The Limited Times


Merck wins in court: insurance company must not classify computer worm NotPetya as an act of war

2022-01-23T15:26:36.348Z


The pharmaceutical company Merck was one of the victims of the cyber attack on Ukraine in 2017. That was war, the insurance company argued, and refused to pay. Now there is an important verdict.



Merck & Co

Photo: Brendan McDermid / REUTERS

When Microsoft announced a week ago that it had discovered a so-called wiper in numerous Ukrainian computer systems, it brought back bad memories.

In June 2017, this type of malware caused billions in damage worldwide by irretrievably overwriting files.

Technically, the wiper used at the time, called NotPetya, has nothing to do with the malicious code now found by Microsoft – if only because NotPetya was a worm that spread by itself, while the malware now discovered, called WhisperGate, was placed in a targeted manner and is not a worm.

But both disguised themselves as ransomware (encryption Trojans), i.e. as blackmail tools.

Then as now, Ukraine was the obvious target, and then as now, experts suspect Russian perpetrators behind the incidents.

NotPetya is said to have been used by the Sandworm group, which is attributed to the Russian military intelligence service GRU.

NotPetya was called a wiper at the time because, although its code was based on a ransomware called Petya, it was not intended to force victims to pay a ransom to regain access to their files.

Rather, NotPetya was designed for destruction.

NotPetya spread rapidly in the systems of everyone paying taxes or doing business in Ukraine via updates to the accounting software MEDoc.

And these were not only Ukrainian companies and banks, but also a radiation observation center in Chernobyl, the logistics group Maersk, the DAX-listed group Beiersdorf and the US pharmaceutical company Merck & Co.

"All Risks" does not include all risks

The NotPetya infestation cost Maersk around $300 million.

Important data could only be restored because a single backup in Ghana happened to be offline at the time due to a power failure and was therefore not overwritten.

Merck even recorded losses of 1.4 billion dollars due to production downtime, the replacement of its computers and the costs for IT experts.

The company wanted this reimbursed by its insurer, Ace American.

After all, Merck had insured up to $1.75 billion against "all risks," including damage from data loss or destruction.

But Ace American refused.

NotPetya, the insurance company argued, was an instrument of the Russian Federation and part of the ongoing hostilities against Ukraine.

And the exceptions to insurance against "all risks" state: "Loss or damage caused by acts of hostility or war in times of peace or war."

In 2019, Merck sued the insurance company, and now the judgment of the Superior Court of New Jersey has become known: the court found in favor of the pharmaceutical company.

On the one hand, the decision is of great importance for how insurance companies and their customers will deal with future cyber attacks and their collateral damage.

On the other hand, it is by no means the end of the NotPetya story.

First of all, the court isn't even the supreme authority within New Jersey. Second, this is an interim judgment and does not yet oblige Ace American to pay $1.4 billion.

Third, the reasoning of the court is not one that finally clarifies whether something like NotPetya is an act of war. Rather, the insurance company simply failed to adapt its own definition of acts of war to modern times. The judgment states that the wording in these policies has been practically the same for many years. At the same time, both parties are aware of cyberattacks in various forms. "Nevertheless, insurance companies have done nothing to change the wording and to make the insured aware that cyber attacks are an exclusion criterion. They certainly would have had the opportunity to do so." Merck therefore rightly assumed that "exceptions only apply to traditional forms of warfare".

In other words, insurance companies know what hacker attacks look like these days, the consequences they can have and how difficult it is to prove government involvement or support.

What counts as "cyber warfare" must be precisely regulated in their contracts.

Another verdict on NotPetya is still pending

"Cyber insurance will be more limited in the future," Dr. Lukas Olejnik, independent IT security researcher and former advisor to the International Committee of the Red Cross on cyber warfare issues, told DER SPIEGEL.

For example, insurer Lloyd's recently introduced four new definitions "for use in commercial cyber insurance contracts."

In one of them, what is particularly decisive is the assessment by the government of the state in which the affected computers are located as to whether a hacker attack was carried out by a foreign state or on its behalf.

Olejnik believes that this makes diplomatic and political decisions more important: "If certain governments continue to attribute cyber operations to other states, this could soon have financial consequences, at least in their own country."

Two companies in particular will now take a very close look at the judgment from New Jersey: the food manufacturer Mondelez and Zurich Insurance.

Mondelez was also among the NotPetya victims and put its loss at $180 million.

The group was insured for $100 million, and Zurich initially paid.

But then the insurance company refused further payments, again with reference to the exception for “acts similar to war in times of war or peace”.

Mondelez sued in 2018; a verdict is still pending.

Source: spiegel
