An emergency announcement sent over the office PA system at the Hamburg headquarters of skin care company Beiersdorf on Tuesday ordered all employees to shut down their computers right away, bringing work to a sudden halt.
The cosmetics manufacturer, a victim of the large cyber attack that has rippled across much of the world this week, has been in a state of turmoil ever since. On Thursday, the telephone system was shut down, and all company laptops worldwide had to be switched off as production at the firm was hampered. Nobody knows exactly how thoroughly the network was compromised. Department managers have had to decide whether employees should come to work at all.
Beiersdorf is not the only company to have been hit by what is turning out to be the world’s largest cyberhack. The French bank BNP Paribas, the Russian oil group Rosneft, the international airport of Ukraine as well as Ukrainian subsidiaries of Deutsche Post and Metro were also hit.
The motive for the attack is still a mystery, according to Arne Schönbohm, president of Germany’s federal agency for information security, but the possibilities include blackmail and sabotage.
The attack involved malicious software, called ransomware, that encrypts data, thereby blocking access to it. Owners of the data are instructed to pay a ransom in order to access their files again. This is the second large-scale ransomware attack in recent weeks. About six weeks ago, a virus named “WannaCry” infected and paralyzed hundreds of thousands of computers.
But in this most recent case, it is unclear whether the attack was really motivated by blackmail, because the hackers made it easy for security experts to prevent the payment of the ransom money, using only a single email address that could be quickly blocked.
By Tuesday afternoon, email provider Posteo in Berlin had two indications that one of their email addresses was being used by criminals for ransom claims. Posteo blocked the mailbox immediately. Still, by that time, there had been no reports yet about a widespread ransomware attack, a company spokeswoman told Handelsblatt.
Those reports came quickly enough. One by one, companies began reporting that they were infected with malicious software. Their screens displayed a short, red notice on a black background: “Ooops, Your important files are encrypted,” the message read, along with instructions to pay a ransom of $300 (€262.50) per computer in Bitcoin.
According to IT security experts, this hack is based on the well-known ransomware “Petya,” which particularly affects networked computers. The offenders use a security flaw in the Windows operating system, known as “Eternal Blue,” which the “WannaCry” hack had also exploited.
Since Tuesday, the suspicion has been that the attack originated from the Ukrainian software provider Medoc, which provides financial software for companies. The hackers apparently manipulated an update of Medoc software, making the firm an unwitting distributor of the malicious software.
Many experts are skeptical that the attackers were actually motivated by ransom payments. Other than the blocked Posteo email address, there were no alternative channels to receive money or to communicate with victims, a rarity when it comes to online extortion.
The true motive remains a mystery, according to Arne Schönbohm, president of Germany’s federal agency for information security, but blackmail and sabotage are distinct possibilities, he told Handelsblatt. It is unclear, he added, whether the perpetrator was an organized criminal organization or a state actor, though both explanations have their flaws. Of the affected companies, about 60 percent come from Ukraine and 30 percent from Russia, he said. “What state would have something to gain from the attack?”
The attack could also be the work of amateurs, but experts like Gavin O’Gorman, a researcher with the IT security provider Symantec, don’t believe this explanation either. It seems likely, he said, that the attackers wanted to sow chaos. Other experts believe this attack could have been a test for an upcoming, larger attack.
“In the last few months, many cyber attacks have taken place which do not make much sense on their own,” said Marco Gercke, director of the Cybercrime Research Institute in Cologne. “It could be that they are either very amateurish or part of a larger picture that we have not yet seen.”
If the attackers were primarily interested in generating chaos, then they succeeded. Two days after the attack, Danish container giant A. P. Møller Mærsk is still suffering major disturbances in its global container trade. In many of the 59 ports operated by the Danish firm, containers could not be loaded or unloaded. Affected ports include the New York port and Europe’s largest port in Rotterdam, but also the Mærsk terminal at the Indian port of Jawaharlal Nehru. A Møller Mærsk spokeswoman could not say how long the problems will last.
“We are working with IT experts in each country and hope that we can find a solution quickly,” she said.
The Dutch express delivery company TNT’s global business has also been suffering a “significant” disturbance thanks to the cyber attack, parent company Fedex explained. The US corporation, which acquired TNT Express for €4.4 billion only a year ago, warned investors of possible economic damage as a result of the attack.
For his part, Beiersdorf CEO Stefan Heidenreich tried to be optimistic on Thursday morning. “We have already survived different phases,” he said. The damage, he added, is “still manageable.” However, he could not say when Beiersdorf will be up and running normally again.
Derk Fischer, an expert at consulting firm PwC, said it was essential for firms to assess their vulnerability before large-scale cyber attacks occur. It is “all the more important to test your own system for weaknesses before others do,” he said.
Ina Karabasz is an editor at Handelsblatt’s companies and markets team, covering telecommunications, IT and security issues. Christoph Kapalschinski covers the retail sector for Handelsblatt. Helmut Steuer is Handelsblatt’s correspondent for northern Europe. Christoph Schlautmann covers logistics for Handelsblatt.