In November 2023, aerospace heavyweight Boeing volunteered to publicly share the details of how it was hit by ransomware – including the “indicators of compromise” (IOCs) that would allow other potential victims to threat-hunt for similar hallmarks of the attackers, and work to shore up the security of their IT estates. 

The same threat group, LockBit 3.0, had also brought the UK’s Royal Mail to a virtual standstill (“machines wake up and start spitting out a ransomware note on the local printers, and one of the members of staff photographs it and puts it on Twitter” was how that unfolded, as its then-CISO recalled ruefully this month) and also dramatically hit the US branch of the world's largest bank, China’s ICBC.

Boeing had been hit with a record $200 million ransom demand after its global parts and distribution business was disrupted by the attack. (It’s well established now that depending on the extent of damage, ransomware attacks can get immensely costly, e.g. the $1.6 billion impact on Change Healthcare, the $60 million impact on Expeditors, or the £4.5 million impact on Southern Water.)

But with support from agencies like the US’s CISA, Boeing opted to try to help a community of IT and cybersecurity professionals avoid the same pain, by sharing details as widely as possible. 

(Few organisations can match the openness of the Danish hotel software firm Techotel, which in 2021 chaotically live-blogged its response to a ransomware attack, detailing, among other headaches, its challenges persuading its AML-concerned bank to give it money to buy Bitcoin to pay the “bandits” a ransom…)

A common thread?

The Boeing attackers had exploited a critical vulnerability in Citrix network gateways – a bug dubbed “Citrix Bleed” that triggered “13 separate nationally significant incidents” in 2023 requiring the intervention of the UK’s National Cyber Security Centre (NCSC). 

“Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access,” a security advisory from a series of cybersecurity and law enforcement agencies said, with then-CISA Director Jen Easterly adding that Boeing had provided “key detail” for the report in a “terrific example of operational collaboration.”

Strikingly, the November 22, 2023 advisory (replete with incident input from the aerospace firm) came just 21 days after Boeing first publicly acknowledged the security incident. 

It could, as security researcher Kevin Beaumont commented at the time, have been “a seminal moment in the fight against ransomware. Don’t cover it up; talk about it and fight back together, stronger,” as he put it, calling for a “culture reboot.”

Two years later… 

But as a trio of high-profile British retailers fight disruption widely reported to have been caused by ransomware, two years after those incidents there is little sign of cultural change, and certainly none of the openness that Boeing demonstrated. 

Marks & Spencer, Harrods, and the Co-op have all seen significant operational disruption due to “cyber incidents”.

But M&S’s public update on the incident is 117 words of vacuous verbiage, mostly apologies to customers. The most technical it gets? “Our experienced team - supported by leading cyber experts - is working extremely hard to restart online and app shopping”, it says, having first reported issues over the Easter weekend. 

Incident response (IR) professionals will, no doubt, be deeply sympathetic. The companies, they will say, are mid-response to an unfolding incident. The fog of war will prevail; the initial threat vector may still be unknown; lawyers and communications professionals will be massaging every statement; and certain helpful information may already have been shared with cybersecurity peers via closed channels and forums (which are, by nature, challengingly exclusive).

Indeed, the NCSC said in a May 4 advisory on the retail attacks that “we are… sharing what we know with the companies involved and the wider sector (through our sector-focussed Trust Groups run by the NCSC), and encouraging companies to share their experiences and mitigations with each other.”

“Sunlight is the best of disinfectants”

Yet it is notable how ransomware, and cybersecurity incidents in general, still appear to be treated by most companies almost as if they had contracted a sexually transmitted infection (STI). The word “virus” may be bandied about; they seem to feel dirty; the view appears to be that only the doctor should know about it; their partner might sue them or at least reject them. 

Publicly educating others? Destigmatising cyber/sexual hygiene?  

That’s not on the agenda. And that’s damaging. 

Here’s the National Library of Medicine’s take on sunlight being the best disinfectant: “STIs have been shrouded in shame, embarrassment, and discrimination, creating stigma with serious consequences at both the societal and individual levels… societal stigma shapes individuals’ willingness and knowledge about whether, how, and where to seek information about and screening for STIs. This may lead to failure to seek recommended screening or vaccination and delays in diagnosis and treatment, resulting in negative health outcomes and the risk of ongoing STI transmission.”

The metaphor doesn’t need flogging any harder.

Keeping schtum

Yet as Marks & Spencer, Harrods, and the Co-op all grapple with their respective incidents, a new public post by the NCSC on the attacks is broadly helpful and certainly deserves close reading by information security professionals, but it is also bereft of IOCs or other public detail that others could act on.

The agency, of course, can only do as much as those it is seeking to help will feel confident about sharing. 

It does seem clear that social engineering was central to the attacks.

And the NCSC’s National Resilience Director, Jonathon Ellison, and Chief Technology Officer, Ollie Whitehouse, have six core bits of guidance to help reduce the risk of falling victim to “rampant” attacks.

As they put it in their joint May 4 blog:

Ensure 2-step verification (multi-factor authentication) is deployed comprehensively  
Enhance monitoring against unauthorised account misuse; for example, looking for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts have been flagged as potentially compromised due to suspicious activity or unusual behaviour, especially where the detection type is 'Microsoft Entra Threat intelligence' 
Pay specific attention to Domain Admin, Enterprise Admin, Cloud Admin accounts, and check if access is legitimate 
Review helpdesk password reset processes, including how the helpdesk authenticates staff members' credentials before resetting passwords, especially those with escalated privileges 
Ensure your security operations centres can identify logins from atypical sources such as VPN services in residential ranges through source enrichment and similar
Ensure that you have the ability to consume techniques, tactics and procedures sourced from threat intelligence rapidly whilst being able to respond accordingly.
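As an added illustration (not code from the NCSC post or from this article), the second, third and fifth recommendations above can be combined in a small triage pass over sign-in logs: enrich each event's source IP against an IP-intelligence table, keep the identity provider's own risk verdict, and escalate anything that touches a privileged role from outside corporate egress. The log records, the IP ranges, the category labels, the role names and the enrichment table below are all constructed for the example; real Entra ID sign-in logs carry many more fields, and the enrichment data would come from a commercial or open IP-reputation feed.

```python
"""Source enrichment and triage of sign-in events (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed enrichment table: (network, category). In practice this comes
# from an IP-intelligence feed that tags ASN type and proxy/VPN usage.
IP_CATEGORIES = [
    (ipaddress.ip_network("203.0.113.0/24"), "corporate_egress"),
    (ipaddress.ip_network("198.51.100.0/25"), "residential_vpn"),  # hypothetical residential proxy pool
    (ipaddress.ip_network("192.0.2.0/24"), "datacenter_vpn"),
]

# Roles that warrant review on any anomalous sign-in (names assumed).
PRIVILEGED_ROLES = {"Global Administrator", "Domain Admins", "Enterprise Admins"}

# Constructed sign-in records, shaped like a subset of Entra ID sign-in log fields.
SIGN_INS = [
    {"user": "alice@example.com", "ip": "203.0.113.45", "risk_level": "none",
     "risk_detail": "none", "roles": []},
    {"user": "bob@example.com", "ip": "198.51.100.17", "risk_level": "medium",
     "risk_detail": "Microsoft Entra threat intelligence", "roles": ["Global Administrator"]},
    {"user": "carol@example.com", "ip": "198.51.100.90", "risk_level": "none",
     "risk_detail": "none", "roles": []},
    {"user": "dave@example.com", "ip": "192.0.2.8", "risk_level": "low",
     "risk_detail": "unfamiliarFeatures", "roles": ["Domain Admins"]},
]


@dataclass
class Finding:
    user: str
    ip: str
    category: str
    reasons: list = field(default_factory=list)
    privileged: bool = False


def classify_ip(ip: str) -> str:
    """Longest-prefix match against the enrichment table; 'unknown' if nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cat in IP_CATEGORIES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cat)
    return best[1] if best else "unknown"


def triage(events):
    """Return findings for events worth an analyst's attention, most urgent first."""
    findings = []
    for ev in events:
        cat = classify_ip(ev["ip"])
        reasons = []
        # Keep the identity provider's own verdict (e.g. Entra ID Protection risk).
        if ev["risk_level"] != "none":
            reasons.append(f"idp risk={ev['risk_level']} ({ev['risk_detail']})")
        # Residential VPN/proxy ranges are an atypical source for staff logins.
        if cat == "residential_vpn":
            reasons.append("source in residential VPN/proxy range")
        privileged = bool(PRIVILEGED_ROLES & set(ev["roles"]))
        # Any privileged sign-in from outside corporate egress gets a look,
        # even when the IdP did not score it as risky.
        if privileged and cat != "corporate_egress":
            reasons.append("privileged role from non-corporate source")
        if reasons:
            findings.append(Finding(ev["user"], ev["ip"], cat, reasons, privileged))
    # Privileged-account hits first, then by number of independent reasons.
    findings.sort(key=lambda f: (not f.privileged, -len(f.reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SIGN_INS):
        flag = "PRIV " if f.privileged else "     "
        print(f"{flag}{f.user:<20} {f.ip:<15} {f.category:<16} {'; '.join(f.reasons)}")
```

Running it lists bob (residential VPN, IdP-flagged, Global Administrator) and dave (privileged sign-in from a datacenter VPN) ahead of carol, whose only signal is the residential range; alice, on corporate egress with no risk signal, is not reported. The design point is that source enrichment and privileged-role context are combined with, not substituted for, the provider's own risk scoring.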

No more taboos?

Clearly the organisations affected have their hands full and no doubt everyone in the community wishes them luck with their remediation.

But we clearly remain a long way from a world in which cybersecurity is no longer a dark art, “infections” are no longer taboo, and swiftly sharing learnings with a broader community is acceptable.

One of the key lessons from the healthcare sector is that efforts to reduce infections need to tackle a “shame” issue and that conversations need to be as broad and inclusive as possible. 

As one US committee put it: “Efforts to eliminate STIs need to be expanded from interventions in the private and public health domains to encompass a productive policy-making sexual health discourse at the local, state, and federal levels.”

Is there a lesson to be learned there for business leaders? 

We’d suspect so. And whilst it may start with "use protection", it likely needs to be a much bigger one than that.

What needs to change for organisations to feel comfortable *swiftly* sharing IOCs or other details from post-mortems with a broader community, to minimise risk to others? Is legal the biggest blocker? Share your views. 
