We hope to see you again next time. Don’t forget to subscribe to our podcast on any of your podcast subscription systems, apps or platforms, and we’ll see you next time.
©2022 Fearless Paranoia