Hans Rehder nervously adjusts his tie as he steps into the Hotel Adria lobby, eyes scanning for his contact. Did he want to be here? He doesn't know, but he has a wife, four kids, and a pile of mounting debt that he can't repay. Simon set him up with this meeting and the man offers him money. All he has to do is steal secrets from Telefunken, his employer. His first payment is 500 West German marks - easy money. Hans doesn't know it when he first meets Simon's contact, but he has just signed up to be a corporate spy for the Stasi. He goes on to steal from Telefunken for the next 28 years … and he's never caught.
State-backed corporate espionage has been around since the dawn of business. By the 1950s, the time of Hans Rehder, it was already a well-honed practice. The CIA, the KGB and the Stasi were all masters of their craft.
But now it's 2021. The Cold War is over and we all like to believe that we're not at risk of such 20th-century subterfuge. The reality is that since the first half of the 20th century traditional 'war' has moved increasingly into the cyber domain. Espionage is now cyber terrorism, and as we all grow increasingly reliant on the internet to do business, our companies are more at risk than ever before. A modern Hans Rehder doesn't even have to leave his home, and he can do significantly more harm.
The SolarWinds hack is a stark reminder of the world's vulnerability to state-based cyber terrorism. But as a German company, should you care about a US company's losses? And if so, what should you do about it?
Summarising the hack
SolarWinds was a malicious and highly sophisticated digital supply chain hack that has impacted nearly 20,000 companies around the globe. While 80% are based in the US, there are many overseas - even in Germany, as we'll discuss more below.
In 2019, cyber attackers believed to be part of the 'Cozy Bear' group, backed by the Russian FSB, snuck malicious code into SolarWinds' Orion system. Dubbed 'Sunspot', it was used as a practice run for the main attack and helped to inject their trojan into a major Orion update (the new malware was dubbed 'Sunburst').
Of course, when the seemingly normal patch went out to customers in 2020, it planted the malware in tens of thousands of systems around the globe, including major organizations such as Microsoft, FireEye and even the US Department of Energy's National Nuclear Security Administration. Two more pieces of malware, Teardrop and Raindrop, were then utilized to further compromise targets of interest with customized Cobalt Strike beacons.
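The point of the two paragraphs above is that the update looked legitimate to customers: it came from the vendor's own build and carried the vendor's own signature, because the implant was inserted at build time rather than in the source repository. The following Python script is an added illustration of why a signature check alone cannot catch that, and what an independent check looks like; it is not code from SolarWinds, dig8ital or this article. Everything in it is constructed: the file names and contents are a made-up source tree, an HMAC stands in for a real code-signing certificate, and the "compiler" is a deterministic concatenation so that a reproducible build can be simulated offline. The comparison against an independently rebuilt artifact is the defender's check this example assumes; the article itself does not name it.

```python
import hashlib
import hmac

# Constructed sample source tree (file path -> contents) standing in for a
# vendor's product sources. Nothing here is real SolarWinds code.
CLEAN_SOURCES = {
    "core/business_layer.cs": b"class BusinessLayer { void Run() { /* monitoring logic */ } }",
    "core/scheduler.cs": b"class Scheduler { void Tick() { /* timer */ } }",
    "ui/dashboard.cs": b"class Dashboard { void Render() { /* widgets */ } }",
}

# Hypothetical vendor code-signing secret; an HMAC stands in for the real
# certificate-based signature so the example runs offline.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"


def build_artifact(sources: dict) -> bytes:
    """Deterministic 'compiler': the same inputs always give the same bytes."""
    parts = [path.encode() + b"\0" + sources[path] for path in sorted(sources)]
    return b"\n".join(parts)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vendor_sign(artifact: bytes) -> str:
    """The vendor's build server signs whatever it produced."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def signature_valid(artifact: bytes, signature: str) -> bool:
    """Customer-side check: was this artifact signed with the vendor key?"""
    return hmac.compare_digest(vendor_sign(artifact), signature)


def reproducible_build_matches(artifact: bytes, audited_sources: dict) -> bool:
    """Independent check: rebuild from audited sources and compare hashes."""
    expected = sha256_hex(build_artifact(audited_sources))
    return hmac.compare_digest(sha256_hex(artifact), expected)


def assess_update(artifact: bytes, signature: str, audited_sources: dict) -> dict:
    """Combine both checks; a release is trusted only if both pass."""
    sig_ok = signature_valid(artifact, signature)
    repro_ok = reproducible_build_matches(artifact, audited_sources)
    return {"signature_valid": sig_ok, "reproducible": repro_ok, "trusted": sig_ok and repro_ok}


def clean_release() -> tuple:
    """Normal release: build from the audited sources, sign the result."""
    artifact = build_artifact(CLEAN_SOURCES)
    return artifact, vendor_sign(artifact)


def trojanized_release() -> tuple:
    """Build-time implant (constructed): the source repository is untouched,
    but the copy on the build server is modified before compilation."""
    build_server_sources = dict(CLEAN_SOURCES)
    build_server_sources["core/business_layer.cs"] += b"\n// implant inserted at build time (constructed)"
    artifact = build_artifact(build_server_sources)
    # The build server still signs the result with the genuine vendor key.
    return artifact, vendor_sign(artifact)


if __name__ == "__main__":
    for label, (artifact, sig) in (("clean", clean_release()), ("trojanized", trojanized_release())):
        print(label, assess_update(artifact, sig, CLEAN_SOURCES))
```

Run as-is, the clean release passes both checks while the trojanized one carries a perfectly valid vendor signature and fails only the reproducible-build comparison. That is the gap a build-server compromise exploits: the signature proves who built the artifact, not that it was built from the sources anyone reviewed.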
Identifying the scale of the attack
At time of writing, the scale of the SolarWinds hack is still unfolding - this was a meticulously planned attack that went unnoticed for months. We may never know the true extent of the damage, and what the hackers stole or damaged.
Terrorist attacks are designed to cause harm, to undermine order, sow chaos and interrupt infrastructure. This distinguishes terror from regular crime: the aim is not to harm an individual or a particular group, but to fundamentally damage the constitutional order of things.
The SolarWinds attack far eclipses the old days of Cold War corporate espionage. It was an act of modern cyber terror, not designed merely to ruin SolarWinds' stocks or harm its staff, but to compromise tens of thousands of systems - including sensitive US government infrastructure. SolarWinds may have been the original company to be undermined, but its customers had customers, who then had customers of their own. And so the damage spread.
Cyber attacks from state-backed operatives have become increasingly distressing. 2017 was the first year we saw how truly devastating they can be. That was the year of WannaCry and Petya, and then NotPetya, the self-replicating malware unleashed by Russia on Ukraine, which accidentally took down the world's biggest shipping company, Maersk (among many other companies, too). SolarWinds is just the latest event.
According to the Microsoft Digital Defence Report, state-backed attacks are on the rise and their actors are using highly sophisticated ransomware, credential harvesting and VPN exploits to infiltrate and compromise major targets. And these targets don't have to be government agencies; NGOs, professional services, international organizations, IT firms and higher education are among the top sectors at risk, according to the report.
As we mentioned, about 80% of the companies impacted by SolarWinds are based in the US, so are most German companies then safe?
No, and here's why.
We know that some major German companies were affected, including Gillette Germany, Siemens and Deutsche Telekom. It's likely that many more have also been infected, either directly or via a third party. For example, Microsoft Azure was one such American victim with many customers in Germany. Indeed, the World Economic Forum found that Germany is the fourth-most hacked country in the world, behind the US, UK and India.
But it gets more alarming. With simple techniques such as guessing easy passwords and exploiting known cloud configuration issues with Microsoft Azure, hackers have been able to infect thousands of customers not actually linked to SolarWinds. In fact, some reports say that as many as 30% of victims were not related to the Orion update.
In 2021, the reality we have to accept is that the digital supply chain is a worldwide, interconnected web of companies and just because your organization is based in a nation far away from a hacking victim does not mean you are isolated.
Due to our close economic ties and long history with Russia, Germany is at risk of becoming collateral in any counter-strike operation. Indeed, the Russian government is already warning its organizations that the US may return fire with a hack of its own.
Many companies in Germany are, therefore, either directly or indirectly linked to Russian systems - leaving them potentially exposed.
If you believe your company has been impacted by the SolarWinds hack, either as a direct customer or as collateral from someone else, you need to act now. The longer you wait, the more you expose your business to damage.
There are many changes you can make over time to improve your resilience to potential future state-sponsored attacks (which are inevitable), but you can make progress swiftly even without third-party help by following these steps:
Ignorance is not bliss when it comes to risk exposure. While many companies treat risk, compliance and governance (all vital in identifying terror threats) as mere boxes to tick, you can't be protected from what you don't understand and cannot identify.
Bring together your key technology and business leaders and agree on the methodology or security control catalogue that reflects your organizational needs. If you do not have security expertise in house, you will need to find a third party such as dig8ital to help you. Modern expertise here is critical to success.
When you understand your risk exposure and have modelled for threats, you can then state your risk appetite and narrow down to the things you must improve across the business.
Additionally, if your governance, risk and compliance people are separated into siloed teams, you need to make sure they are talking to each other and working to an aligned plan or else gaps may form between these key areas.
Bonus step: Upper management, including the board, will need to be aware of and involved in these changes, but you can't just dump a pile of tech jargon in their laps. That's a quick way to get ignored. Find common ground with other leaders and help them understand the importance of security compliance. Use language that they understand, such as risk exposure and organizational impacts, and back it up with hard data.
Data is the lifeblood of your business, and cyber terrorists know this. Having a poor understanding of your information assets could leave them vulnerable to attack. An important thing to keep in mind here is that just because your organization has a poor register of its data doesn't mean hackers do too. They may well know more about you than you do.
Ask yourself these questions to guide you towards better transparency:
Risk management is often seen as just a department, an arm of the company that isn't as important as the others and therefore requires far less attention. However, risk needs to be managed end to end if the effort is to succeed, and the modern company is exposed to a lot of risks.
End-to-end risk management involves the thorough identification, treatment and follow-up of risks. They can't just be stored in a risk register and forgotten. After all, what is the benefit of the data if it is not used to shape strong security policies?
Bonus tip: Focus on utilizing risk management processes backed by ISO 27001/27002 for guidance on the subject.
At this point in the process you have either already assessed your current partners or are comfortable that they do not expose you to the SolarWinds hack. Now you need to establish new processes that assess and monitor your third parties on a regular basis.
As part of your discussions on risk and compliance, also develop a third-party risk assessment that includes these steps:
As we mentioned, modern security expertise is an absolute must-have when it comes to fighting modern cyber threats. Security is a constantly evolving landscape and keeping up with the changes is a full-time job all of its own.
Most organizations simply don't have this expertise in-house and that's OK. You're the experts in what you do, and you can turn to us for the rest - we're the experts in what we do.
To learn more about how we might be able to help your company defend itself against the threat of cyber terrorism, contact us today for a free maturity consultation.