Can Cyber Threats Cripple The Operations of Companies?


Can Cyber-attacks cripple the operation of Companies?

Shreyasi Hatwalne
ROLL NO: 1813080 | DEPARTMENT: EXTC , CYBER SECURITY DIVISION: 2 |
DATE:15/10/2020 |CYBER SECURITY (OET) IA TASK 1 (2020-21 ODD TERM) |

Assigned Topic: “Can Cyber-attacks cripple the operation of Companies?”

INDEX
1. Introduction
2. What is a Cyber Attack?
3. What does crippling the operations of a company mean?
4. Case Studies
5. Conclusion
6. References

Introduction

Can cyber-attacks cripple the operations of companies? The question seems obvious in
today’s connected world. Companies are more connected than ever. More tasks are
conducted by machines than by humans. Simple tasks like proofreading a document,
sending an email, checking inventory, tracking employee performance, and conducting
market research, along with numerous other essential business functions, are now
automated or conducted by machines. Then isn’t a cyber-attack the most obvious
and the biggest risk? In hindsight, it does look obvious, but it isn’t the case. Multinational
companies have lost money because of it. Later in this project, we will look at
examples.

Last year, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion
annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of
economic wealth in history, risks the incentives for innovation and investment, and will
be more profitable than the global trade of all major illegal drugs combined.
$6 trillion! That’s more than the 3rd largest economy in the world, Japan ($5.15 trillion).
This literature review is organized as follows: we will first understand what exactly we
mean by a cyber-attack, then define what crippling the operations of a company means,
and finally look at real-life case studies and conclude the review.

[Figure: outline of the review: What is a cyber attack? / What does crippling the
operations of a company mean? / Case Studies / Conclusion]

What is a Cyber Attack?

The “National Counterintelligence and Security Center” of the United States of America
defines a cyber-attack as “An attack, via cyberspace, targeting an enterprise’s use of
cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling
a computing environment/infrastructure; or destroying the integrity of the data or stealing
controlled information.”
In crude terms, it is an attempt to harm your computer, predominantly for two reasons.
First, the attackers want to harm you on purpose. Second, they want to extort money.
How would the attackers do that? There are various ways, as follows:

[Figure: Types of cyber attacks: Malware, Phishing, SQL Injection, Denial-of-Service
(DoS), Cross-Site Scripting (XSS)]

1. Malware
If you've ever seen an antivirus alert pop up on your screen, or if you've mistakenly
clicked a malicious email attachment, then you've had a close call with malware.
Attackers love to use malware to gain a foothold in users' computers—and,
consequently, the offices they work in—because it can be so effective.
“Malware” refers to various forms of harmful software, such as viruses and ransomware.
Once malware is in your computer, it can wreak all sorts of havoc, from taking control of
your machine to monitoring your actions and keystrokes to silently sending all sorts of
confidential data from your computer or network to the attacker's home base.
Attackers will use a variety of methods to get malware into your computer, but at some
stage, it often requires the user to take an action to install the malware. This can include
clicking a link to download a file, or opening an attachment that may look harmless (like
a Word document or PDF attachment), but actually has a malware installer hidden
within.

My Experience
One example we all have experienced would be the Fake UC Browser. In an attempt to
download copyrighted songs for free, I searched download wyx song free. I clicked the
very first link. I followed all the instructions. The outcome was a failure. It redirected me
to a website with popups claiming I have malware and I need to download UC Browser
to stay safe. I was surprised back then to see a popup from a reputed browser.

Subsequently, the app was removed from the Google app store for trying to steal users’
data. It has now returned albeit with a different configuration. Edward Snowden, the
acclaimed computer security consultant, showed that the browser was selling its users’
data.

2. Phishing
Of course, chances are you wouldn't just open a random attachment or click on a link in
any email that comes your way—there has to be a compelling reason for you to take
action. Attackers know this, too. When an attacker wants you to install malware or
divulge sensitive information, they often turn to phishing tactics or pretending to be
someone or something else to get you to take an action you normally wouldn’t. Since
they rely on human curiosity and impulses, phishing attacks can be difficult to stop.

In a phishing attack, an attacker may send you an email that appears to be from
someone you trust, like your professor or a distant relative. The email will seem
legitimate, and it will have some urgency to it (e.g. fraudulent activity has been detected
on your account). In the email, there will be an attachment to open or a link to click.
Upon opening the malicious attachment, you’ll thereby install the malware on your
computer. If you click the link, it may send you to a legitimate-looking website that asks
for you to log in to access an important file—except the website is a trap used to capture
your credentials when you try to log in.
Gmail, the most widely used email platform, has a built-in spam detector that filters out
phishing emails.

3. SQL Injection Attack


SQL (pronounced “sequel”) stands for structured query language; it’s a programming
language used to communicate with databases. Many of the servers that store critical
data for websites and services use SQL to manage the data in their databases. A SQL
injection attack specifically targets this kind of server, using malicious code to get the
server to divulge information it normally wouldn’t. This is especially problematic if the
server stores private customer information from the website, such as credit card
numbers, usernames, and passwords (credentials), or other personally identifiable
information, which are tempting and lucrative targets for an attacker.

An SQL injection attack works by exploiting any one of the known SQL vulnerabilities
that allow the SQL server to run malicious code. For example, if a SQL server is
vulnerable to an injection attack, it may be possible for an attacker to go to a website's
search box and type in code that would force the site's SQL server to dump all of its
stored usernames and passwords for the site.

SQL Injection attacks mostly affect companies and not individuals. In the later part of the
project, we will see how companies had to face the wrath of hackers.
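
The search-box scenario described above can be reproduced safely against an in-memory database. The following is an added example, not part of the original report: the table, its rows, the function names and the sample input are all constructed for illustration. It places the weak query-building pattern beside the parameterized form that prevents the injection.

```python
import sqlite3

# Constructed search-box input: the quote characters close the string literal
# early and add a second condition to the WHERE clause.
CONSTRUCTED_INPUT = "' OR name LIKE '"


def make_db():
    """Build an in-memory catalogue; every row is constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, listed INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("red kettle", 1), ("blue kettle", 1), ("staff-only sample", 0)],
    )
    return db


def search_concatenated(db, term):
    # Weak pattern: the search text becomes part of the SQL statement itself,
    # so quotes inside it can change the structure of the query.
    sql = ("SELECT name FROM products WHERE listed = 1 AND name LIKE '%"
           + term + "%' ORDER BY name")
    return [row[0] for row in db.execute(sql)]


def search_parameterized(db, term):
    # Hardened pattern: the statement text is fixed and the search text is
    # bound as a value, so the database never parses it as SQL.
    sql = ("SELECT name FROM products WHERE listed = 1 AND name LIKE ? "
           "ORDER BY name")
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    for label, search in (("concatenated", search_concatenated),
                          ("parameterized", search_parameterized)):
        print(label, "normal :", search(db, "kettle"))
        print(label, "crafted:", search(db, CONSTRUCTED_INPUT))
```

With the concatenated query the crafted input also returns the unlisted row; with the bound parameter it is only an odd search string that matches nothing.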

4. Cross-Site Scripting (XSS)

To understand the Cross-site Scripting vulnerability, you first have to understand the
basic concept of the Same Origin Policy (SOP), which forbids a web application from
retrieving content from pages with another origin. Because access to cross-origin
content is forbidden, random websites cannot read or modify data from your Facebook
page or PayPal account while you are logged in to them.

SOP is one of the most important security principles in every web browser.
For example, the page https://example.com/index.html can access content from
https://example.com/about.html while https://attacker.com/index.html cannot access
content from https://example.com/about.html.

Cross-site Scripting, also known as XSS, is a way of bypassing the SOP concept in a
vulnerable web application. Whenever HTML code is generated dynamically, and the
user input is not sanitized and is reflected on the page, an attacker could insert his own
HTML code. The web browser will still render that code, since it appears to belong to the
website where it is injected.

In such a case an attacker can easily insert JavaScript code which would run under the
site's context. By doing so the attacker can access other pages on the same domain and
can read data like CSRF-Tokens or the set cookies.
If the cookies, which typically contain session identifier information, can be read by the
client-side JavaScript code, the attacker can use them on his browser and log in to the
web application as the victim. If that does not work, the attacker can still read private
information from the pages, such as CSRF tokens, and make requests on behalf of
the user.
Cross-site scripting attacks can significantly damage a website’s reputation by placing
the users' information at risk without any indication that anything malicious even
occurred. Any sensitive information a user sends to the site—such as their credentials,
credit card information, or other private data—can be hijacked via cross-site scripting
without the website owners realizing there was even a problem in the first place.
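
The two defensive controls implied by this section are encoding user input before it is reflected into HTML, and keeping the session cookie out of reach of client-side JavaScript. The following is an added example, not part of the original report: the page template, function names, cookie name and sample values are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed page template and constructed input containing markup.
PAGE = "<html><body><p>Results for: {query}</p></body></html>"
SAMPLE_INPUT = "<script>/* constructed marker */</script>"


def render_reflected_raw(query):
    # Weak pattern: the input is reflected as-is, so any markup in it becomes
    # part of the page and runs in the site's own origin.
    return PAGE.format(query=query)


def render_reflected_encoded(query):
    # Hardened pattern: < > & " ' are turned into entities, so the browser
    # displays the text instead of parsing it as tags. This encoding fits
    # HTML body and quoted-attribute contexts, not script or URL contexts.
    return PAGE.format(query=html.escape(query, quote=True))


def session_cookie_header(session_id):
    # HttpOnly stops client-side JavaScript from reading the cookie, which
    # limits what an injected script can take; Secure and SameSite restrict
    # when the browser sends it at all.
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()


if __name__ == "__main__":
    print(render_reflected_raw(SAMPLE_INPUT))
    print(render_reflected_encoded(SAMPLE_INPUT))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```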

5. Denial-of-Service (DoS)

Imagine you're sitting in traffic on a one-lane road, with cars backed up as far as the eye
can see. Normally this road never sees more than a car or two, but Navratri celebrations
and a crowded wedding have ended around the same time, and this road is the only way
for visitors to leave that area. The road can't handle the massive amount of traffic, and
as a result, it gets so backed up that pretty much no one can leave.
That's essentially what happens to a website during a denial-of-service (DoS) attack. If
you flood a website with more traffic than it was built to handle, you'll overload the
website's server and it'll be nigh-impossible for the website to serve up its content to
visitors who are trying to access it.
This can happen for innocuous reasons, of course, say if a massive news story breaks
and a newspaper's website gets overloaded with traffic from people trying to find out
more. But often, this kind of traffic overload is malicious, as an attacker floods a website
with an overwhelming amount of traffic to essentially shut it down for all users.
In some instances, these DoS attacks are performed by many computers at the same
time. This scenario is known as a Distributed Denial-of-Service (DDoS) attack.
This type of attack can be even more difficult to overcome because the attacker appears
from many different IP addresses around the world simultaneously, making it even more
difficult for network administrators to determine the source of the attack.
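
Why a distributed flood is harder to pin on a source can be seen by analysing access logs per time window. The following is an added example, not part of the original report: the log format, thresholds, function names and all traffic are constructed for illustration, and the addresses come from documentation ranges.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 10     # assumed length of one analysis window
PER_SOURCE_LIMIT = 20   # assumed per-address request limit per window
TOTAL_LIMIT = 200       # assumed capacity of the site per window


def parse(line):
    """Split a constructed log line '<ISO time> <source ip> <request>'."""
    stamp, source, _request = line.split(" ", 2)
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    when = when.replace(tzinfo=timezone.utc)
    return int(when.timestamp()) // WINDOW_SECONDS, source


def analyse(lines):
    """Per window: sources over the per-address limit, and total vs capacity."""
    windows = defaultdict(Counter)
    for line in lines:
        window, source = parse(line)
        windows[window][source] += 1
    report = []
    for window in sorted(windows):
        counts = windows[window]
        total = sum(counts.values())
        report.append({
            "sources": len(counts),
            "total": total,
            "noisy_sources": sorted(
                s for s, n in counts.items() if n > PER_SOURCE_LIMIT),
            "overloaded": total > TOTAL_LIMIT,
        })
    return report


def sample(sources, requests_each, second):
    """Constructed traffic: each source sends requests_each requests."""
    stamp = f"2020-10-15T10:00:{second:02d}Z"
    return [f"{stamp} {ip} GET /" for ip in sources
            for _ in range(requests_each)]


# One loud address plus a normal visitor, versus 100 quiet addresses.
SINGLE_SOURCE = sample(["192.0.2.10"], 300, 1) + sample(["198.51.100.7"], 3, 2)
DISTRIBUTED = sample([f"203.0.113.{i}" for i in range(1, 101)], 3, 1)

if __name__ == "__main__":
    print("single source:", analyse(SINGLE_SOURCE))
    print("distributed  :", analyse(DISTRIBUTED))
```

Both samples push the window over capacity, but only the single-source flood produces an address that a per-source limit can flag; the distributed one needs aggregate monitoring and upstream filtering.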

What does crippling the operations of a company mean?

The word crippling means “causing serious injuries or harm” as per the Cambridge
Dictionary. In this literature review’s context, it means that a company has to shut its
shop for a considerable amount of time due to a cyber-attack. The examples given below
will give a clear idea.

Example 1
A supermarket chain is unable to function for 3 days as a cyber attack corrupted all
software in all devices of the store. Even cameras were targeted to show the same video
on a loop. The inventory management software does the opposite of the command
entered. Names and contact details of regular customers are leaked online. This leads to
a hefty monetary loss. For 2 days it could not function. Some customers are lost forever
due to the reputational damage. The chain has to pay compensation to the customers.

Example 2
A mining company uses proprietary software to automate the extraction process.
Malware introduced into the system due to poor internal controls changes the key inputs,
leading to a serious mishap. 100s die and the company loses its reputation. The stock
price crashes, followed by a class-action lawsuit against the company for poor labor
management.

Example 3
A reputed asset management company uses the Bloomberg Terminal for its research
and operations. The CEO ignores the repeated demands for the renewal of the software
and instead suggests a pirated copy. The pirated copy has malware in it. It tracks all of the
company’s actions. The edge the company had, which it used to generate superior returns,
is now known to a third party. The company’s returns diminish and it loses its AUM, leading
to a reduction in profits.

Case Studies

WannaCry ransomware attack

The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the
WannaCry ransomware cryptoworm, which targeted computers running the Microsoft
Windows operating system by encrypting data and demanding ransom payments in the
Bitcoin cryptocurrency. It propagated through EternalBlue, an exploit discovered by the
United States National Security Agency (NSA) for older Windows systems. EternalBlue
was stolen and leaked by a group called The Shadow Brokers at least a year before the
attack. While Microsoft had released patches previously to close the exploit, much of
WannaCry's spread was from organizations that had not applied these or were using
older Windows systems that were past their end-of-life. These patches are imperative to
an organization's cyber-security but many were not applied because of needing 24/7
operation, risking having applications that used to work break, inconvenience, or other
reasons.

The attack was halted within a few days of its discovery due to emergency patches
released by Microsoft and the discovery of a kill switch that prevented infected
computers from spreading WannaCry further. The attack was estimated to have affected
more than 200,000 computers across 150 countries, with total damages ranging from
hundreds of millions to billions of dollars. Security experts believed from preliminary
evaluation of the worm that the attack originated from North Korea or agencies working
for the country.

A new variant of WannaCry forced Taiwan Semiconductor Manufacturing Company
(TSMC) to temporarily shut down several of its chip-fabrication factories in August 2018.
The virus spread to 10,000 machines in TSMC's most advanced facilities. The disruption
appears to have had a dramatic effect on the company’s financial performance, with a
two-percent drop in its third-quarter revenue — to the tune of about $170 million.

List of Organizations affected by the Malware:

Credits: Wikipedia Link

Sony Pictures Hack

On November 24, 2014, a hacker group which identified itself by the name "Guardians of
Peace" leaked a release of confidential data from the film studio Sony Pictures. The data
included personal information about Sony Pictures employees and their families, e-mails
between employees, information about executive salaries at the company, copies of
then-unreleased Sony films, plans for future Sony films, scripts for certain films, and
other information. The perpetrators then employed a variant of the Shamoon wiper
malware to erase Sony's computer infrastructure.
During the hack, the group demanded that Sony withdraw its then-upcoming film The
Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un, and
threatened terrorist attacks at cinemas screening the film. After many major U.S. cinema
chains opted not to screen The Interview in response to these threats, Sony elected to
cancel the film's formal premiere and mainstream release, opting to skip directly to a
downloadable digital release followed by a limited theatrical release the next day.
United States intelligence officials, after evaluating the software, techniques, and
network sources used in the hack, alleged that the attack was sponsored by the
government of North Korea, which has since denied all responsibility.

2013 South Korea cyberattack

On 20 March 2013, three South Korean television stations and a bank suffered from
frozen computer terminals in a suspected act of cyberwarfare. ATMs and mobile
payments were also affected. The South Korean communications watchdog, the Korea
Communications Commission, raised their alert level on cyber-attacks to three on a
scale of five. North Korea has been blamed for similar attacks in 2009 and 2011 and was
suspected of launching this attack as well. This attack also came at a period of elevated
tensions between the two Koreas, following Pyongyang’s nuclear test on 12 February.
South Korean officials linked the incident to a Chinese IP address, which increased
suspicion of North Korea as "intelligence experts believe that North Korea routinely uses
Chinese computer addresses to hide its cyber-attacks."

The attacks on all six organizations were derived from one single entity. The networks
were attacked by malicious code, rather than distributed denial-of-service (DDoS)
attacks as suspected at the beginning. It appeared to have used only hard drive
overwrites.[4] This cyberattack “damaged 32,000 computers and servers of media and
financial companies.” The Financial Services Commission of South Korea said that
Shinhan Bank reported that its Internet banking servers had been temporarily blocked
and that Jeju Bank and NongHyup reported that operations at some of their
branches had been paralyzed after computers were infected with viruses and their files
erased. Woori Bank reported a hacking attack but said it had suffered no damage.
Computer shutdowns also hit companies including the Korean Broadcasting System,
Munhwa Broadcasting Corporation, and YTN.[6]

This cyberattack “caused US$750 million in economic damage alone.”

Shamoon
Shamoon is a modular computer virus that was discovered in 2012, targeting then-recent
32-bit NT kernel versions of Microsoft Windows. The virus was notable due to the
destructive nature of the attack and the cost of recovery. Shamoon can spread from an
infected machine to other computers on the network. Once a system is infected, the
virus continues to compile a list of files from specific locations on the system, upload
them to the attacker, and erase them. Finally, the virus overwrites the master boot record
of the infected computer, making it unusable.

The virus was used for cyber warfare against national oil companies including Saudi
Arabia's Saudi Aramco and Qatar's RasGas. A group named "Cutting Sword of Justice"
claimed responsibility for an attack on 35,000 Saudi Aramco workstations, causing the
company to spend more than a week restoring their services. The group later indicated
that the Shamoon virus had been used in the attack. Computer systems at RasGas were
also knocked offline by an unidentified computer virus, with some security experts
attributing the damage to Shamoon. It was later described as the "biggest hack in history."

Conclusion

The case studies prove one thing. Cybercrime is an organized business. Any Tom,
Dick, or Harry cannot cause damage at such a high scale. A study from MIT states that
cybercrime is one of the most organized illicit businesses today. Hackers follow a
systematic approach to find target companies and exploit weaknesses.

It is a well-funded “business”. The attackers have a monetary motive in the majority of
cases. It is either direct, through ransom, or indirect, by causing losses to the victim. We
noticed how governments are using cyber warfare to further their political ambitions.

Coming to the main point of this literature review. Do attacks like these affect
companies? How long does it take to recover? Empirical evidence suggests that a
temporary effect is obvious. However, companies do recover from it. Saudi Aramco in
our case study lost 50,000 hard drives due to the ransomware attack. It produces 10% of
the global oil output. It needs hard disks. They hired private planes and flew to Southeast
Asia to buy hard drives directly from the manufacturers. They hired top security
consultants and revamped their internal controls to combat the risks. They recovered!

Even in the case of Sony, they are still active today. The dark past stands far away from
the present. Sony Pictures is still one of the world’s largest production companies.

TSMC too is still a dominant player in the South Asian semiconductor market.

One logical argument is that these were multinational companies with fat wallets, hence
it was easier for them to recover. That is true. The economic cost is high. The operational
upgrade also required management efficiency.

Companies that are unable to bear the cost of the revamp will eventually go under. An
example would be Code Spaces, which was a source code hosting service offering a
suite of project management tools to its users. It had to shut down in the wake of a
devastating hack which wiped away a vast amount of data, backups, machine
configurations, and offsite backups. This happened when the attacker initiated a DDoS
attack accompanied by an intrusion into Code Spaces’ Amazon EC2 control panel. Even
after the attack, the company was unable to resolve the issue and refund the customers
who were left without the service they paid for. This led to huge damage to the
company’s credibility and financial position in the market, and eventually a complete
shutdown of its services.

Another set of data from Cyber Crime Magazine suggests that 60 percent of small
companies go out of business within six months of falling victim to a data breach or
cyber-attack.

My Personal Experience
A friend of mine is an aspiring Chartered Accountant. She is currently pursuing her
mandatory apprenticeship in a medium-sized firm. An unfortunate incident wiped off their
entire clientele. The firm was reluctant to use official Windows. They used pirated
Windows. Despite having antivirus software, their data was breached and the clients’
details were leaked. A major client of theirs, a real estate company, filed a suit against
the firm for reckless handling of sensitive data. Not only did they have to pay
compensation, the reputational damage literally knocked off years of hard work. From
having revenues of 9 crores per year to a mere 50 lacs!

All of this can be avoided by adopting some simple measures like:


1. Migrate to a Modern Operating System
2. Install a Security Suite
3. Protect Passwords
4. Update Software from Trusted Sources


References

• Cybercrime in the Corporate Sector, by Savitha Kesav Jagadeesan of Kochhar & Co,
  Chennai, India. Published in 2012.

• Why big corporates need to fight off cyber-attacks, by the Economic Times.

• Equifax Data Breach summary, by epic.org.

• Why Cyber Crime is Targeted at Small Businesses, by smallbiztrends.com.

• Systematically Understanding the Cyber Attack Business: A Survey, by Keman Huang,
  Michael Siegel, and Stuart Madnick.

• Cyber-crime, securities markets and systemic risk.

• The impact of cybercrime on businesses: A novel conceptual framework and its
  application to Belgium.

• The impact of cybersecurity on small business.

• Cyber Security Basics.
