Thursday, June 29, 2017

If It Is True That The Ultimate Goal Of The "GoldenEye" Malware Was Data Destruction...

Please accept -- at the head -- that all of this is just my conjecture, based on published reports.

I am officially in touch with no one inside Merck. [But I am relying here on some cybersecurity experts I've trusted, since the early days of Scooter Libby (2003 to 2004). All the way back to the founding of Netroots Nation, in fact.]

So, I can say with some confidence that Marcy Wheeler is likely correct in her slyly implied conjecture -- that if Shadow Brokers affiliated hackers wanted to create maximum political fallout in the Ukraine, but not really collect any cash -- this might be nearly the best way to make such a statement, and immediately prior to the holiday commemorating the 21st Anniversary of the adoption of the independent Ukraine Constitution.

All of this also leads us much more convincingly to the conclusion that Merck, proper, was not a primary target.

Kenilworth was, unfortunately, just in the (largely unintended) damage path -- because it had (presumably) shared ordinary tax on sales files with government agencies in the Ukraine (as it is required to, under local law) -- in the five days prior to Tuesday. From there, it likely spread across the Merck IT backbone, here in the US. Perhaps even to (and this is purely conjecture!) the Pennsylvania hospitals. Those hospitals now affected may have "caught" the malware, by sharing files with Merck -- again, not an unusual occurrence (and those hospitals too likely weren't up to date with their Windows patches -- so some contributory negligence there, to be sure).

But back to the main narrative: let us listen to my go-to expert here -- EmptyWheel, under the keyboard of Marcy Wheeler, here:

. . . .It will take some time to understand what the attack really is, particularly given the degree to which it appears to masquerade as things it’s not.

But for the moment, I want to consider how a similar attack might be used as a counter to sanction[ed] regimes. As far as we currently know, this attack made doing business with Ukraine a very expensive business proposition, as doing business with, say, some oligarchs in Russia is made costly for those subject to US sanctions because [they] have to bank in the US. The attack served as a self-executing investigative method to identify just who had business tax dealing[s] in the Ukraine, and imposed an immediate cost. So whether or not that’s what this is, such an attack could be used to counteract sanctions imposed by the international banking community. . . .

Again, I’m not saying that’s what NotPetya [or GoldenEye] is. I am saying that if you wanted to design a counter to financial sanctions using malware, NotPetya [or GoldenEye] is close to what it’d look like. . . .

Of course, had Kenilworth (and even more directly, MSD Ukraine, LLC) been up to date on all their Windows patches, and periodic security updates, enterprise wide -- the company likely would have escaped this malady entirely. That is an unfortunate truth Mr. Frazier will need to address, with the public shareholders -- in the coming months.

But it is no reason to pull out of the Ukraine, nor to assume that no other similar attacks will be attempted (likely by Russian state actors). Or so I will guess.

Onward, with a grin -- with a barbeque, and fireworks -- with my grown California son (and girlfriend) in town (as well as my youngest), over the long holiday weekend! [May be scarce -- until Wednesday next, now.] Keep it spinning in only good karma, one and all. . . .


No comments: