Potential new state-sponsored attack

15 April 2019

In early March, a multinational software company warned that hackers, possibly associated with a nation-state, had accessed its internal network. The hack is concerning on a number of fronts, as the company provides virtual private network (VPN) access and credentials to hundreds of thousands of organisations globally.

Details of the cyber attack are limited as of this writing; the company has publicly acknowledged that hackers may have accessed and downloaded internal business documents.

The company says there is no indication that the security of its products or services was compromised, and it is working with the FBI, which warned the company of the attack.

It is possible the hackers used a tactic known as “password spraying”, a technique that exploits weak passwords.

After gaining a foothold, with limited access, hackers can work to circumvent additional security layers.

Potential new state sponsored attack State-sponsored attack?

The company has said it suspects that “international cyber criminals” gained access to its network. Cyber attacks increasingly lead to questions regarding the potential involvement of state-sponsored actors, whose deep pockets and political motivations can trigger significant economic consequences.

In fact, concerns regarding state-sponsored attacks helped push cyber risk into the top five concerns of global executives in the World Economic Forum’s 2018 Executive Opinion Survey.

Such attacks underscore a growing need for organisations to deal with more complex attacker motives, vectors, and outcomes than simply commercially focused criminal activity.

Event response

The company involved in the March event said it continues to investigate the incident, and has taken a number of steps in response.

Typically, best practices following a cyber attack include:

  • Security measures to ensure the hackers no longer have access.
  • Investigations with outside resources to assess whether products or series were compromised.
  • Disclosure to appropriate authorities under a variety of regulatory requirements.
  • Updates to customers and key stakeholders.
  • Cooperation with authorities such as the FBI.

Wake up call

The breach of a key internet infrastructure or service provider has long been a concern for insurers mindful of systemic risks or aggregations of exposure. Cyber attacks, like the 2017 WannaCry and NotPetya malware attacks show the potential scale and scope of risk from a single cyber event. Lloyd’s recently estimated that a global ransomware attack could cost USD 193 billion and affect 30 million devices and over 600,000 businesses worldwide.

The reliance on a relatively small number of cloud service and software providers is also a source of systemic risk for insurers. According to a 2017 report from the Cambridge Centre for Risk Studies, risk is increasingly concentrated for a small number of cloud service providers. For example, in 2017 a four-hour disruption at a cloud service provider cost S&P 500 companies USD 150 million, according to analysis by Cyence.

Attacks against service providers, which are widely used by organisations and large corporations, could generate a large number of claims for insurers. The distributed denial of service (DDoS) attack against an internet infrastructure provider in 2016, for example, affected hundreds of companies.

For more articles like this, download our Cyber Decoder
Cyber Learn more about cyber insurance solutions and risk management >>

Sarah StephensTALK TO AN EXPERT

If you would like to talk about any of the issues raised in this article, please contact Sarah Stephens, Head of Cyber on
+44 (0)20 3394 0486.

As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

View our latest cyber videos here