Chapter three 
Case studies

On 27 June 2017, one of the year’s most disruptive cyber attacks began to wreak havoc across Ukraine. ATMs stopped working after several banks, including the National Bank of Ukraine and state savings bank Oschadbank, confirmed they had suffered a cyber attack. Kyiv’s Boryspil Airport experienced gridlock when its computer systems went down. Kyivenergo, the capital’s energy generating company, reported it had to turn off all its computers because of the attack. Scientists monitoring the radiation levels at Chernobyl had to move to manual processes after their computers failed. Government agencies, telecommunications companies, transport operators and businesses across Ukraine were affected.

While Ukraine was the epicentre of the attack, the damage was not confined to one country. The malware known as NotPetya wormed its way through networks across Europe and the globe. A number of large multinationals were significantly affected by the attack, including advertising conglomerate WPP, global shipping firm AP Moller-Maersk, healthcare and pharmaceutical giant Merck, snack food company Mondelez, consumer group Reckitt Benckiser, FedEx division TNT and law firm DLA Piper.

The NotPetya attack masqueraded as ransomware. Infected endpoints displayed a menacing black screen, familiar to anyone who has suffered this type of attack, informing the user that their files had been encrypted and including a demand for payment to a bitcoin wallet. Victims quickly discovered the ransom demands to decrypt files were a false flag designed to misdirect attribution. Leaving them with two options: to rebuild affected systems from backups if available, or to wipe them and start again.

Multinationals brought to their knees
The impact on affected companies was swift. The malware locked down files and systems indiscriminately – front line systems, industrial control systems and back office functions, such as email and finance, were all affected. Many multinationals had to resort to manual processes.
Maersk ran the world’s largest container shipping operation for more than a week using paper processes. Staff at TNT, which is owned by global logistics provider FedEx, were reduced to using manual processes for pick-up, sorting and delivery. Parcels reportedly piled up to the ceiling in TNT depots as staff struggled to work through the backlog. Merck and Reckitt Benkiser had to halt production of drugs and consumer goods after the malware infiltrated their manufacturing facilities. Merck announced it would be able to maintain continuous supply of life-saving drugs throughout the crisis, but has since been asked to provide evidence to a Congressional committee to help understand cyber threats to the healthcare sector in the US and the potential impacts of these attacks on critical medical supplies.

Companies reported their staff had to be resourceful to deal with significant disruptions to email communications. TNT employees resorted to using WhatsApp internally after their email system went down, and social media platforms such as Facebook and Twitter to communicate with clients. DLA Piper communicated with staff via text messages. Martin Sorrell, CEO of WPP, said their staff went “back to pen and paper” while they were dealing with the disruption.

Some companies were able to restore systems a few days after the attack. Others were back online after a week. But some companies experienced extended delays, leading them to declare to the market in the weeks that followed the attack that they did not know when the issue would be fully resolved. Companies have since disclosed that flow-on effects of the attack on sales, supply chain and invoicing lingered for months. In the worst cases, it was admitted that some information and systems would never be recovered.

Financial impacts of a cyber attack
When Control Risks speaks to clients about the impact of a cyber attack, we identify four broad impacts: financial, reputational, operational and the impact on people. It can be difficult to quantify the losses of cyber attacks because most organisations who fall victim do not publicly discuss the broader impacts.

In the case of the NotPetya attack, a number of listed companies experienced material losses and were compelled to disclose to the market the ongoing effects of this attack. The financial losses were significant. Some multinationals have estimated the attack cost them approximately US$300 million. The losses initially were a result of reduced productivity and lost opportunities, as well as the costs of restoring and installing enhanced systems in the wake of the attack. Most of the organisations hit have also increased investments in additional measures to prevent future attacks.

The loss of business-critical data and systems had secondary effects such as the inability to invoice properly due to missing data. But by far the most significant impact was on reputation. Months after the attack companies such as Maersk, Merck, Reckitt Benkiser and Fedex disclosed that sales continued to be affected. FedEx provisioned significant funds to cover the loss of customers and failure to attract new customers, and incentives to restore confidence and maintain business relationships.

Enlarge

Who was responsible for this destructive attack?
Although attribution of attacks is difficult, Control Risks’ Cyber Threat Intelligence team believes NotPetya was a nation-state campaign masquerading as a criminal attack, likely of Russian origin. That said, many Russian organisations also fell victim to this attack and Moscow has repeatedly denied responsibility.

Russia is believed to have perpetrated a number of cyber attacks on Ukraine over the last two years. In late 2015, Russian special services allegedly attempted to hack Ukraine’s power network by inserting malware on the IT network of regional power companies, leaving hundreds of thousands of residents in the dark. This was the first in a series of attacks against Ukrainian critical national infrastructure in the energy, mining and transport sectors. Control Risks’ Cyber Threat Intelligence team warned clients in early 2017 that Russia and Ukraine are likely to escalate their cyber offensive operations as a result of escalating tensions in Ukraine’s disputed eastern regions of Donetsk and Luhansk.

