Technically sophisticated attacks always garner headlines, but the impact of operations that use more basic methods can’t be discounted. Sometimes the less technically advanced attacks cause more harm than the ones with significant resources behind them.
Take the destructive attack against a petrochemical company’s plant in Saudi Arabia that was detailed Thursday in The New York Times. Destructive attacks, which Cybereason’s intelligence team named as one of five security trends to watch for in 2018, aim to cause substantial physical damage instead of erasing hard drives and stealing data.
The goal of this attack, which occurred in August against a company that hasn’t been identified, was to cause the ultimate physical damage and “sabotage the firm’s operations and trigger an explosion,” according to the article.
Given the level of sophistication behind the attack and the financial resources it demanded, analysts interviewed for the article claimed a nation-state was behind it. The attackers would have had to know how to infiltrate the industrial control system used by the plant and understand the plant’s design. Knowing what valves to turn to trigger an explosion likely required purchasing the safety system used by the plant, the components of which could be purchased on eBay for $40,000, according to the article. Additionally, customized tools, which are costly to build, were used in the operation.
Despite the extensive resources invested in the attack and the sophistication it required, the campaign failed. An error in the attackers’ code prevented any destruction from occurring and shut down the plant’s production systems instead.
Compare that outcome to the fallout from last June’s NotPetya attack, which crippled major businesses like food and beverage company Mondelez International, shipping giant FedEx and Maersk, one of the world’s largest container shipping operators. While initial reports classified NotPetya as ransomware, it was later determined that the program’s behavior more closely matched a master boot record (MBR) wiper, which is a very basic technique. The attackers didn’t need to spend thousands of dollars on industrial control system parts from eBay, and they didn’t require a deep understanding of the victims’ IT environments. They just used a simple technique that would inflict the most damage.
But this very basic attack had a devastating effect that went beyond re-imaging machines and restoring data from backups: companies lost an estimated $1.2 billion in combined quarterly and yearly revenue as a result of NotPetya. Ultimately, NotPetya caused serious damage, knocking organizations offline for weeks as they tried to recover from the attack.
Ultimately, cheap, dirty and effective is all any actor needs to play in this arena, a realization that many are having. With destructive attacks, causing major physical damage doesn’t necessarily require advanced tools. For the private sector, this means the focus should be on mitigating the increased risk of being hit by unsophisticated yet effective destructive attacks.