Attackers have launched a destructive attack against the business systems of U.S. companies, according to an FBI warning issued this week.
The confident, five-page FBI “flash” warning obtained by Reuters contains technical details about the malware, which overrides all data on hard drives and then wipes the master boot record, preventing systems from starting. The memo comes in the wake of a purported attack against Sony Pictures Entertainment. Sony reportedly hired FireEye’s Mandiant arm to assist with gaining control of its corporate email and other endpoint systems that have been crippled by an attack for days. The firm has remained quiet about the details of the infection.
Solution providers told CRN that the destructive malware could pose a tremendous risk to financial services firms, but said most organizations manage multiple backups as part of system redundancy and business continuity plans. System backups are absolutely critical, said Kevin Wheeler, founder and managing director at Dallas-based information security services company InfoDefense. Antimalware needs to be in place and organizations need to be proactive about finding issues that could signal an attack, Wheeler said.
“There are a lot of technologies that should be in place, but it is absolutely essential that organizations have a good incident response plan,” Wheeler said. “Being able to respond to incidents in a methodical and consistent manner is important to minimize the damage.”
It’s not the first time that destructive malware has come to the forefront. In 2012, Aramco, Saudi Arabia's national oil company, had 30,000 systems infected by Shamoon in an attempt to disrupt oil production. Shamoon targeted Windows NT systems and spread through network shares. It took Aramco a week to recover from the attack, which involved deploying new workstations. The Stuxnet worm, a nation-state attack aimed at disrupting Iran's nuclear centrifuge program, targeted the programmable logic controllers being supported by Siemens industrial control systems. That attack ended up having collateral damage, infecting industrial control systems at organizations globally.
In addition to cyberattacks delivered by nation-states as part of cyberwarfare or cyberterrorism, destructive attacks can be waged by hacktivists, hell-bent on disrupting or bringing their target down as part of supporting a political movement or belief. Organizations that run local water treatment facilities, small municipalities, manufacturers and other business owners need to pay attention to these dangerous attacks, said Wheeler, who recently gave a presentation about security threats to officials who operate industrial control systems.
“An attacker can hit a pipeline and disrupt oil flow to have a national impact, or disrupt police department systems to cause local damage,” Wheeler said, adding that the FBI warning about destructive malware appears to pose a significant threat to national security. "When you are trying to destroy information and bring down systems, it becomes a national security issue."
Financially motivated cybercrime also can have a destructive and costly impact. Solution providers said they also have been helping clients recover from ransomware attacks that have caused costly disruption to businesses. Threats such as CryptoLocker and CryptoWall encrypt system files and attempt to extort a payment to unlock them from victims. CryptoLocker infected hundreds of thousands of computers and is said to have generated losses exceeding $100 million. Attackers also have pushed the envelope, adding password stealers to ransomware variants.
"Some organizations that continued to do work after they were infected lost all that data," said Jim Flynn, vice president of operations and chief security officer at data backup vendor Carbonite, which established a ransomware task force to deal with the threat. "Most organizations recovered but still lost about two weeks of backups."
PUBLISHED DEC. 2, 2014