evievee09 - Fotolia

NotPetya attack cost up to £15m, says UK ad agency WPP

Advertising giant was one of many companies hit in June 2017 by malware distributed through Ukrainian accounting software

UK multinational advertising and PR firm WPP is one of many companies counting the cost of a destructive cyber attack in the second quarter of 2017.

The NotPetya attack appears to have targeted mainly organisations in Ukraine, including the central bank, the Ukrenego electricity supplier, the Chernobyl nuclear power plant, and airport and metro services throughout the country.

NotPetya followed the WannaCry ransomware attacks in May 2017 and used some of the same leaked software exploits to spread, such as the EternalBlue Microsoft server message block (SMB) protocol exploit, but most security experts agree that NotPetya’s purpose appears to have been purely destructive, aimed at disrupting unpatched business systems, not at collecting ransom.

The malware was distributed through Ukrainian accounting software called MeDoc, used for filing tax returns in Ukraine. The MeDoc software contained backdoors into the networks of users of the software, which the malware used to enter via the software’s automatic update system.

However, companies outside the Ukraine were also affected, including London-headquartered WPP, US-based pharmaceutical company Merck, multinational law firm DLA Piper, Russian oil company Rosneft, Netherlands-based shipping company TNT and French construction materials company Saint-Gobain.

Danish transport and shipping giant AP Moller–Maersk is believed to have been one of the hardest hit, with a number of its IT systems forced to shut down across multiple sites and selected business units, and email systems also hit.

The attack also caused congestion at some of the 76 ports run by Maersk’s port operator arm, APM Terminals, including in Denmark, India, Spain, the US and the Netherlands.

In August, the company’s interim financial report for the second quarter of 2017 indicated that the financial impact of the attack was estimated at $200m to $300m (£222m).

The UK’s WPP got off relatively lightly, with the NotPetya attack reportedly costing it between £10m and £15m before insurance.

Although the whole company was not affected, some parts were severely hit, and remediation took up to 10 days, according to WPP chief executive Martin Sorrell.

Read more about phishing

  • Phishing is no longer just a consumer problem, say experts. The scams are hurting companies’ reputations and bottom lines.
  • Email is the number one entry point for data breaches, which includes targeted email attacks such as business email compromise and spear phishing.
  • Targeted malware attacks and social engineering schemes such as phishing and whaling pose a growing security threat because cyber criminals are getting help from unwitting users.

“We had heavy internal communications that we handled reasonably well and we learned that it was important to not try and do everything,” he told The Drum, revealing that some staff “really began to suffer” after a week of working round the clock.

The attack hit WPP around midday in the UK, which meant the company was able to respond quickly to contain its effects.

Initially, the company tried to attend to everything, but Sorrell said it became clear that that was not possible, leading the company to prioritise its remediation efforts.

In part, he attributed WPP’s success in containing and dealing with the attack to ensuring regular communication with key people from all parts of the business, from operational units to legal, PR and even clients.

The company also sought help in dealing with attack from partner technology firms, including IBM.

“Over-communicating is better than under-communication because if there is a vacuum, people see ghosts that don’t really exist,” said Sorrell. “To some extent, we’ve still got issues. Also, it acts as a catalyst. If you were doing things and doing them too slowly, you catalyse.”

The damage was also limited by the fact that WPP’s systems are not fully integrated, which meant NotPetya was not able to spread across the company’s whole IT infrastructure.

Read more about software exploits

In the wake of the attack, about 50 WPP executives met to discuss it and identify lessons learned that could be applied to avert similar attacks in future.

In recognition of the continued cyber threat, WPP plans to invest up to £15m a year on cyber security controls, but Sorrell said phishing attacks represent a huge challenge.

“It’s amazing what people do when they look at something that obviously looks as though it is a scam and it’s accepted still – it’s incredible,” he said.

Phishing attacks are highly targeted, sophisticated, hard to detect and difficult for users to avoid, with 1.39 million new phishing sites created each month, according to a September 2017 report by researchers at security firm Webroot.

Data collected by Webroot shows that the latest phishing sites use realistic web pages that are almost impossible to find using web crawlers to trick victims into providing personal and business information.

Once this data is harvested, attackers can steal digital identities to access business IT systems to steal data and compromise business email accounts in order to carry out CEO fraud attacks.

The Webroot data also shows that phishing attacks have grown at an unprecedented rate this year, with it continuing to be one of the most common, widespread security threats faced by both businesses and consumers.

Read more on Hackers and cybercrime prevention

Data Center
Data Management