It started without warning when the malware hit Prix Healthcare Inc.’s servers. The new strain infected the company’s systems like silent wildfire, burning through the cyber kill chain unabated. The hacker advanced easily from each step on the kill chain; he harvested enough email addresses during his reconnaissance to know all about Mark’s secret affair with a staff member, that he enjoyed a high-speed virtual private network connection to the office’s network, and that Mark maintains several personal email addresses. He weaponized his exploit of choice into an unassuming PDF (portable document format) file, and delivered the payload as an email masquerading as a legitimate corporate travel agent. A typical customized whale-phishing email attack will do the trick, the hacker’s eyes gleamed, easy peasy. The code executed after exploiting a known vulnerability, and then the malware installed on the server—the asset, lighting up his target. He knew no one in Prix had the foresight, skill, and time to hunt for abnormal outbound network activities or packets that the now-infected system will be sending to call home—and engage the next step in the chain, command and control.
During that short session, a connection was established with the infected machine and the hacker swiftly keyed in and executed a multitude of other commands through his remote command and control channel. Using the compromised machine, the attacker initiated a wave of spam emails to Prix’s clients and hijacked ongoing email conversations and existing threads of insurance agents and high-value targets—Prix’s top brass. Mimicking their tone, ensuring the people in the conversation believe they are interacting with the Prix employee they trust, the hacker sent documents where he embedded his signature trojan payload. The malware was designed to let the attacker gain access to the victim’s medical records and clear out or change details. The versatile attacker went on installing a phishing website and launched attacks against other servers. His intentions were to widely distribute the malware—his pride and joy—in the shortest time possible; and, eventually, undermine the public’s trust in the health care system to cause panic—his original goal.
The staggering amount of phishing emails sent to Prix’s health insurance clients across the nation clogged their bandwidth and rendered communications down to a trickle. Key services started to shut down. By the time Mark ordered to take their IT system offline to contain the damage, the malware had already spread to private individuals, health clinics, hospitals, government health centers, and numerous businesses covered by their SME healthcare products.
“Are you still there? I’m listening,” Mark said as he watched his wristwatch strike midnight. “Activate your CERT if you have one, but I know you don’t, so who am I kidding—call this number and drop my name, they have a team of experienced cybersecurity incident advisors and a battery of other experts who can help you respond, issue a public statement, and hopefully recover… unfortunately, it doesn’t end there, Mark.”
He resigned himself to the gravity of the facts, laid bare by his friend, that all plans for his company would have to wait, its future now was thrown into question. To resolve the matter, as told bluntly by his friend, Prix Healthcare will have to deal with compliance fines and court fees and undergo a computer forensic and investigation process.
Mark has to brace for any blowback from the public and endure reputational losses that will likely last a long time; not to mention the possible imposition of regulatory commitments, spending revenues on identity theft prevention services for his clients, taking on an incident response retainer that would be tasked to conduct regular compromise assessments, and availing of a cyber-liability insurance product to cover for potential data breaches. With the likely turnover of clients, he will be spending more on client acquisition activities in the short term to keep his company running. For Prix, the future looked bleak. Mark did not foresee that a cyber-incident can cause a disruption of this scale.
This is a work of fiction. Names, characters, businesses, places, events, locales, and incidents are either the product of the author’s imagination or used in a fictitious manner. Any resemblance to actual persons, living or dead, or actual events is purely coincidental.
The author wants to show a precautionary tale of the near future, where cyberattacks continue to dominate the news and hackers win the cyberbattle, yet again, in a highly interconnected digital market. While the government finds diplomatic ways to impose its regulatory might, small businesses struggle to cope in a regulated marketplace with steep protection rules, where the overall cost of compliance schemes represent an additional barrier to market entry. And the need to focus on the human element and how it plays a crucial role in security. The biases and the impact of decisions that shape the course of our businesses, its competitiveness and impact on society.
Paul Gonzales is a Director of the Advisory Services Division of P&A Grant Thornton. P&A Grant Thornton is one of the leading Audit, Tax, Advisory, and Outsourcing firms in the Philippines, with 21 Partners and over 900 staff members.
As published in The Manila Times, dated on 13 February 2019