arrow-line asset-bg bars-line calendar-line camera-line check-circle-solid check-line check-solid close-line cursor-hand-line image/svg+xml filter-line key-line link-line image/svg+xml map-pin mouse-line image/svg+xml plans-businessplans-freeplans-professionals resize-line search-line logo-white-smimage/svg+xml view-list-line warning-standard-line
Articles

Collateral Damage: Notpetya Takes Russia's Cyber War Global

Notpetya Cyber attack
On 27 June, thousands of screens across Ukraine began showing sinister red writing as the so-called ‘NotPetya’ malware spread across the country. Soon after, businesses across the world were reeling from the second global cyber-attack in as many months in 2017. As the dust settles from the attack, security researchers have gone to work untangling who was behind the attack. Mounting evidence points to an unsettling conclusion: NotPetya may be the latest episode in an ongoing experiment of cyber warfare conducted by Russian government-backed hackers in Ukraine.

How did it start? 

The NotPetya infection started with a software update delivered to customers using MeDoc, a Ukrainian accounting software product. From there, it rapidly spread across networks by using a combination of hacking tools leaked from the US National Security Agency (NSA), and code which exploits Microsoft file sharing tools to steal passwords from an infected computer’s memory. This second method of spreading made NotPetya particularly dangerous. A single computer without up to date security features could be used to infect other, more secure machines on the same network by using the stolen passwords. Digital forensics experts have estimated that NotPetya was able to spread through country networks in a matter of minutes, and on a global scale in a matter of hours. 

Ukrainian organisations from Kiev’s Metro system and Boryspil airport, to the deputy prime minister’s office were hit hard by the attack. According to some estimates, over 60 percent of computers infected with NotPetya were in Ukraine, where MeDoc is one of only two authorised software products for government tax returns. There can be no doubt that Ukraine was the prime target of this attack. However, after spreading across Ukraine, the malware used passwords stolen from infected machines to spread globally, causing widespread collateral damage. At a final tally, it is estimated that over 10,000 computers in over 50 countries had their files encrypted, paralysing government bodies and businesses alike. 

A wiper or ransomware?
 
As the victims of NotPetya recover from the initial shock, forensic teams have dug into NotPetya’s code, only to find a nasty surprise. Hidden behind the red ransom message was NotPetya’s true purpose: to destroy data and disrupt the operations. Specialists discovered that during the process of infection NotPetya would overwrite the master boot record, the part of a computer responsible for giving instructions on how to start up, before then encrypting files. However, they discovered that bugs in the encryption process would mean that in many cases, victims paying for a decryption key would likely have found it useless in recovering data. Indeed, following the attack Forbes, the business magazine, tested a master decryption key put on sale by the attackers on the dark web for around $250,000, and found that the key could only decrypt certain files, not the infected hard drives.

Another unusual characteristic of the attack was that the perpetrators initially used a single email account for receiving messages proving payment of the ransom before auctioning the master key on the dark web. Unsurprisingly, the NotPetya attackers’ account was almost immediately suspended by the email provider, cutting victims’ line of communication with the attackers and making it impossible to request the decryption key. This was a poor imitation of the typical modus operandi of ransomware attacks which create custom email accounts for each victim.

The weakness of the attackers’ payment system was in complete contrast to the sophisticated design of the malware’s infection and spreading methods, leading to a growing consensus amongst security researchers that the NotPetya attack was not in fact motivated by financial gain. Researchers have called for NotPetya to be re-categorised as part of a growing trend of attacks masquerading as ransomware which are actually ‘wipers’, a type of malware designed to destroy or permanently deny access to data. Such attacks are often suspected to be state-sponsored due to their failure to make money for attackers.

Who was behind it?

With the financial motivations of traditional cybercriminals ruled out, speculation has grown that NotPetya was designed with either political motivations, or to prove a point by hacking groups in it ‘for the lulz’. The concept of ‘lulz’, an internet shorthand for ‘laughs’ usually involves a critique of society’s lack of internet savviness or has consequences considered by the perpetrators to be interestingly shocking or humorous. No such motivation has come to light so far in relation to the NotPetya attack and politically, only one country obviously stands to gain from disruption in Ukraine: Russia. 

