The threat landscape has changed dramatically in the past few years. While IT pros certainly still have to worry about hardware failures, natural disasters, and attackers looking to steal data or encrypt it for ransom, there’s a highly alarming recent development: More and more attacks are designed to totally annihilate a company’s IT infrastructure. Are you prepared?
Many companies aren’t — even ones that probably should have been. Consider email provider VFEmail. One of its key selling points was its ability to detect spam and malware, and it had suffered multiple debilitating DDoS attacks over the years. Yet in February of 2019, hackers managed to format all the disks on every file and backup server in its U.S. infrastructure, destroying all the email data for its U.S. customers. The attackers also went after the company’s IT resources in the Netherlands but were caught in the act, which enabled the company to salvage some of its backup data. The company expected to fold, but it is still clinging to life. After the cyberattack, its CEO and founder Rick Romero tweeted, "I never thought anyone would care about my labor of love so much that they'd want to completely and thoroughly destroy it."
Don’t make the same mistake — “this won’t happen to me” is simply not a viable mindset. The fact is, destructive attacks have a wide range of motives. You’re probably aware that hacking by nation states is increasing. For example, experts believe that the Stuxnet worm was developed jointly by the U.S. and Israel to disrupt Iran’s nuclear program by causing centrifuges to spin so quickly that they tear themselves apart. In 2010, more than fifteen Iranian facilities were infected and almost one fifth of the country’s nuclear centrifuges were ruined. Similarly, the 2012 Shamoon attack was likely designed to target the Saudi government by crippling its national oil company; it succeeded in wiping the hard drives of three quarters of the 40,000 workstations there. A consultant for the recovery operation reported that Saudi Aramco had to rebuild its security operations center from scratch and that it was five months before its systems were finally back online. He noted that the attack would have easily bankrupted a smaller organization.
“Ah,” you say, “but my company doesn’t have any political enemies!” Well, even if that’s true, you still can’t rest easy. There are hacktivists who engineer denial of service (DoS) attacks against organizations that oppose their ideologies — or that simply take actions the hacktivists don’t like. For example, in 2010, the hacktivist group Anonymous brought down PayPal.com and disrupted the sites of Visa and MasterCard in retaliation for their cutting off service to Wikileaks. Those companies weren’t even actively trying to hurt Wikileaks; they were just obeying a mandate from the U.S. government. Then there are the insider threats, such as disgruntled users. When IT admin Duronio quit his job at UBS Paine Webber, he allegedly left behind a logic bomb that later brought down some 2,000 servers and deleted all the files on them. The damage was so severe that employees had to resort to pen and paper to conduct trades and other business, and the company spent at least $3 million to get its systems restored. Duronio’s motivation? He was apparently disappointed with his bonus, which was $18K short of the $50K he was expecting, and planned to make up for it through orders he placed shorting UBS/PW stock.
Still not convinced that anyone, external or internal, would deliberately try to destroy your company? Well, the sad truth is, you don’t have to be the target of a cyberattack to suffer devastating consequences — you might just be collateral damage. Ever hear of NotPetya? The architects of that attack were clearly targeting Ukraine; an estimated 80% of all infections were in that country. But companies around the world suffered staggering damage. One hard-hit victim was shipping giant Maersk: Its shipping terminals across the globe were at a standstill for days, with tens of thousands of trucks turned away and containers of perishable goods going without refrigeration. The cleanup involved rebuilding 4,000 servers and 45,000 workstations and cost the company at least $250 million.
“Okay, okay,” you might be thinking, “a destructive attack could happen to us. But aren’t our current strategies good enough?” Probably not. Today’s destructive attacks are not just extremely damaging and expensive; they’re also blindingly fast. The attack on VFEmail erased virtually all of the company’s infrastructure in just a few hours. It took just 45 seconds for NotPetya to bring down the network of a large bank, and a portion of one major transit hub was fully infected in 16 seconds. Destructive attacks are also increasingly sophisticated; for instance, a new variant of Shamoon is even more destructive than the previous ones because it deletes all files from infected computers before wiping the master boot record, making recovery of the files not just difficult but impossible.
So what can you do to avoid being the next victim of a destructive attack? The short answer is that you need to layer together best-practice techniques and automate as much as possible using best-in-class solutions. For a fuller answer, check out the tech brief “Preparing for Attacks that Seek Total Annihilation.” It explores the attacks I’ve mentioned here in more detail, including exactly how they unfold. Then it reveals the top strategies you need to fortify your defenses, spot malicious activity in time to prevent serious damage, and build a comprehensive disaster recovery strategy so you can get your company back up and running if the worst should come to pass.