One of the largest insurance firms in the US, CNA Financial, was reportedly hit by a “sophisticated cybersecurity attack” on 21 March 2021. The cyber-attack disrupted the company’s employee and customer services for three days as the company shut down “out of an abundance of caution” to prevent further compromise.
Founded in 1967, the Loews Corp subsidiary is among the top 10 cyber insurance companies and the leading 15 casualty and property insurers in the US. It employs about 5,800 workers and reported annual revenue of over $10 billion in 2020. CNA posted a statement on its website notifying the public that it “sustained a sophisticated cybersecurity attack. The cyber-attack caused a network disruption and impacted certain CNA systems, including corporate email.” The cyber insurance firm added that it engaged forensic experts and law enforcement in its investigations. “Upon learning of the incident, we immediately engaged a team of third-party forensic experts to investigate and determine the full scope of this incident, which is ongoing. We have alerted law enforcement and will be cooperating with them as they conduct their own investigation.”
Analysts are concerned about a leak of policyholders’ data after the cyber-attack. CNA Financial did not notify potential victims because it could not determine if the attackers stole any data. “Should we determine that this incident impacted our insured or policyholders data, we’ll notify those parties directly,” CNA stated. Further, CNA initiated mitigation efforts to alleviate the disruption caused by the cyber-attack. “We’ve notified employees and provided workarounds where possible to ensure they can continue operating and serving the needs of our insureds and policyholders to the best of their ability.”
A researcher at Coalition said a nightmare scenario would be if the attackers stole policyholders’ data. He noted that accessing the data could help hackers determine which companies had applied for or acquired cyber insurance, the scope of coverage, and the limits of deductibles. Ransomware operators could use that information during negotiations after compromising the cyber insurance policyholders. They could use the information to set optimal ransom demands matching the policyholders’ cyber insurance coverage. Thus, informing any compromised parties would help them understand their negotiating position if a ransomware cyber-attack compromised their network.
If the black hat hackers stole any data, they could use that information to target the policyholders for their ability to pay because of the cyber insurance backing. Additionally, accessing their information could help the attackers craft convincing phishing messages, thus increasing the probability of success. Similarly, various cyber insurance policy disclosures could enable hackers to fine-tune their attacks to fit specific clients’ cyber defenses and weaknesses.
On 1 April 2021, CNA said it had restored mail functionality protected by two-factor authentication and a threat-blocking “security platform.” April 1st is traditionally ‘April Fool’s Day,’ but this is no joke. CNA also published its forensic investigation report findings. CNA disclosed that the ransomware used during the cyber-attack could not automatically propagate through internal and external systems.
Responding to the cyber-attack on CNA Financial, ImmuniWeb is now downplaying the risk posed by leaked policyholders’ data. “I think, today it’s premature to talk about a major spike in attacks targeting insurance firms with a purpose to steal lists of customers who have cybersecurity insurance,” says a spokesman. “It may appear intuitive to attack victims who have cyber insurance. However, this does not necessarily require hacking into insurance firms.” Many companies readily disclose having cyber insurance to boost customer and investor confidence. Cybercriminals prefer to spend the least time and effort by targeting low-hanging fruit for a quick payout. “More sophisticated cyber gangs do carefully select their victims in ransomware campaigns but it’s unlikely whether cyber insurance cover for a victim will play a major role in the process.”
Cerberus Sentinel disagrees. “We (I) expect to see service providers increasingly targeted by cybercriminals. After all, why spend time trying to compromise a hundred different companies individually when you can compromise them all at once by targeting their provider?” they said. Similarly, Gurucul believes that insurance agencies are attractive targets for cybercriminals. It added, “If an attacker can extract a list of clients who have cyber-attack insurance, those clients, in turn, become inviting targets themselves. Since they have insurance they are seen as more likely to pay off a ransom. It’s a win-win [situation] for the attackers and a lose-lose [situation] for everyone else.”
Cybersecurity should extend beyond taking out cyber insurance cover. Companies cannot rely solely on cybersecurity products; since no organization is safe from cybercriminals, they are advised to adopt a culture of security from the top leadership down to operations. Almost all organizations recently breached had various security products.
Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Ransomware continues to lead the way as a malware of choice, now for attacks on the insurance industry. Red Sky Alliance can provide actionable cyber intelligence and weekly black-lists to help protect your network. We can even provide cyber insurance solutions.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings