On March 10th, 3.6 million websites went offline at the same time. Digital services provided by companies and governments were suddenly unavailable to millions of Internet users. The incident was sparked by a fire at three Strasbourg data centers owned by OVHCloud, a French cloud computing company and the largest website hosting provider in Europe. Thankfully, there was no one physically injured or killed in the fire. Nevertheless, large-scale data center outages are catastrophic cyber events with a myriad of adverse financial and security consequences.
Below, we detail three cyber insurance takeaways from the OVHCloud fire.
One large-scale data center can serve thousands of customers and those customers can serve thousands (or even millions) of their own customers. When one data center goes down, it will take a significant portion of the Internet with it. According to Network monitor site Netcraft, the OVHCloud fire had the greatest impact on country code top-level domains (ccTLD) for France, or websites ending in “.fr”. The fire took down over 184,000 French websites, which is roughly 1.9% of all .fr domains in the world. Websites that went offline globally included banks, email services, news sites, online shops selling COVID-19 protective gear, and several countries’ government websites.
It is worth noting that this is just the latest instance of one of the world’s largest commercial cloud computing providers being vulnerable to downtime. The OVHCloud fire is only the most recent example of a large-scale cloud computing company going offline. In November 2020, Amazon Web Services, the world’s largest cloud provider, experienced a major outage in its US-EAST-1 data center. Weeks later, Google’s primary authentication system for its entire Cloud Platform went down. Many companies were impacted by both cloud outages.
These events are relevant as they demonstrate that data centers are SPOF. CyberCube has focused on SPOF, creating a database that can help (re)insurers develop an edge in cyber portfolio management by obtaining insights on SPOF and their connectivity with risks in a portfolio.
SPOF intelligence can help create new insurance products that have terms and conditions tied to SPOF such as data centers and cloud providers, inform underwriting strategies by optimizing exposure to SPOF based on risk appetite, and quickly understand potential exposure and claims arising from recent or ongoing catastrophic SPOF incidents.
Most cloud providers including OVHCloud, Amazon, Google and Microsoft all have an array of cloud security services that are not automatically included in their products. Knowing which security services are included and which are not is key to mitigating cyber risks. For example, some OVHCloud customer’s data was destroyed in the fire without any backup. These OVHCloud customers were running their own dedicated bare metal servers instead of virtual servers. OVHCloud was not maintaining any back-up data for its customers using bare metal servers. The popular online gaming company Rust saw all of its European bare metal servers destroyed in the fire, each of which could serve up to 10,000 users during peak time.
According to cyber security firm Kaspersky Lab, the OVHCloud fire also took down computing resources for several nation state advanced persistent threats (APTs) and criminal hacking groups. These attackers will rent server space from companies like OVHCloud to launch cyber attacks. Attacker controlled servers - called Command and Control Servers or C2 - are often used in cyber attacks to deliver and control malware, exfiltrate data, and more. Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, said there were 140 OVHCloud servers used by cyber criminals and APTs that he and his colleagues were tracking at the time of the OVHCloud fire. Raiu said that 36% of the attackers’ servers they were tracking went up in flames. One of the most popular illegal content streaming websites in Israel also went offline.
APTs and cyber criminals can easily find new C2 servers from which to conduct their attacks. The OVHCloud fire is likely just an unfortunate hiccup in any sophisticated cyber criminal campaign that leveraged OVHCloud servers. Security researchers like those at Kaspersky Lab will take time to re-find and track the same attackers on new infrastructure. In fact, the OVHCloud fire was a clean refresh for attackers, and a hard restart for defenders.