Post-Malware Outbreak: Rip and Replace?Zombie Attack Lessons Learned from Germany's Bundestag
See Also: You've Got BEC!
German officials say they have stopped related data exfiltration - although they have not disclosed what information was stolen. But they are still struggling to contain the outbreak. They further report that they may need to replace some or all of the affected IT infrastructure, which includes 20,000 PCs as well as an unknown quantity of servers that may be helping the infections remain active. In the meantime, many systems have reportedly been taken offline, impacting productivity.
We constantly recommend to our clients that they need to integrate their cybersecurity incident response plans with their business continuity plans, in the event of a major security breach that results in large numbers of their key systems being unavailable.
Here are three key lessons that every organization should learn from the Bundestag breach:
After Zombie Infections, Forget Provenance
One of the more interesting potential explanations for how the attack progressed is that it started in the legislative office of German Chancellor Angela Merkel. Earlier this week, German newspaper Bild reported that investigators on June 12 discovered that the outbreak began by infecting five PCs in Merkel's office. In other words, her office may have been the Bundestag PC zombie army "ground zero" for attackers, and the true target.
On June 16, meanwhile, German software company G Data reported that since June 8, attackers - using a new variant of the Swatbanker banking Trojan - have been targeting the Bundestag network, although it is not clear if these attacks are tied to the May intrusion.
Those are interesting potential turns in the investigation. Many media outlets have also reported that German investigators believe that Russian intelligence operatives may have launched the attack, based on the malware that was used. But Peter Sommer, professor of cybersecurity and digital evidence at Britain's de Montfort and the Open Universities, tells me that too often, such discussions are "partly designed to distract attention from guilty system owners and managers."
Arguably, those IT owners and managers should have had the right processes, procedures and a breach-response plan in place to quickly lock down and remediate any successful hacks. Such plans apply regardless of whether the attack was launched by angry ex-employees, foreign spies or bored teenagers.
Prepare for Downtime, Disruptions
Regardless of how the infection began or spread - or who launched it - the Bundestag breach is a reminder that every organization needs to plan for the possibility that some or all of their PCs and other systems could be compromised via a data breach. If that happens, machines may need to be taken offline or impounded for repair or digital forensic investigations.
Too many organizations, however, fail to plan accordingly. "We constantly recommend to our clients that they need to integrate their cybersecurity incident response plans with their business continuity plans, in the event of a major security breach that results in large numbers of their key systems being unavailable," Brian Honan, a Dublin-based information security consultant and Europol cybersecurity adviser, tells me. "We also recommend making the infrastructure as resilient as possible to firstly reduce the impact of any potential breaches, but also to ensure the business can continue in the event of a major breach."
Can You Handle Damaging Malware?
One lesson learned from the epic 2014 Sony Pictures Entertainment breach was that attackers - although they have rarely done so to date - can cause serious damage by deploying wiper malware against a target, leaving infected systems "bricked" and unusable at attackers' command (see 'Wiper' Malware: What You Need to Know). Indeed, Sony was forced to replace thousands of PCs that were bricked by having their BIOS altered, and earlier this year reported that in total, "investigation and remediation costs" for the breach were likely to reach $35 million.
Now, Bundestag investigators have indicated that to control their Trojan outbreak, they may be forced to replace at least some of their IT infrastructure, although they have not said that wiper malware was used, or data deleted.
"Without knowing exactly what type of malware the IT team of the Bundestag is dealing with, it is hard - at a distance - to determine if this is overkill or not," says Honan, who also heads Ireland's computer emergency response team. "In the majority of cases, rebuilding systems would be the normal approach, rather than replacing them."
But Honan notes that after struggling to contain the outbreak for more than a month, and crunching the breach-response numbers - not to mention the breach's ongoing impact on productivity - the Bundestag's investigators may have settled on replacement as the most cost-effective option.
"The malware in this case may be firmware or BIOS-based, or indeed it may be a simple case of economics that it is more cost-effective to replace the systems rather than rebuilding them, in particular if the IT systems needed to be upgrade soon, in any case," he says. "What I hope has happened is that a thorough analysis of the malware has been conducted, its capabilities assessed and a risk-based decision has been made as what is the best way to proceed."
Focus on Response, Resilience
Going forward, the Bundestag - and all organization that rely on IT systems - need to take a good, hard look at their technology infrastructure. Indeed, the breach highlights not just the perils of a potential intelligence agency hack attack, but also the fallout from lack of forward planning about how to handle breaches, mitigate intrusions and quickly get up and running again afterwards.