
Merck’s NotPetya attack: Was it an act of war? - robdimarco
https://www.inquirer.com/wires/bloomberg/merck-cyberattack-20191203.html
======
drhagen
I worked at Merck for three years as a scientist and only left a week before
this went down. My former colleagues said they stood around and did absolutely
nothing for days and then struggled to get the tiniest amount of work done for
weeks.

The article chooses not to get into stunning mistakes by Merck's IT that
allowed this to happen in the first place. The patches for the EternalBlue
exploit were released by Microsoft on March 14, but Merck's IT chose to sit on
it for over three months. (Like many large companies, they disable Windows
update, choosing to release patches on their own schedule.) Even after the
WannaCry attack crippled computers around the world on May 12, they still had
a month before NotPetya brought them to their knees on June 27.

~~~
CoolGuySteve
While patches would have helped in this specific case, that's only because
Merck was collateral damage.

In a targeted attack, it's likely the foreign agency would be using a 0-day
attack.

The only way to protect against that is by reducing the OS monoculture,
offline backups, and using network air gaps on critical data.

But those practices are extremely rare in my experience.

If I were on unfriendly terms with the US, I'd use this as a case study on how
to cripple the economy by taking advantage of the large monocultures created
by lax IT in a hundred or so of the largest firms.

~~~
redprince
> In a targeted attack, it's likely the foreign agency would be using a 0-day
> attack.

A targeted attack is also expensive and the victim would need to have
something worth this kind of money and attention. "Nation state actor" just
isn't a reasonable risk assumption for a great many organizations.

> The only way to protect against that is by reducing the OS monoculture,
> offline backups, and using network air gaps on critical data.

When the "nation state actor" comes looking for you with some motivation, all
that and the air gap won't mean much. See Stuxnet.

Like J. Mickens said: "Basically, you're either dealing with Mossad or
not-Mossad. If your adversary is not-Mossad, then you'll probably be fine if
you pick a good password and don't respond to emails from
ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU'RE
GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT."

[https://www.usenix.org/system/files/1401_08-12_mickens.pdf](https://www.usenix.org/system/files/1401_08-12_mickens.pdf)

~~~
MrMorden
Nation-state actors can be deterred by nation states. If Vova believes that
CNAing someone in the US will cause the US to bankrupt him and/or the people
whose support he requires to stay in power, he'll make damn sure this doesn't
happen. As long as the US does not demonstrate this capability and willingness
to use it, he'll continue to misbehave.

------
nabla9
It's up to the attacked (the US) to decide when the line is crossed and how
to respond. Russian strategy is to confuse as much as possible. They do cyber
attacks, assassinations and political operations in the western countries.

Obama used covert action against Russia in response to election meddling.
"Obama used covert retaliation in response to Russian election meddling."
[https://www.washingtonpost.com/news/monkey-cage/wp/2017/06/29/obama-used-covert-retaliation-in-response-to-russian-election-meddling-heres-why/](https://www.washingtonpost.com/news/monkey-cage/wp/2017/06/29/obama-used-covert-retaliation-in-response-to-russian-election-meddling-heres-why/)
Trump is not responding.

Is hybrid warfare warfare until it includes conventional warfare in the mix?

[https://en.wikipedia.org/wiki/Hybrid_warfare](https://en.wikipedia.org/wiki/Hybrid_warfare)

> Hybrid warfare is a military strategy which employs political warfare and
> blends conventional warfare, irregular warfare and cyberwarfare[1] with
> other influencing methods, such as fake news,[2] diplomacy, lawfare and
> foreign electoral intervention.

> The U.S. Army Chief of Staff defined a hybrid threat in 2008 as an adversary
> that incorporates "diverse and dynamic combinations of conventional,
> irregular, terrorist and criminal capabilities".[9] The United States Joint
> Forces Command defines a hybrid threat as, “any adversary that
> simultaneously and adaptively employs a tailored mix of conventional,
> irregular, terrorism and criminal means or activities in the operational
> battle space. Rather than a single entity, a hybrid threat or challenger may
> be a combination of state and nonstate actors".[9] The U.S. Army defined a
> hybrid threat in 2011 as "the diverse and dynamic combination of regular
> forces, irregular forces, criminal elements, or a combination of these
> forces and elements all unified to achieve mutually benefiting effects".[9]
> NATO uses the term to describe "adversaries with the ability to
> simultaneously employ conventional and non-conventional means adaptively in
> pursuit of their objectives"

------
LatteLazy
I really enjoyed this despite insurance usually being billed as dull. A few
points I don't see anyone else making:

* Act of war is poorly defined (and gets more poorly defined by the year). Since insurers use this term and (I assume) wrote the contracts, any reasonable question over its definition should be interpreted in the insured's favour. That's how most contract law works, since otherwise the contract writer has a perverse incentive to make their contract language unclear and then argue definitions and technicalities. That's not just dishonest, it creates unnecessary uncertainty and excess court cases, and those cost everyone.

* I was sort of amazed by the mention of the president's pronouncements as if they mattered. Do they matter legally? They shouldn't: presidents are in no way a reliable source of information on geopolitical matters. Quite the opposite, they have the most motive to lie, and it's literally often illegal to expose that (if an NSA employee leaked classified proof it was NOT the Russians, they'd be imprisoned under the Espionage Act). Leaving aside the current president's reliability, Obama pronounced on the Sony hack, blaming North Korea. Almost 5 years later, no evidence has been produced and plenty of people doubt that. It's also worth noting that no president should be empowered to effectively decide billion (trillion?) dollar lawsuits without oversight or scrutiny; they're not kings, after all.

* Finally, I thought how adult and reasonable Lloyd's' response was, both in settling the claim (assuming they did so for a reasonable fraction of what was owed) and in requiring explicit cyber policies going forwards. That's the act of a group that is reasonable and wishes to take a long-term, useful role in the economy. Any bozo can sell "insurance" policies and then quibble over every claim; the result is people stop buying. But honouring your commitments and correcting yourself going forwards is exactly what we need in insurers. I wonder what can be done to get US corporate structures to follow a similar model?

------
gamedori5
So what does this mean for company cybersecurity? Will companies be motivated
to secure their networks by higher insurance rates? Will insurers hire infosec
auditors? Will insurers stop offering coverage, and leave companies to
consider hacks as Black Swan events?

