The recent Shamoon attack on the Italian firm Saipem is a cautionary tale about the danger posed by metastasizing third party risks as the Internet becomes the stage for geopolitical power struggles.
By Paul F. Roberts
The Italian firm Saipem, which services the oil industry, was on the receiving end of a malware outbreak over the weekend of December 8, 2018, according to a company statement (PDF). The attack affected between 300 and 400 servers and up to 100 personal computers on the company’s corporate network, according to a report by Reuters.
While that alone might not be unusual, the malware used in the attack was. Analysis of the malicious file determined that it was a variant of Shamoon, a destructive “wiper” program that overwrites disks rather than encrypting them for ransom, and that has been linked to earlier attacks on oil and gas firms in the Middle East, including Saudi Aramco of Saudi Arabia and RasGas, headquartered in Qatar. In the original Shamoon outbreak in 2012, the malware infected and wiped some 30,000 systems on the Saudi Aramco network, forcing a months-long recovery at the firm. Shamoon resurfaced in late 2016 in another round of attacks against organizations in the Gulf, just ahead of an OPEC meeting at which oil production cuts were to be agreed.
A friend of my enemy is…
Those earlier attacks and the Shamoon malware have been labeled “advanced persistent threat” (or APT) activity and linked to hacking groups with ties to the Iranian government, a regional rival of Saudi Arabia. So why attack an Italian firm best known for deep sea oil drilling? There’s a three-word answer: Third. Party. Risk. It turns out that one of Saipem’s biggest customers is – you guessed it – Saudi Aramco, a high profile target of the Shamoon group. In all likelihood, Saipem was not the ultimate target so much as a vital link in Saudi Aramco’s supply chain that also happened to be vulnerable.
Welcome to the 21st Century’s equivalent of the “Great Game” – that (in)famous contest for geopolitical advantage between the British and Russian empires in the 19th century. Only these days, the theater of conflict and confrontation is not in the foothills of Afghanistan or Uzbekistan, but online: as the world’s great and emerging powers carry out operations with determination and – mostly – impunity all over the globe.
The Shamoon attack on Saipem shows how the growing clout and ambition of nation state actors online makes it more important than ever (and harder than ever) for organizations to understand the web of first-, second-, and third-party cyber risks they face.
Consider, for a moment, the long list of Fortune 500 firms hit by the NotPetya wiper, which appeared in June 2017. Merck, FedEx (through its TNT Express subsidiary), the global shipping firm A.P. Moller-Maersk, and confectioner Mondelez were crippled by the malware, which encrypted the file system metadata of the systems it infected with no way to recover the data, rendering them unusable. Affected firms reported losses in the tens and hundreds of millions of dollars. FedEx alone put its NotPetya losses at around $400 million.
What was their exposure? In many cases it was M.E.Doc, a Ukrainian tax and accounting package that is ubiquitous in that country: a compromised update to M.E.Doc was the initial point of entry for NotPetya. Once inside a network, the malware spread laterally using EternalBlue, an exploit developed by the NSA and later leaked, against Windows hosts that had not applied the MS17-010 patch released months earlier, and by abusing stolen administrator credentials. None of these firms were the intended targets of the group behind the malware; they were collateral damage in a long-running physical and cyber conflict between Russia and Ukraine.
Refiguring third party risk
But if the risk posed by third parties is growing more complex, is there anything companies can do to manage it? The short answer is, “Yes.”
Know your stuff
To start with, organizations of all sizes need a better grasp of the hardware, software, and services in use in their environment. Knowing what software and services are operating within your environment is the first and most important step to limiting your exposure to third party risk: you cannot patch, monitor, or revoke access for a system you do not know you have.
As the NotPetya incident indicates, even innocuous applications can become avenues for devastating attack. That’s especially true of the cloud-based platforms that have blossomed in recent years, forming a kind of “shadow IT” deployment within your organization. Tools such as Slack, Salesforce.com, and Dropbox are powerful collaboration and sharing tools, but they can also be weaponized by an enterprising external actor or a malicious insider. So know that they’re there, make sure they’re deployed securely, and have a plan to manage any risks they present.
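One practical way to find out which cloud services are actually in use is to look at what your own resolvers are answering. The script below is an added example written for this article, not code from Saipem, Reuters, or any vendor named here: it reads DNS query logs (a constructed sample in a dnsmasq-like format), maps queried names to known SaaS services by domain suffix, and lists the internal clients using each service, flagging those not on an assumed “sanctioned” list. The suffix table and the sanctioned set are illustrative assumptions; a real deployment would carry hundreds of entries.

```python
"""Added example: build a SaaS inventory from DNS query logs to surface shadow IT."""
import re
from collections import defaultdict

# Constructed sample lines (made up for this example, not taken from any real log),
# in a dnsmasq-like format: "<timestamp> dnsmasq[pid]: query[TYPE] <name> from <client>".
SAMPLE_DNS_LOG = """\
Dec 10 09:01:12 dnsmasq[1]: query[A] acme-corp.slack.com from 10.20.1.15
Dec 10 09:01:13 dnsmasq[1]: query[A] files.slack.com from 10.20.1.15
Dec 10 09:02:40 dnsmasq[1]: query[A] www.dropbox.com from 10.20.1.22
Dec 10 09:03:01 dnsmasq[1]: query[A] dl-web.dropbox.com from 10.20.1.22
Dec 10 09:05:55 dnsmasq[1]: query[A] login.salesforce.com from 10.20.2.7
Dec 10 09:06:10 dnsmasq[1]: query[A] intranet.example.internal from 10.20.2.7
Dec 10 09:07:30 dnsmasq[1]: query[A] api.unknownsaas.example from 10.20.3.9
"""

# Domain suffix -> service name (assumed table). Suffix matching catches tenant
# subdomains such as acme-corp.slack.com without enumerating them in advance.
SAAS_SUFFIXES = {
    "slack.com": "Slack",
    "dropbox.com": "Dropbox",
    "salesforce.com": "Salesforce",
}

# Services the organization has formally approved (assumption for the example).
SANCTIONED = {"Salesforce"}

LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def classify(name):
    """Return the SaaS service a queried name belongs to, or None if unknown.

    Requires an exact match or a dot boundary, so "notslack.com" is not Slack.
    """
    name = name.lower().rstrip(".")
    for suffix, service in SAAS_SUFFIXES.items():
        if name == suffix or name.endswith("." + suffix):
            return service
    return None


def inventory(log_text):
    """Map each detected SaaS service to the sorted list of clients that queried it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line; ignore replies, config lines, etc.
        service = classify(m.group("name"))
        if service:
            seen[service].add(m.group("client"))
    return {svc: sorted(clients) for svc, clients in seen.items()}


def shadow_it(inv, sanctioned=SANCTIONED):
    """Services observed in DNS that are not on the sanctioned list."""
    return sorted(svc for svc in inv if svc not in sanctioned)


if __name__ == "__main__":
    inv = inventory(SAMPLE_DNS_LOG)
    for svc, clients in sorted(inv.items()):
        flag = "" if svc in SANCTIONED else "  <-- unsanctioned"
        print(f"{svc}: {len(clients)} client(s) {clients}{flag}")
```

The output is an inventory you can act on: each unsanctioned service becomes either a vendor to assess and bring under management or a flow to block. Names that match no suffix (such as api.unknownsaas.example above) are the ones worth a second look, since they are the services nobody has catalogued yet.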
Know your data
Knowing what sensitive data your company holds is just as important as knowing the IT assets in your environment. Stolen personally identifying information has monetary value on the cyber underground. Even absent financial data like credit card numbers, proprietary customer data can be used in identity theft schemes or as part of a larger nation state operation. (For example: Marriott’s stolen guest data is believed to have been taken by Chinese government hackers and could be used to map the movements of persons of interest.) Your sensitive intellectual property could be stolen and used to give competitors a leg up on you in the marketplace. Do a data audit of both on-premises and (increasingly) cloud environments to make sure you’ve accounted for any sensitive and (especially) regulated data, then make sure you have adequate safeguards protecting that data, including encryption for data at rest and in transit, strict user access controls, adequate logging, and so on.
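A data audit usually starts with a scanner that looks for sensitive patterns in files, databases, and message exports. The block below is an added example for this article, not code from any organization named in it: it scans constructed sample records for payment card numbers, e-mail addresses, and passport numbers, applies the Luhn check so that a random 16-digit order number is not reported as a card, and masks every finding so the audit report itself does not become a new copy of the sensitive data. The record formats and the regular expressions are assumptions; the card numbers are published test numbers, not real accounts.

```python
"""Added example: find and mask sensitive data in records during a data audit."""
import re

# Constructed sample records (not from the article). The card numbers are
# well-known test numbers and the passport number is made up.
SAMPLE_RECORDS = [
    "Guest: J. Doe, passport X12345678, card 4111 1111 1111 1111, exp 09/26",
    "Order #4111111111111112 shipped to dock 7",            # 16 digits but fails Luhn
    "Contact: jane.doe@example.com, card on file 5500-0000-0000-0004",
    "Maintenance ticket 2018-12-10, pump 3 pressure nominal",
]

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Assumed passport format: the word "passport" followed by 6 to 9 alphanumerics.
PASSPORT_RE = re.compile(r"\bpassport\s+([A-Z0-9]{6,9})\b", re.I)


def luhn_ok(digits):
    """Luhn checksum: weeds out digit runs that cannot be payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value, keep):
    """Keep only the last `keep` characters so findings are safe to log."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan(text):
    """Return a list of (type, masked_value) findings for one record."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", mask(digits, keep=4)))
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group(0).partition("@")
        findings.append(("email", local[0] + "***@" + domain))
    for m in PASSPORT_RE.finditer(text):
        findings.append(("passport", mask(m.group(1), keep=2)))
    return findings


def audit(records):
    """Map record index -> findings, for records that contain anything sensitive."""
    results = {}
    for i, record in enumerate(records):
        found = scan(record)
        if found:
            results[i] = found
    return results


if __name__ == "__main__":
    for idx, found in audit(SAMPLE_RECORDS).items():
        print(f"record {idx}: {found}")
```

Once records are tagged this way you know where regulated data actually lives, which is what lets you apply the controls the paragraph lists (encryption, access restrictions, logging) to the right stores rather than guessing. Pattern matching alone will still miss free-text secrets and produce some false positives, so treat the scanner as the first pass of the audit, not its conclusion.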
Put a human in the loop
Speaking of “managing the risks” of third party software and services: one recurring theme in recent vendor compromise stories is that downstream customers had enabled automatic update or configuration features. In the case of NotPetya, the attackers compromised the update infrastructure of M.E.Doc’s vendor and pushed the malware out through the product’s own update channel, so it arrived looking like any other release. Installations configured to download and install updates automatically were infected; those that weren’t, weren’t. The lesson is not to stop patching (the same incident punished firms that had left MS17-010 unapplied for months) but to put a human in the loop: stage vendor updates in a test ring first, check the published hash or signature before rollout, and keep a record of who approved what, so that a poisoned update cannot reach production unnoticed.
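What “a human in the loop” can look like in practice is a gate between the vendor’s update feed and production. The script below is an added example written for this article; it is not the M.E.Doc updater, nor any real vendor’s mechanism, and the manifest, artifacts, approvers and soak period are all constructed. It checks an update’s SHA-256 against a manifest fetched out of band (so a compromised update server cannot also supply the matching hash), requires an approval record that is bound to that exact hash rather than to a version string, and holds routine updates in a test ring for a soak period while still allowing an explicitly flagged emergency approval, so the gate does not become an excuse to leave critical patches unapplied.

```python
"""Added example: a gate that keeps a human in the loop for vendor updates."""
import hashlib
from datetime import datetime, timedelta, timezone

# How long an update must run in the test ring before production rollout
# (assumed policy value for the example).
SOAK_PERIOD = timedelta(days=3)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a fake update artifact, a tampered copy of it, and the
# vendor's manifest as fetched out of band (not through the updater itself).
GOOD_UPDATE = b"example-vendor-update-2.4.1"
TAMPERED_UPDATE = b"example-vendor-update-2.4.1-with-extra-payload"
VENDOR_MANIFEST = {
    "2.4.1": {
        "sha256": sha256_hex(GOOD_UPDATE),
        "published": datetime(2018, 12, 5, tzinfo=timezone.utc),
    }
}

# Approval records are bound to the artifact hash, not the version string, so
# approving "2.4.1" and then receiving a different "2.4.1" binary fails the gate.
ROUTINE_APPROVAL = {"approver": "j.smith", "sha256": sha256_hex(GOOD_UPDATE), "emergency": False}
EMERGENCY_APPROVAL = {"approver": "on-call", "sha256": sha256_hex(GOOD_UPDATE), "emergency": True}

# Sample clocks: one day and four days after the vendor published the release.
DAY_AFTER = datetime(2018, 12, 6, tzinfo=timezone.utc)
FOUR_DAYS_AFTER = datetime(2018, 12, 9, tzinfo=timezone.utc)


def evaluate(artifact, version, manifest, approvals, now, soak=SOAK_PERIOD):
    """Decide whether an update may go to production.

    Returns (decision, reason) with decision one of "REJECT", "HOLD", "INSTALL".
    """
    entry = manifest.get(version)
    if entry is None:
        return ("REJECT", "version not in vendor manifest")
    digest = sha256_hex(artifact)
    if digest != entry["sha256"]:
        return ("REJECT", "artifact hash does not match vendor manifest")
    approval = next((a for a in approvals if a["sha256"] == digest), None)
    if approval is None:
        return ("HOLD", "no human approval recorded for this artifact")
    if now - entry["published"] < soak and not approval["emergency"]:
        return ("HOLD", "within soak period; still running in the test ring")
    return ("INSTALL", "approved by " + approval["approver"])


def demo():
    """Run the cases a practitioner would want to see the gate handle."""
    return {
        "tampered": evaluate(TAMPERED_UPDATE, "2.4.1", VENDOR_MANIFEST, [ROUTINE_APPROVAL], DAY_AFTER),
        "unknown_version": evaluate(GOOD_UPDATE, "9.9.9", VENDOR_MANIFEST, [ROUTINE_APPROVAL], DAY_AFTER),
        "unapproved": evaluate(GOOD_UPDATE, "2.4.1", VENDOR_MANIFEST, [], DAY_AFTER),
        "approved_too_early": evaluate(GOOD_UPDATE, "2.4.1", VENDOR_MANIFEST, [ROUTINE_APPROVAL], DAY_AFTER),
        "approved_after_soak": evaluate(GOOD_UPDATE, "2.4.1", VENDOR_MANIFEST, [ROUTINE_APPROVAL], FOUR_DAYS_AFTER),
        "emergency": evaluate(GOOD_UPDATE, "2.4.1", VENDOR_MANIFEST, [EMERGENCY_APPROVAL], DAY_AFTER),
    }


if __name__ == "__main__":
    for case, (decision, reason) in demo().items():
        print(f"{case:20} {decision:8} {reason}")
```

The important design choice is that the hash comes from a channel the update server does not control and that the approval names a person and a hash. A poisoned release delivered through the normal channel, as in the NotPetya case described above, fails at the first check if the vendor’s out-of-band manifest is intact, and fails at the second if nobody has looked at it; the emergency flag is what lets a real zero-day fix through without waiting out the soak period.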
Accept what you don’t know
Ultimately, you won’t always have direct visibility into all your nth-party risks: your suppliers’ suppliers, and theirs. That’s why it is important to seek the counsel of those who can provide insight into your most pressing risks and alert you to threats you cannot see yourself. Third party risk scorecards can help you grasp a vendor’s security posture at a single moment in time, but they don’t address the bigger issue: alerting you to dynamic and evolving risks and threats. Only a continuous monitoring solution can do that.
If the events of the last two years have taught us anything, it’s that third party risk is real and growing, and no organization is perfect at combating it. However, the process becomes more manageable by partnering with organizations that have the tools and services to address third party risk comprehensively: by continuously monitoring third party hardware, software, and service providers for malicious activity and other indicators of compromise (IOCs).
Third party threat monitoring isn’t a panacea. It won’t solve your digital risk problem alone. But it is something that every company has to make a priority – or be prepared to pay the price!