But the damage was not limited to Maersk — NotPetya infected companies around the world, from Germany to the United States to Tasmania, at blinding speed. It took just 45 seconds for NotPetya to bring down the network of a large Ukrainian bank. A portion of one major Ukrainian transit hub was fully infected in 16 seconds. Practically every federal agency in Ukraine was brought to a standstill. The total damage was estimated at more than $10 billion. Attacks in the cloud Destructive attacks are by no means limited to on-premises IT environments, though not all of the incidents in the cloud to date involve malware with creative monikers. For instance, in 2014, IaaS provider Code Spaces went out of business after suffering a multistage attack on its servers; most of the company’s data, backups, machine configurations and offsite backups were partially or completely deleted. More recently, in February of 2019, hackers breached email provider VFEmail and formatted all the disks on every file and backup server in its U.S. infrastructure, destroying all the email data for its U.S. customers. The attackers also went after the company’s IT resources in the Netherlands but were caught in the act, which enabled the company to salvage some of its backup data. Still, the attack erased virtually the company’s entire infrastructure within just a few hours. The company expected to fold but it is still clinging to life. THE MOTIVES BEHIND DESTRUCTIVE ATTACKS Traditional attacks are typically motivated by financial reasons — for example, getting payment in exchange for the decryption key in a ransomware attack, obtaining PII or PHI that can be used for identity theft or sold on the black market, or harvesting user credentials that can be used in future attacks that yield financial gain. Destructive attacks generally have an entirely different set of motivations, including the following: • Political motives — Hacking by nation states is increasing. For example, experts believe that Stuxnet was developed jointly by the U.S. and Israel to disrupt 3 Iran’s nuclear program, and that NotPetya was a politically motivated attack against Ukraine. Some believe the 2012 Shamoon attack was part of Iran’s retaliation for U.S. involvement in Stuxnet. Statesponsored hackers are typically both highly skilled and well funded, so their attacks can be particularly devastating. • Social motives — Some attacks are rooted in a desire for social change. Often dubbed “hacktivists,” these groups often engineer denial of service (DoS) attacks against organizations they believe oppose their ideologies. For example, the hacktivist group Anonymous is perhaps best known for its 2010 DoS campaign that brought down PayPal.com and disrupted the sites of Visa and MasterCard in retaliation for those companies cutting off service to Wikileaks as required by the U.S. government. • Revenge — At the opposite end of the spectrum is the disgruntled insider. For example, in early 2002, Roger Duronio, an IT admin at UBS Paine Webber, allegedly crafted a logic bomb and deployed it to thousands of systems using standard Unix admin tools. Then he quit and walked straight to his broker’s office to place $21K in orders shorting UBS/PW stock. When the logic bomb went off a few weeks later, it brought down some 2,000 servers and deleted all the files on them. The damage was so severe that employees had to resort to pen and paper to conduct trades and other business. The company spent $3 million in consulting fees alone to get systems restored. Duronio’s motivation? He was apparently disappointed with his bonus, which was $18K short of the $50K he was expecting. In a Windows environment, it’s arguably even easier for a disgruntled privileged user to wreak havoc — all they have to do it take down Active Directory. If your AD is down, your entire network is down, even if there’s nothing wrong with any of your servers or applications. • Smoke screen — Increasingly often, hackers pair an attack designed to steal information with a destructive attack in order to cover their tracks. The destructive attack can hamper forensic investigations, making it difficult to identify the attackers, thereby preventing prosecution and protecting their modus operandi so they can continue using the same techniques in the future. For example, the Olympic Destroyer malware paralyzed IT systems ahead of the official opening ceremonies for the 2018 Winter Olympics in South Korea. But Olympic Destroyer covered its tracks so effectively that when it NotPetya brought down the network of a large Ukrainian bank in just 45 seconds. The total damage worldwide from the 2017 attack is estimated at more than $10 billion. resurfaced later that year, targeting both financial organizations and biological and chemical threat prevention laboratories, researchers couldn’t be sure whether it was being used by the same group or other groups with different interests. • Collateral damage — Not all victims of destructive attacks are specifically targeted; some are merely collateral damage. For example, the architects of the NotPetya attack were clearly targeting Ukraine — estimates indicate that 80% of all infections were in that country — but companies around the world, including Maersk, suffered staggering damage. METHODOLOGY As we have seen, destructive attacks take a variety of shapes. Some involve malware or viruses, while others rely on brute force. Some try to erase data, while others seek to cause physical damage. Let’s dig a little deeper into how they unfold. Any organization can be the target of a destructive attack — or simply collateral damage from an attack targeting somebody else. Initial access Usually, the first step in an attack is getting access to your network. You’re probably familiar with many of the techniques, such as those listed below. It’s important to emphasize that destructive attacks do not target just computers, such as workstations and servers; your attack surface also includes your IoT devices, routers and more. • Phishing — Shamoon entered Saudi Aramco’s network when an employee on the Information Technology team opened a malicious phishing email. • Backdoor — A backdoor in the update software for a third-party business software solution enabled attackers to release NotPetya at Maersk and other organizations around the globe. • Infected USB device — Since the Iranian nuclear facilities are not connected to the internet, Stuxnet had to be introduced through a physical USB device, either deliberately or accidentally. • Software vulnerabilities — One technique used in the NotPetya attack, as well as in the WannaCry ransomware attack in 2017, was a penetration tool known as EternalBlue, created by the U.S. National Security Agency but leaked in a disastrous breach. EternalBlue takes advantage of a vulnerability in a particular Windows protocol, allowing hackers free rein to remotely run their own code on any unpatched machine. • Wi-fi or transmitter hijacking — In 2015, the makers of the Jeep Cherokee were forced to recall 1.4 million vehicles after researchers demonstrated that they could remotely hijack the car’s systems over the internet; attackers could potentially take control of a vehicle’s door locks, brakes, engine or autonomous driving features. Similarly, the FDA confirmed that certain implantable cardiac devices have vulnerabilities that could allow a hacker to deplete the battery or administer incorrect pacing or shocks. • Vulnerabilities in IoT devices — In October of 2016, the largest DDoS attack ever took down huge portions of the internet, including Twitter, Netflix, Reddit and CNN, by hitting a service