~~~
RandomTisk
They would be very wise to hire their own auditors, not necessarily to go into
their clients' businesses but to review the assessments most of them are
already getting periodically, to make sure that the evidence presented actually
made sense and earned them a pass. It's been my experience that IT auditors
are often book smart, but IT-experience poor. Some are simply not savvy or
experienced enough to interpret their own framework the same way a week or a
month later.

------
Teknoman117
> One researcher told a colleague she’d lost 15 years of work.

You're telling me that you had never backed up anything in the span of 15
years?

~~~
pjc50
This happens far more often than it should. Non-experts simply don't realise
the importance of backups.

------
hdhgzwhegh
If the attacker doesn't declare war and the defender doesn't respond by going
to war then the blunt answer seems like it'd have to be a no.

~~~
Iv
The claim in the article is that the target was Ukraine, the attacker Russia,
and Merck a collateral casualty at an attempt to disguise a state-sponsored
cyber-attack as a criminal extortion attempt.

One would need to dig deeper to get a really informed opinion. I do believe
Russia to be able and willing to do that; I do believe the so-called "Western
intelligence agencies" to blame any malware on Russia or China on the
flimsiest evidence.

There is also the possibility that the same tools were used both by the GRU
and Russian criminals, leading to a misleading identification. Black hats
would totally take someone else's malware and modify it for their purpose
while still hiding their tracks.

Zero days are expensive to get but once they are exploits in the wild, they
are anyone's to use.

~~~
dvfjsdhgfv
If you analyze the NotPetya attack, it differs from other ransomware attempts
in two respects. First, it was specifically targeting Ukraine. Second, the
attackers didn't actually take any money but rendered all systems defunct. If
you are a criminal, you aim to make money, right? Why give up on that
possibility? It makes no sense.

So, even though in the infosec world you can never say never, just as Stuxnet
is generally attributed to Israel/USA, in the same way NotPetya is attributed
to Russia, even though none of these countries will ever admit they actually
did it.

~~~
Iv
Oh I did not know that. The attack was behaving differently on Ukrainian
targets? That's a pretty damning thing indeed and makes the question of the
act of war very relevant.

Note that it could make sense for a pro-Russia Ukrainian group to extort money
abroad and to hurt the target economically. That seems to be the Russian MO
for not being directly implicated in the Ukrainian operations: help with tools,
weapons and money the groups that are already in place.

