Before I get onto the main topic, the timeline seems to indicate that non-Coinbase engineers were also targeted by the attack given that, to paraphrase, it says: "Early June: people click link" and in a separate block "June 17: Coinbase employee clicks link". Using that reading, which may be mistaken, I concluded that it is non-targeted. If it is non-targeted then the fake Cambridge identities were presumably used on all targets which would then make it purely opportunistic as well. Luckily, even if my reading is incorrect, it does not affect the conclusion I wrote since it assumed the strongest possible interpretation of a targeted attack.
Onto the other topic, yes I agree there are probably no $30M attacks in the wild. This means that every attack that hits and breaches a company is less than the standard that I proposed. Given that essentially every major company using every combination of security solutions has been successfully attacked and the situation of continuous hacks has only gotten worse over the years, this supports my position. The lack of $30M attacks is most likely an indication of the immaturity of the attacker market. The fact that an entity can accidentally do $250M in damages to a company, get away with it, and nobody is trying to do that themselves all the time is plain incompetence in the criminal industry. To further support my point that the attacker market is immature, the number and size of economically-motivated attacks has been rapidly increasing over the years. 30 years ago, it was all pranks. 20 years ago it was all data loss. 10 years ago it was all cheesy $200/computer ransoms from consumers. Now we are seeing hospitals being ransomed for $1M. Given the cost of these attacks it is massively profitable at this stage to continue upping the ante.
I computed $30M by back-calculating from the damages with an extortion payment of $100M from extortion damages of $300M. I think this is a reasonable analysis, but you are free to substitute your own numbers on those. If I wanted to give a forward-calculated number based on my knowledge of attack difficulty, I would say that a targeted attack by a competent adversary whose primary goal was to extort Maersk and researched how to actually do damage would be able to allocate ~$10M and cause ~$10B in damages. As for how they might do such damage, they could hack every ship in their fleet and crash them into each other or land. They could hack the ships while they are at sea and crash them into cruise ships. They could take over the shipping cranes and drop containers incorrectly onto ships, destroying them. They could make the shipping cranes operate in unsafe parameters, destroying all of them. They could use the shipping cranes to drop containers on the employees. They could reorganize the shipping manifests subtly over a few weeks to violate shipping agreements that Maersk made. They could sit on every computer until backups are made, then take over the backup systems and destroy them, then destroy all the existing systems and servers and wipe the shipping manifests. The list goes on.
If you want cases for other companies that might be desirable to attack with high extortion value:
An attacker could take over every 2019 Camry then wait until rush hour to engage the ABS so the brakes do not work, engage the cruise control to 120 MPH, then engage autosteer to turn slightly left (or right depending on your country). They would kill tens of thousands in 3 minutes, which would completely and irrevocably destroy Toyota.
An attacker could take over every internet-connected GE stove with remote turn-on capabilities (they make these, seriously) and engage the gas at 3:00 AM, then wait 30 minutes, then ignite, blowing up every house with the stove and killing everybody inside while they are asleep, at least thousands worldwide, which would completely and irrevocably destroy GE.
An attacker could hit Merck (also hit by NotPetya for apparently ~$1.3B or more) by targeting one of their pharmaceutical plants to either vent and over-pressurize all of the chemicals so they explode into the nearby community, or re-tune the chemistry to increase toxicity while preventing the automated QA systems from rejecting them, either of which would completely and irrevocably destroy Merck. The list goes on.
Given the continuous failure to protect against attacks of less than $10M by every company in every industry for decades, I see no reason to give the benefit of the doubt to any of these companies, so I assert that not a single one of these companies can protect against an attack funded on the order of $10M, whereas the extortion value is in the tens to hundreds of billions and thousands of lives. I further assert that there is not a single well-known company in the world that can do so and is willing to make that statement in a legally binding manner. And, even if they did so, that is still only minimally sufficient for unimportant industries. A thousand lives should not be subject to the whim of someone with $10M; that is criminally irresponsible in the actual sense where you should go to jail if you do that. For the cases I gave above, you probably need a number on the order of ~$100B on the low end.
> Using that reading, which may be mistaken, I concluded that it is non-targeted.
That's a wrong reading. The attackers were specifically targeting Coinbase employees, although there were some instances where people with the same name and working in the same field (but not for Coinbase) got emails as well. The reason they say engineers clicked on a phishing link only on June 17 is precisely because it was a quality attack. The emails were personalized, written by a literate English speaker, and didn't contain any attachments or links at all initially. They only sent a link to an exploit after exchanging a few emails, confirming the target's identity and establishing a trusted relationship.
> Given the cost of these attacks it is massively profitable at this stage to continue upping the ante.
Sure, that's the general trend. But the cost of the attacks also rises due to software becoming more security-aware. Just the fact that all major browsers and Windows 10 have auto-updates enabled by default (and hard to disable) has basically killed exploit kits, although that was a booming market less than a decade ago. Legitimate security job openings have exploded as well (including remote positions), with the HR focus shifting from costly certifications to practical skills, which gives would-be hackers more possibilities to choose a lighter hat to wear. Bug bounties are a thing now, meaning people have new monetization opportunities for the vulns they discover. The Twitter community has matured and there are more than 365 security conferences a year held globally, meaning angsty teens have so many more ways to establish their street cred besides dark corners of IRC and anonymous imageboards.
Your simplistic analysis ignores all these factors. It's like completely ignoring logistics, supply chain and risk management in the real world, if you are one of these MBA types.
> allocate ~$10M and cause ~$10B in damages
Sure. Just like you can cause massive damage by starting a forest fire in dry season with just a box of matches. In the context of our discussion such estimations are non-productive, as 1) they ignore other costs and risks that attackers need to account for; and 2) the ability to cause massive damage does not necessarily translate into the ability to extract similarly massive profits from the situation.
> they could hack every ship (...)
The examples that follow are laughable. You clearly know nothing about these systems. That's like being afraid that someone will hack your laptop and give you cancer by manipulating the display refresh rate. There certainly are problems with industrial control systems and critical infrastructure, but they are much more nuanced than the Hollywood-type hacking you predict. And no exploit is worth more than ~$1M (apart from military thingies), because 1) there are always multiple ways to enter and, as the result is the same, attackers usually choose the path of least resistance; 2) at that price you can buy an insider that will just run your stuff directly or plug an LTE-enabled rPI into the network. And for the vast majority of modern real-world attacks the exploit is the most trivial/easiest/cheapest part. So well-protected systems are designed in such a way that even a malicious sysadmin would be able to do only so much damage before getting noticed and expelled from the network.