After a hack, loose lips won’t sink chips
Ion Group is the latest ransomware victim to stay mum about how it was compromised. No-one benefits from this code of silence
When a company falls prey to a cyber attack, the standard response is often to clam up, say as little as possible – at least publicly – and work behind the scenes to clean up the mess.
This is the playbook Ion Group, a supplier of trading and risk management software to financial firms, followed when its servers became infected with ransomware at the end of January. After the affected services were taken offline, it took hours for some clients to confirm the cause of the outage. The lack of information frustrated customers and regulators alike and stoked fears of systemic risk.
Ion’s only public statement on the matter was a three-sentence notice posted on its website later that day confirming some of its servers had been disconnected following a cyber attack. “Further updates will be posted when available,” the note added. They weren’t.
When the financial press began reporting on the outage on February 1, it was the US Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection that contacted journalists to assure them the situation was under control.
Ion’s communication remained limited in the days that followed. The firm held daily video calls with clients but as of last week had not revealed how the hackers infiltrated its systems, what vulnerability they exploited, or whether it paid a ransom to prevent the release of stolen data. A forensic report by CrowdStrike, the cyber security firm Ion hired to investigate the attack, is expected to be kept under wraps.
This is par for the course. Companies that fall victim to hackers often try to hide the details, either out of embarrassment or to shield themselves from legal exposure. Lawyers almost always advise clients not to release information about a cyber attack beyond what is strictly required by law. Some cyber professionals also favour secrecy, preaching the doctrine of security through obscurity, best encapsulated by the World War II military slogan, ‘loose lips sink ships’. The argument is that describing security failures makes companies more of a target for would-be attackers.
This feels wrong-headed. The vacuum of information – and accountability – that typically follows a hack only feeds the problem, making it harder for future targets to understand their vulnerabilities and craft better defences, while ensuring each fresh attack triggers the sort of chaos and confusion that benefits the hackers.
For all the mystery and intrigue surrounding the Ion incident, the firm’s clients and other sources who were involved in the episode believe this was a garden-variety ransomware attack. The hackers likely obtained access to Ion’s systems through a phishing attack, which is how the vast majority of breaches begin. Once in the network, they exploited a vulnerability in Ion’s virtualisation servers – a security flaw in VMware’s ESXi software, according to one of Ion’s clients, who claims to have the information from a contact within the vendor.
This was a known vulnerability and VMware had already issued a patch for it. Even so, cyber security authorities in France and Italy reported thousands of ransomware attacks on ESXi servers that week. Ion has not confirmed if it was among those targeted in this wave of attacks.
After locking up Ion’s systems, the hackers issued a ransom demand, which they claim was paid. Ion has not commented on the ransom. Many of the sources Risk.net spoke with suspect a payment was made at arm’s length, via a third party. The rumour among Ion’s employees is that the figure was in the region of $5 million.
Again, this is not out of the ordinary. When Colonial Pipeline, which operates the largest refined oil pipeline in the US, suffered a ransomware attack in 2021, it paid $4.4 million for a decryption key to unlock its systems. Cybersecurity experts say hackers usually settle for a fraction – 20-40% is typical – of their initial demands.
Disclosing this sort of information after a cyber attack should not be taboo. An executive at one fintech thinks full disclosure could even be an opportunity for firms such as Ion to change the narrative: “They have got caught with their pants down. It’s clear what most likely happened and they need to turn this into an education moment. This is a way they can restore reputation, stop the rot, and inform the community of the realities of ransomware, the costs and the importance of security standards and documentation.”