Part of series: Security Lancaster Seminar Series

Shipping Containers, Russian Criminals, American Spooks and Nuclear Weapons

An intelligence-led case study of a cyber breach


~700 words


Last modified: May 2nd, 12,018 HE

Phil Warren, Deputy Chief Information Security Officer at the Bank of England, came to the University of Lancaster to give a presentation about …the NotPetya cyber breach, the impact of these attacks and what we can learn. Falling on the same week as the teaching for my Cybercrime module, we all headed along. The talk was held under the Chatham House rule.

The Bank of England’s interest in cyber security only began with the introduction of Mark Carney as Governor in 2013. He brought in a new approach aimed at modernising the institution, which had beforehand acted more like an academic institution than a bank. He brought in Charlotte Hogg as the first Chief Operating Officer, who realised the cyber security risks faced by the Bank. It had …walked into becoming a big data organisation, without really thinking about security. The first annual test of the Bank’s cyber security readiness made for grim reading, although the Bank still outpaced many of its peers.

With global Internet traffic predicted by Cisco to reach 3.3 ZB by 2021, the start of the fourth industrial revolution has seen the growth of a bigger and more complicated attack surface than ever before, along with a concentration of risk into a few small organisations. The trick to defending a network is, apparently, to not try to defend it all.

We then moved on to the case study of the NotPetya malware. The story of NotPetya begins with the 2016 leaks of classified NSA hacking tools and zero-day exports. One such exploit—EternalBlue—found its way onto the Internet and was later used by (allegedly) North Korea, criminals and the Russian state. The first case was the 2017 WannaCry ransomware attack that so impacted the NHS. Some have accused North Korea of developing and releasing the malware in order to raise money for the building of their nuclear capacity. WannaCry had a global impact and demonstrated cyber poverty lines between those who could afford (or were able) to patch their systems, i.e. not the NHS.

Like, potentially, the North Koreans, criminal use of the EternalBlue exploit has been similarly motivated by monetary concerns. The Russian state’s motivation, on the other hand, is to input on their foreign policy goals. It was implemented in the form of NotPetya and released into Ukraine via the automatic update function of a popular piece of accountancy software. 80 % of the impact was contained within Ukraine.

The issue here, from a risk management perspective, is that we are firmly in the realm of Rumsfeldian unknown unknowns. For example, the cost to Maersk (who handle some 20 % of the world’s trade) was between $200–300 m, and they had to completely destroy and rebuild their IT infrastructure. What chance would the CEO of Maersk have of knowing about the leak of this exploit, that it had been released online and weaponised, that it had ended up in the hands of Russia, they they would use it in a war they were fighting in Ukraine and that it would impact your operations? To their credit, however, Maersk’s incident response was apparently very good. They were also praised for being open about their responses in the aftermath.

The Bank of England’s regulatory role can inhibit frank discussion about security issues with industry, through fear of inviting sanctions. In response to this, they introduced the CBEST scheme to target tests at the core of the financial sector. The Bank found key themes that financial institutions should consider when assessing risk, e.g. cultural changes, dependence on third-party software, etc. The impact of CBEST was that nervous IT teams within these organisations realised that a Bank of England-accredited stamp let them get on with their jobs and that they were soon supportive of it.

We then moved on to the Bank’s Project STRIDER, …which aims to increase collaboration across the sector for cyber incident response. The project acts as a sector diagnostic, and has identified a need for a standing cyber response capability, along with the existence of an appetite for change within industry. We finished by briefly covering UK Finance and KPMG’s 2018 Staying Ahead of Cyber Crime.