Most people are familiar with ransomware attacks, but the one we are looking at this week has a bit of a twist: What do you do when one of your suppliers or vendors gets hacked, but rather than extort the vendor, you are the one being required to pay the ransom?
The Target: Apple
According to a report from Bloomberg, REvil, a Russian-based cyber-terrorist group, tried to take a bite out of Apple in the neighborhood of $50 million, threatening to release the schematics of a MacBook design if Apple didn't pay the ransom.
Originally, REvil hacked into Quanta, one of Apple's key suppliers, which produces hardware for Apple for everything from phones to watches to computers. Quanta has acknowledged the breach, claiming there was "no material impact," while Apple has refused to comment.
After Quanta refused to pay the ransom, REvil increased it to $100 million and went after Apple instead.
During an Apple launch event for a new MacBook product this week, hackers published the design schematics from the physical piece of hardware they allegedly stole in the Quanta hack.
On top of releasing these typically secretive design specs, they also claimed to have more proprietary Apple product designs and plans which they would release without a $50 million payment from Apple itself.
As an update to this story, it has been reported that the ransomware group has “deleted all mention of the extortion attempt from its dark web site.” Nevertheless, there are important lessons to be learned.
A Means to an End
There are a couple of lessons to be learned from this hack. While trying to extort Apple for the money without ever breaching their network is a novel twist, it’s not a new idea. Vendors to large companies have always provided a means to a greater end, and are more vulnerable than the big guys.
The 2013 Target data breach was caused by an attack on an HVAC vendor first, and the SolarWinds breach in late 2020 was designed as a backdoor into the federal government.
However, this new tactic of extorting the larger client due to a hack at their vendor is something to think about.
Size Doesn’t Matter
First, no matter how small your company is, consider yourself a target. I’ve often received pushback from some prospects and clients along the lines of “we’re too small to really be a target, why would anyone come after us?”
The answer is: A hacker with an eye on the bigger prize. This attack just further proves that hackers really don’t discriminate in who they’ll attack.
Protect Your Company Proactively
Obviously, you have good cybersecurity protocols in place (right?), so let's look at the other protection you need: your contract. The language of your contracts is your first line of defense, particularly for B2B companies. (I talk about contracts more in this article.)
From an insurance perspective, both the Apple and Quanta cyber insurance policies could potentially respond here.
Quanta’s policy could apply because they had a network intrusion. Apple’s policy could apply because their proprietary data was exposed. Somewhere, a couple of underwriters are hiding under their desks (or under their covers if they are working from home).
The contractual agreement between Apple and Quanta is likely to come into play in deciding who ultimately pays for any damages this event might cause. Issues like contractual indemnifications, confidentiality provisions, required security controls, and limitations of liability are potentially going to be impacted and may help determine how this issue gets resolved.
My biggest takeaway here is that hackers are resourceful and know where the deep pockets are, and this likely won't be the last time we see a large company extorted because their vendor got breached. Don't be that vendor.