The goal of the threat actors behind NotPetya appeared to be to destabilise business in Ukraine by releasing malware that spread fast and caused maximum damage. The attack was so damaging because the malware encrypted and locked entire hard drives – rather than individual files – in a way that appeared to be irreversible. It took advantage of an exploit in Microsoft Windows dubbed ‘Eternal Blue’ that had been leaked from the USA’s National Security Agency. Microsoft released a patch for this exploit in March 2017, but many companies were not up to date with their patching regimes, and so were vulnerable to both the WannaCry ransomware attack, which caused global disruption in May, and NotPetya. The initial infection vector was through an update released by Ukrainian accounting software company M.E.Doc, which is used by 80% of Ukrainian companies. M.E.Doc was found to have very lax cyber security, which allowed hackers to hijack the update process and embed it with worming malware that then spread laterally across victims’ networks.

Control Risks’ cyber security experts believe this attack is a sign of things to come. Nation states such as Russia, North Korea, Iran, the United Kingdom, the USA and others are strengthening their cyber arsenal and it is difficult to imagine any future conflict that does not have an element of cyber warfare. This is bad news for organisations, which will be collateral damage in these skirmishes.

The message for organisations is: if you are not already undertaking a co-ordinated cyber security programme across your organisation, you should be, because the chance of having your business disrupted by these types of attacks is increasing every day.

On August 12, 2015, two massive explosions rocked the north-east Chinese port city of Tianjin, home to 15 million people. They left behind an enormous crater and caused an inferno that damaged and destroyed warehouses, containers and thousands of cars. The explosions devastated a vast area of the port – at the time the tenth largest and sixth busiest in the world.

The warehouse at the centre of the blast stored hundreds of tons of hazardous chemicals and sodium cyanide was found as far as 1km from the site. Hundreds of local residents were evacuated and a 3km exclusion zone was imposed. The death toll was eventually counted at 173, with more than 700 injured.

Crawford Global Technical Services (GTS) adjusters were on the scene shortly after the incident occurred and continue to handle claims to this day for many multinational corporate clients and insurers from both the Chinese and Japanese market. The adjusters were able to get a reasonable feel for the extent of damage sustained from outside the exclusion zone, which included many uninsured private apartment buildings.

A huge challenge came from multinational and local manufacturing facilities within the five-mile blast band. They suffered damage from the explosions’ shock-waves, such as broken windows and distortion to external walls, roof panels and other structural elements. Escape of water claims occurred from ruptured sprinkler systems, which production machinery was severely shaken, requiring repair/recalibration.

However, with factory closures and supply chain disruption caused by environmental safety concerns relating to toxic gases, it was the business interruption issues that would have the most lasting effects.

Noxious chemicals and restricted access
The adjusters were allowed inside the exclusion zone by August 25. Risk managers of Crawford & Company’s multinational accounts had been contacted immediately after the explosion happened, and they were briefed regarding the situation and their potential exposures. Several of them had cargo passing through the port (including around 10,000 new vehicles) and our inspections revealed what, for many, became a total loss.

The warehouse devastated by the explosions was eventually discovered to have contained “over 40 kinds of hazardous chemicals”, according to police spokespeople, including sodium cyanide in quantities well above what was permitted. In addition, ammonium and potassium nitrate were present in large quantities, with investigators concluding that this, in combination with the highly volatile gas acetylene, may have caused the detonation.

The Chinese authorities have since conducted an investigation that has resulted in significant tightening of the regulations around hazardous materials. The result has been a slow down for businesses using the port due to strict licensing issues, meaning any business involved in chemicals will now have to jump through considerably more hoops than before.

Licences have had to be re-applied for under a much stricter regime, which from an operational standpoint has created a bottleneck for businesses importing raw materials or using the port; they have had to find workaround solutions that are often much slower or more expensive.

Different opinions
Local laws involve a fronting insurer in China, which means that despite the fact that there is very little retention in the local market, there is an assumption that the claim must be adjusted based on a local understanding, even if reinsurers or captives have a different opinion about how the policy should operate.

A good example of how this can create problems can be seen with one claim in which a company was not covered for business interruption; instead, it had an endorsement for increased costs of working. It wasn’t covered for business losses, but it was covered for costs to mitigate any potential losses. This was always the intention of the local Chinese insurers, which said that you can’t have increased costs of working without normal gross profit cover. This led to the conclusion there shouldn’t be any payment made if the loss had already been mitigated by increased costs of working cover.

Another example was an organisation with raw materials on the dock that were destroyed. It didn’t have any physical damage at its manufacturing facility, but it couldn’t import materials without sourcing from an alternative port; this cost a lot of money. Because the port then didn’t reopen, the organisation had to continue incurring this additional cost. After the replacement of the damaged stock, there was no cover for the continuation of that supply from the alternative port. There was no ‘damage to property’ trigger in the loss, and while the organisation believed it had plenty of increased cost of working cover, because the loss didn’t flow from damage to its insured property, it wasn’t entitled to a payment.

The explosions that occurred in Tianjin are likely to constitute one of the largest insured man-made losses to date in Asia. It will certainly be considered one of the most complex insurance and reinsurance losses in recent history. It is probably a fair bet that the operation of Tianjin will never return to its full pre-loss capacity because of the restrictions placed on what can be moved and stored there. This could cause overreaching issues for manufacturers in the area, changing their business models forever.