They give up direct control over the actions in exchange for deniability.

~~~
MattPalmer1086
As far as I know, it didn't behave differently on Ukraine targets. The attack
was on Ukrainian tax software M.E.Doc that businesses in the Ukraine are
legally mandated to use.

So it was targeted at the Ukraine, but plenty of multinational companies also
operate there, so they were collateral damage.

------
dragonelite
Yeah sure, just like sanctions and tariffs are an economic way of doing war.
But how do you respond with counter cyber attacks or sanctions and tariffs?

------
arminiusreturns
The main problem with allowing cyberattacks into the "declaration of war"
category, against all known diplomatic norms, is that attribution is extremely
questionable. History is full of false flags done in the physical realm.
Cyberattacks will be no different, other than being easier to perform.

------
FpUser
Speaking of war. Just to show how effed the definition is, here is the article
where they try to decipher between war, armed conflict, and whatever else
they've come up with:
[https://www.washingtonpost.com/world/national-security/is-it-a-war-an-armed-conflict-why-words-matter-in-the-us-fight-vs-the-islamic-state/2014/10/06/f4528a6c-49a1-11e4-891d-713f052086a0_story.html](https://www.washingtonpost.com/world/national-security/is-it-a-war-an-armed-conflict-why-words-matter-in-the-us-fight-vs-the-islamic-state/2014/10/06/f4528a6c-49a1-11e4-891d-713f052086a0_story.html)

------
dmix
Considering it hit the company by accident via a server in Ukraine the whole
act of war thing is really questionable.

It’s completely reckless use of malware and there should be consequences for
Russia not taking care of their offensive weapons and causing serious damage.

But phrases like “act of war” shouldn’t be thrown around like that. I highly
doubt that was Russia’s intention, which I think should matter, even if we
still find them at fault.

~~~
tqi
I don't think the accidental nature is the crux here. As I understand it, if a
Russian bomb had inadvertently damaged / destroyed a physical office in
Ukraine, the insurance would not have covered that either. The question is
whether or not this virus was an act of war (against Ukraine) or if this was
an act of vandalism/crime by an individual actor.

------
ga-vu
Yes it was. I think everyone from Five Eyes to private cyber-security experts
has said this already for the past two years.

~~~
piffey
No, it wasn't. And this over-militarized diction of cybersecurity is
dangerous. You want nation states to be bombing developers sitting in offices
due to a perceived threat? Because this garbage rhetoric is how that happens.

Oh wait, here we are. Hope your bunker is ready!
[https://www.zdnet.com/article/in-a-first-israel-responds-to-hamas-hackers-with-an-air-strike/](https://www.zdnet.com/article/in-a-first-israel-responds-to-hamas-hackers-with-an-air-strike/)

------
upofadown
If a country funds a bunch of script kiddies to attack something somewhere
does that make the attack a state action? If the state takes measures to
conceal the source of that funding then is it still a state action? If a group
of script kiddies takes action due to a general suggestion from a state actor?
If a group of script kiddies with political aims congruent with one or more
state actors takes action all on their own?

This stuff is fundamentally different from the case where a group of people
end up with guns and engage in politically motivated violence. It is really a
form of advanced trolling. The fact that absolutely anyone can do this with no
fear for their life or freedom makes it politically meaningless.

There is no such thing as cyberwar...

So insurance is really just about insuring against security lapses. It should
be priced appropriately and should come with requirements.

------
throwGuardian
Act of war against .... Merck, a company? I've heard of some circuitous logic
to deny insurance claims, but this was not an act of war against Merck, which
BTW isn't a country, so by definition one can't go to war with it? Well,
maybe hyperbolically a competitor might, but unlike in real war, they're bound
by the rules and laws of civil society.

This is the very definition of an accident, if the article is to be believed,
with Merck not even being the target. Pay up, insurers; this is why you exist.

Further, what is the point of insurance, especially for sensitive IP-laden
companies like pharma research, if there's no protection against nation-state
attacks, which aren't outside the realm of possibility for such companies?

~~~
marvin
While I’m opposed to using legal terms to weasel out of an insurance claim,
it’s an interesting question. If Russia deliberately dropped a bomb on Merck’s
factory, it would unquestionably be an act of war. Likewise if they dropped a
bomb on a neighboring plant and also accidentally destroyed Merck’s plant.

But dropping a bomb on a facility in Ukraine, with equally destructive
shrapnel destroying facilities all over the world? Knowing that using this
weapon can easily cause such collateral damage?

We barely have the terminology for discussing this type of warfare. The
initial attack was an act of war, certainly. Beyond that, we have to come up
with definitions and reactions. At the very least, it’s a subject for
diplomatic channels, maybe even sanctions.

~~~
gchamonlive
Dropping a bomb is not an act of war because of the target itself. It is
because to do it you have to violate the country's whole security system and
cause damage to the country's real estate, which is an act of war, whereas to
invade a company's cluster of computers you don't have to compromise the
country's whole cyber network.

It is interesting though to think about aftermath. If it is not an act of war,
one can compromise a country's economy without going directly against the
country itself.

~~~
marvin
Deliberate attacks against a country’s economy would probably be handled on a
case by case basis through diplomatic channels.

E.g. I’d argue that if China announced it would not repay its massive Treasury
debts to the US, that would basically be an act of war even if no aggression
was used, just due to the extreme destructive effects. And the reaction would
be similarly upsetting, although not quite on the level of an unprovoked,
large-scale military action.