Fingerprints can be found in the attack’s timing, origin and apparent target. Since the 2014 annexation of Crimea, Russia has been engaged in an ongoing campaign of hybrid warfare in Ukraine, employing misinformation and cyber arms alongside conventional military involvement to secure its new territory. The destabilisation of Ukraine through NotPetya seems well aligned with this strategy. By targeting the MeDoc software, NotPetya punished not only Ukrainian organisations, but also international companies doing business in the country, while playing smoke and mirrors with the identity of its creators. NotPetya also follows a string of cyber-attacks targeting Ukrainian businesses and critical infrastructure, the most significant of which include two blackouts caused by sophisticated hacking and affected hundreds of thousands of Ukrainians just before Christmas in both 2015 and 2016. The NotPetya attack came pointedly a day before Ukraine’s Constitution Day, a public holiday celebrating the adoption of a national constitution five years after independence from the Soviet Republic of Russia. 

So far, a number of groups have gone on record accusing Russian involvement in the attack. Both Ukraine's security service (SBU), and ESET, a Slovenian cyber security firm, have publicly stated that they believe the NotPetya malware was created by the same group allegedly to be behind the December 2016 blackout in Ukraine, known as ‘Sandworm’ or alternatively as ‘Telebots’. ESET’s view has also been echoed by FireEye, a leading US cyber security company which is an authority on the group, which it links to Russian government backers. Sandworm is allegedly a repeat offender and is believed to be behind recent alleged cyber-attacks on EU and NATO officials. 

In response to these allegations, a Kremlin spokesman dismissed the claims as "unfounded blanket accusations”. Critics of those who accuse Russia also point to the fact that Russian companies suffered the second highest number of infections NotPetya after Ukraine, the most significant example being Rosneft, the state-controlled oil company. However, it is entirely feasible that the Russian companies were hit because NotPetya spread further than was intended. It would also not be the first time that Russian covert operations have accepted a degree of collateral damage at home to create a smokescreen of plausible deniability.

Weighing up retaliation
 
Whether guilty or not, the Ukrainian SBU’s accusations have put Russian, and more widely, state-sponsored cyber operations in the spotlight. Amid serious allegations of Russia’s interference in the 2016 US presidential elections and fears of similar attempts to influence the upcoming German elections, Russia’s alleged cyber operations are being taken seriously at an international level. NATO spokespersons have said that NotPetya “could most likely be attributed to a state actor”, and likely represents a “declaration of power; a demonstration of acquired disruptive capability and readiness to use it.” The seriousness of this analysis has sparked discussions about the possibility of retaliation, either with cyber or conventional military action, should a NATO member state be the subject of a state-sponsored cyber-attack. This has been echoed by a number of world leaders who have reemphasised their commitment to retaliate against cyber-attacks either in kind or with conventional military action. However, in practice significant retaliations against cyber-attacks have been few and far between, as countries have struggled to justify response in the face of the legal challenges of attributing responsibility for attacks. As a result, more state-sponsored hacks like NotPetya are likely to come, emboldened by the success of NotPetya and the global WannaCry ransomware attack of May 2017. 

The fallout

Outside the political sphere of NotPetya’s significance in the context of Russian aggression in Ukraine, the fallout of NotPetya poses a serious security challenge for businesses that are increasingly being caught in the crossfire of politically motivated cyber sabotage. The consequences of failing to act are severe, with multinational organisation which were victims of NotPetya claiming financial losses of up to £100 million. In the face of these threats, many businesses that previously believed themselves to be prepared against traditional levels of cyber-attacks are revaluating their cyber security needs. Re-evaluation of how quickly security updates must be applied and the possibility of having networks in geopolitical centres of hybrid conflict isolated from global networks are all measures under consideration. Fortune will favour those with the foresight to act now, as the new world order of hybrid warfare and cyber aggression gains pace.

S-RM’s GSI is the simplest way to get a fresh perspective on the security risks affecting you, your work, and your travel.