After a hack, loose lips won’t sink chips
Ion Group is the latest ransomware victim to stay mum about how it was compromised. No-one benefits from this code of silence
When a company falls prey to a cyber attack, the standard response is often to clam up, say as little as possible – at least publicly – and work behind the scenes to clean up the mess.
This is the playbook Ion Group, a supplier of trading and risk management software to financial firms, followed when its servers became infected with ransomware at the end of January. After the affected services were taken offline, it took hours for some clients to confirm the cause of the outage. The lack of information frustrated customers and regulators alike and stoked fears of systemic risk.
Ion’s only public statement on the matter was a three-sentence notice posted on its website later that day confirming some of its servers had been disconnected following a cyber attack. “Further updates will be posted when available,” the note added. They weren’t.
The vacuum of information – and accountability – that typically follows a hack only feeds the problem
When the financial press began reporting on the outage on February 1, it was the US Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection that contacted journalists to assure them the situation was under control.
Ion’s communication remained limited in the days that followed. The firm held daily video calls with clients but as of last week had not revealed how the hackers infiltrated its systems, what vulnerability they exploited, or whether it paid a ransom to prevent the release of stolen data. A forensic report by CrowdStrike, the cyber security firm Ion hired to investigate the attack, is expected to be kept under wraps.
This is par for the course. Companies that fall victim to hackers often try to hide the details, either out of embarrassment or to shield themselves from legal exposure. Lawyers almost always advise clients not to release information about a cyber attack beyond what is strictly required by law. Some cyber professionals also favour secrecy, preaching the doctrine of security through obscurity, best encapsulated by the World War II military slogan, ‘loose lips sink ships’. The argument is that describing security failures makes companies more of a target for would-be attackers.
This feels wrong-headed. The vacuum of information – and accountability – that typically follows a hack only feeds the problem, making it harder for future targets to understand their vulnerabilities and craft better defences, while ensuring each fresh attack triggers the sort of chaos and confusion that benefits the hackers.
For all the mystery and intrigue surrounding the Ion incident, the firm’s clients and other sources who were involved in the episode believe this was a garden-variety ransomware attack. The hackers likely obtained access to Ion’s systems through a phishing attack, which is how the vast majority of breaches begin. Once in the network, they exploited a vulnerability in Ion’s virtualisation servers – a security flaw in VMware’s ESXi software, according to one of Ion’s clients, who claims to have the information from a contact within the vendor.
This was a known vulnerability and VMware had already issued a patch for it. Even so, cyber security authorities in France and Italy reported thousands of ransomware attacks on ESXi servers that week. Ion has not confirmed if it was among those targeted in this wave of attacks.
After locking up Ion’s systems, the hackers issued a ransom demand, which they claim was paid. Ion has not commented on the ransom. Many of the sources Risk.net spoke with suspect a payment was made at arm’s length, via a third party. The rumour among Ion’s employees is that the figure was in the region of $5 million.
Again, this is not out of the ordinary. When Colonial Pipeline, which operates the largest refined oil pipeline in the US, suffered a ransomware attack in 2021, it paid $4.4 million for a decryption key to unlock its systems. Cybersecurity experts say hackers usually settle for a fraction – 20-40% is typical – of their initial demands.
Disclosing this sort of information after a cyber attack should not be taboo. An executive at one fintech thinks full disclosure could even be an opportunity for firms such as Ion to change the narrative: “They have got caught with their pants down. It’s clear what most likely happened and they need to turn this into an education moment. This is a way they can restore reputation, stop the rot, and inform the community of the realities of ransomware, the costs and the importance of security standards and documentation.”
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@risk.net
More on Our take
Quants mine gold for new market-making model
Novel approach to modelling cointegrated assets could be applied to FX and potentially even corporate bond pricing
Thin-skinned: are CCPs skimping on capital cover?
Growth of default funds calls into question clearers’ skin in the game
Quants dive into FX fixing windows debate
Longer fixing windows may benefit clients, but predicting how dealers will respond is tough
Talking Heads 2024: All eyes on US equities
How the tech-driven S&P 500 surge has impacted thinking at five market participants
Beware the macro elephant that could stomp on stocks
Macro risks have the potential to shake equities more than investors might be anticipating
Podcast: Piterbarg and Nowaczyk on running better backtests
Quants discuss new way to extract independent samples from correlated datasets
Should trend followers lower their horizons?
August’s volatility blip benefited hedge funds that use short-term trend signals
Low FX vol regime fuels exotics expansion
Interest is growing in the products as a way to squeeze juice out of a flat market