But it quickly becomes a discussion of semantics at that point ;)

~~~
robocat
> E.g. I’d argue that if China announced it would not repay its massive
> Treasury debts to the US

Other way round: the US has "borrowed" money from China.

~~~
marvin
Ah, I had a suspicion I had my signs mixed up. Thanks for pointing that out.
Point stands though :)

------
hurrdurr2
No.

------
exabrial
No. Not an act of war: an act of embarrassment. Merck should be shamed.

Can we stop calling these things "cyber attacks" or "hacks"? I think "gross
negligence on applying even basic information security" and "a focus on
security theatrics" fit much better.

------
anon9001
It's really an act of not being prepared.

$1.7B? They should be able to destroy and rebuild their entire infrastructure
in less than a day.

Have tested backup and restore processes. Ideally have all users in VMs.

I don't see how this isn't entirely Merck's fault.

~~~
marvin
Not _entirely_ Merck's fault. It wouldn't have happened (at this time) if
Russia hadn't used their weaponized exploit.

There's also something to be said for being the first large-scale victim of a
category of catastrophe that is known to be a real threat, but hasn't happened
on this scale before.

But you do have a point. There were probably security or IT ops people who
warned about this, and if Merck's shareholders take the full hit,
organizations will properly feel the risk and adjust their backup & restore
processes accordingly. Not so if insurance pays the full damages.

------
EddieCPU
I don't believe it. NotPetya was generic ransomware that spread to a lot of
organizations, including the NHS in England. This is fiction, yet another
example of the neocons attempting to demonize the Russian Federation, no doubt
to distract from problems at home.

~~~
dvfjsdhgfv
You must be kidding, right? NotPetya was designed for Ukrainian targets and
brought the country to its knees (again). What some Western companies like
Merck or Maersk experienced was just a tiny fraction of what the institutions
in Kiev went through.

Whether insurers like AIG can run away from their contractual obligations by
playing the "cyber war" card is a different issue. Technically, it was a
cyberattack similar to many others, no matter if the authors were
Kremlin-employed or not.

------
filleokus
Something like a missile attack on a Samsung factory is so easy to investigate
and get conclusive evidence about what happened. Within hours or days we would
know with almost certainty if it was an act of war or something else
(accidental firing by the South Korea military or something...).

Consider something like Stuxnet: it took years before it was truly discovered
and attribution could be made, at least in a way that would hold up in a
lawsuit about insurance claims.

------
RachelF
The ransomware wanted $300 in Bitcoin per computer encrypted.

This is a commercial extortion attempt, not an act of war. The insurers, as is
their wont, don't want to pay out.

~~~
draugadrotten
Just as a thought experiment: if country X shut down power in country Y,
asking for 100 billion in ransom to start the power again, would that be an act
of war, or just commercial extortion? It matters from a legal perspective, and
perhaps the laws of war have to be updated for cyber warfare.

~~~
brutt
Laws of war require wearing a uniform, even for cyber soldiers. If they are not
wearing a uniform when doing their informational attacks, masquerading as
civilians, then it's just a war crime. There is no need to update the law.

~~~
PeterisP
You're misinformed: laws of war do _not_ prohibit intentionally not wearing
uniforms, and the (many!) cases of war operations performed without uniform or
wearing enemy uniforms (sometimes on a large unit scale, e.g. in WW2) were
_not_ considered war crimes.

What may be the source of confusion is that the Geneva Convention requires
wearing uniforms... to get the protections afforded by the Geneva Convention.
If your troops violate that requirement, then that means that if they're
captured without uniforms, the enemy is free not to fulfil the prisoner of war
treatment required by the Geneva Conventions, but to summarily execute all of
them as spies, which was also often the practical consequence in WW2 if such
troops were caught. A particular example may be the trial after WW2 of Otto
Skorzeny and other officers for Nazi troops wearing US uniforms during
Operation Greif in the Battle of the Bulge, where they were acquitted on the
claimed charges of war crimes because these actions were considered by the
court as a 'legitimate ruse of war'.

If I recall correctly, masquerading as the Red Cross could be a war crime; there
are specific provisions for that, but the international treaties do not
prohibit masquerading as civilians or enemy troops, or performing all kinds
of other misinformation.

For most members in most militaries, it's a legal requirement _set by their
command_ to wear uniforms - but it's a requirement that the commanders can
alter if they deem it necessary.

~~~
mlb_hn
Masquerading as the Red Cross can be a grave breach of Article 37 of the 1977
Additional Protocol I [0]

[0] [https://ihl-databases.icrc.org/ihl/WebART/470-750111](https://ihl-databases.icrc.org/ihl/WebART/470-750111) (paragraph 3.f)

