M&A Due Diligence: Supply Chain Tales, or Beware of the Fancy Bear

By Bill Vinck, Excendio Advisors

Background

Recently, Russia, at war with Ukraine, designed and launched a cyber-attack intended to disrupt both the Ukrainian government and Ukrainian-based businesses. They built the method of attack around an interesting attack vector: accounting software.

The attack planners noticed that many target entities used a common accounting software package called M.E. Doc, a product of a Ukrainian software firm called the Linkos Group. M.E. Doc, of course, was updated periodically; certified updates were automatically accepted by the client’s firewalls, and the new version was then installed on the client’s server. This approach is common to software package providers worldwide. But how secure was M.E. Doc?

Fancy Bear Arrives

It turns out M.E. Doc was not very secure. The attack plan was simple. First, hack into the M.E. Doc update server. Next, exploit a known vulnerability in Microsoft server software, and add a tool to harvest passwords. Finally, instruct the intruder package to spread to every device reachable from the update program, and to erase all software found on those devices.

Results

“Fancy Bear” is the nickname given to Russia’s military intelligence hacking unit and the results were significant. The attack destroyed about 10% of all computers in Ukraine including many government agencies, numerous financial institutions and other facilities such as hospitals. Round 1 goes to the Russians.

No Bad Deed Goes Unrewarded

Whether intended or not, the attack’s digital reach did not and does not stop at the Ukrainian or any other national border. The intruder was named “NotPetya” by cyber analysts who noticed a structural similarity between it and an earlier attack vehicle named “Petya”. During this attack, NotPetya proliferated throughout large parts of the world, including the US and Europe. This happened because global firms operating in Ukraine were still connected by their company VPNs to their operations in other parts of the world. That set of connections led to the proliferation of NotPetya.

Did Fancy Bear want to wipe devices in the rest of the world? Russian military intelligence has not commented on this. In any event, they damaged a great deal more than just Ukrainian-based institutions.

Supply Chain Due Diligence and M&A

You might say that while this is perhaps an interesting story, its relevance to M&A due diligence is unclear. However, consider this scenario. Your firm is involved in an M&A transaction, either as a buyer or seller. An attack such as NotPetya occurs and is not directed at you. In fact, your existence is unknown and irrelevant to Fancy Bear. But nonetheless your devices are wiped clean simply because you’re part of a network which is presumed to be secure.

M.E. Doc was the vector of this intrusion. What did the Linkos Group do wrong? Their platform was hacked, and they seemed not to notice. Sadly, most firms have been hacked. M.E. Doc ran vulnerable Microsoft server software but was probably unaware of the vulnerability. Was Microsoft aware? Did they disclose? After the post-attack analysis, one can assume that both firms took action.

Lessons to Consider:

  • Your firm and any firm you wish to acquire are embedded in a set of networks. The security of those networks is as important as the security of the target firm you hope to acquire. How do you gauge that security?
  • Supply Chain Digital Security should be a major review topic in your next M&A project.
  • A moment’s reflection suggests, however, that supply chain digital security is a potentially very complex topic.
  • Lastly, should your pre-acquisition cyber review be positive, take only temporary solace, as the Bear (and his friends) never sleep.

In subsequent posts, we’ll review these due diligence topics in more detail.