On June 27, 2017, malware was activated on multiple government and financial systems in Ukraine. First thought to be Petya ransomware, it turned out to be a weaponized variant called NotPetya that prevented users from accessing their hard drives and offered no way of recovery, effectively destroying the data. Aimed directly at Ukraine to severely disrupt its supporting IT infrastructure, it rapidly spread to other connected systems, which was likely part of the intended disruption. Within a day, more than 1,500 businesses, airports, power grids, and financial management systems were damaged.
Global data integration means the destruction did not stop at national borders. By the second day, international companies, including Mondelez, Moller-Maersk, TNT Express, Saint-Gobain construction, U.K. and U.S. hospitals, a global marketing firm, and a pharmaceutical company, were infected. Most companies cut access to common communication trunks to isolate themselves from infection, but that meant cutting themselves off from business as well. The infected organizations spent weeks in test-and-recovery mode, further limiting their return to productivity.
Retailers live with daily cyberattacks, such as spear-phishing, distributed denial-of-service (DDoS) attacks, and active and passive monitoring taps within supposedly secure systems. Those in the C-suite understand that a breach can cost them their leadership positions. Even large and previously immune social media companies have discovered the financial impact of sharing users’ data without their consent. But it is decidedly harder to measure the collateral damage to processes and procedures that is a byproduct of this new form of warfare.
“Asymmetrical warfare” is waging undeclared war by means of proxies, independent agents, and professionals so that there is no clear line of responsibility or “plausible deniability.” Even though warfare is as old as nations, the emergence of digital warfare is a 21st-century occurrence. Attacking IT systems and infrastructure offers a far higher ROI with considerably less risk to the original aggressor. Moving armies, engineers, or equipment is expensive. Software is decidedly cheaper and already has an extensive landscape dedicated to concealing identities while ensuring results.
This landscape is a competitive matrix of experts for hire, mostly based in Russia and Eastern Europe. The early internet marketing (via spam) of gray market pharmaceuticals created a loose infrastructure of specialists. One group found and stored working email addresses. Another managed payment. Still another managed messaging, while another captured computers for use and another delivered the product. Their success drove others to improve their craft. It also attracted the funding and attention of criminal gangs tied to governments in the 1990s. A gray cooperative of profitable mischief makers — the Spam Nation of coders, finance, gangs, and often compromised security agencies — emerged.
At the same time, nations started leveraging the internet and digital devices to build espionage capabilities. Implementing keystroke readers, monitoring communications, and tracking users were the basics. The big leap came in 2010 with Stuxnet, a software worm designed to damage Iran’s nuclear program. Its success led to an international arms race to create better, more effective, and harder-to-detect code. The Spam Nation was often the ideal conduit to expand into the serious criminal activities of stealing financial information and selling credit data.
Ransomware emerged around 2014 as a way for criminals to generate illegal income. However, because results and ransom payments were unpredictable, it was not very cost-effective. That changed in 2016 when the U.S. National Security Agency (NSA) lost control of a suite of software tools. The NSA leak, combined with effective reverse-engineering of Stuxnet, made ransomware far easier to build and execute on a large scale. But it also meant that governments could outsource the coding and execution of weapons to relatively unknown groups. The resulting attacks were not as narrowly targeted as NotPetya, the code developed from that NSA leak, was.
It is difficult to overstate how integrated retail is today, resulting in reduced costs and improved customer engagement, inventory, and financial technology, all of which are competitive requirements. Retailers invest to protect the integrity of their systems from hackers, blackmail, and wandering viruses. They consider data and process hygiene to be essential to integrating with third parties. Risk mitigation is a mature planning tool for all of retail, including IT. However, asymmetrical warfare is not part of that planning, which makes future collateral damage to a retailer likely. IT must be more aware of new threats that are not aimed at the industry but can easily damage it. This means it must maintain a high degree of threat awareness and work with security firms that specialize in identifying these threats in real time. And it means reassessing current preventive tools that have performed well to date but that can often be coded into weapons as a means of stealth access.