Subscribe to the Blunt Force Truth podcast

Russians Suspected In NotPetya Malware Attacks

Data-destroying cyber attacks mimic ransomware

A recent international cyber attack that began in Ukraine involved sophisticated malware called “NotPetya” and was likely carried out by the Russian government or hackers associated with Moscow, according to U.S. officials and private security researchers.

The malware masquerades as ransomware—programs that scramble data inside penetrated computers and then demand payment from victims to unscramble the data. But in reality the latest global outbreak was the work of data-destroying hackers seeking to undermine Ukraine’s economy.

The latest outbreak was described as a variant of a true ransomware program called Petya but has been dubbed NotPetya by the U.S. government and private researchers.

NotPetya’s first attacks took place June 27 in Ukraine, causing widespread computer network failures ranging from the National Bank of Ukraine to the radiation detection center at the Chernobyl nuclear reactor. The reactor exploded in 1986 causing widespread destruction. The entombed debris is not under constant surveillance.

“I don’t think there is any doubt that NotPetya was released as a form of economic sabotage,” said a cyber security researcher closely involved in mitigating the malware attacks. “Whether there was a state unit or contracted patriots is not clear.”

The security researcher who spoke on background described NotPetya as an “extremely sophisticated” virus that exploits software flaws in the Windows operating system first disclosed by a hacker group called Shadow Brokers. The group claims to have stolen the computer vulnerability from the National Security Agency, the nation’s most sophisticated cyber espionage service.

NotPetya was initially assessed by Department of Homeland Security cyber security officials to be similar to what is called the WannaCry ransomware. That malware was used in international cyber attacks in May that disrupted healthcare networks in Britain and a large number of other computer networks around the world.

WannaCry in turned is believed to be a variant of ransomware called Petya that works by extorting targeted companies to pay for decrypting forcibly scrambled data.

“This new variant of the Petya virus, called NotPetya, was unlike the original virus: NotPetya has no ability to reverse the decryption dependent on whether a ransom is paid; it simply deletes files, putting it in a genre called ‘wiper virus,'” says a State Department security report on the virus.

According to the report by the Overseas Security Advisory Council, that support American companies overseas, the large-scale malware infection began with a software update of a Ukrainian accounting program called M.E. Doc. Use of the M.E. Doc allowed the computer virus to spread easily throughout the Ukrainian government and private sector networks.

“The maker of M.E. Doc has been accused of disregarding cyber security threats, and is now under investigation by the Ukrainian Cyber police unit,” the report said.

“The attack spread to several state-owned enterprises, such as Boryspil International Airport, Ukrtelecom, Ukrposhta, State Savings Bank of Ukraine, Ukrainian Railways, and Chernobyl’s radiation monitoring system.”

The Kiev government denounced the attack as cyber terrorism and on July 4, authorities announced that another cyber attack involving NotPetya had been thwarted.

Security researchers estimate that 60 percent of those impacted by the cyber attack were in Ukraine while 30 percent affected networks in Russia, with the remaining 10 percent hitting networks in 64 other nations.

Russia in the past has engaged in what the Pentagon calls “hybrid warfare” operations against Ukraine, including the use of cyber attacks on the Ukrainian voting system in 2014 and an unprecedented cyber attack on the Ukrainian electric power grid in 2015 and 2016.

The impact of NotPetya was significant. The French building materials company Saint-Gobain said it suffered $230 million in lost sales, while the Danish shipping company A.P. Moller-Maersk halted shipping operations from Mobile, Alabama, to Mumbai, India.

The Heritage Valley Health System, health care network in western Pennsylvania was among the infected systems, limiting diagnostic resources for two days.

The global malware outbreak also hit the New Jersey-based pharmaceutical company Merck, the nation’s second-largest drugmaker.

Researchers found that the malware encrypts the first megabyte of files containing 67 different extensions but did not appear to affect other disks.

“This is a mess and it is a deliberate attack against Ukraine and their supporters,” the security researcher said.

Raj Samani, chief scientist at the cyber security firm McAfee, told the CyberWire podcast that NotPetya posing as ransomware was unusual.

“You can argue that WannaCry may have been a ransomware campaign and there are certain indications to suggest that they at least had some mechanism to communicate with victims,” Samani said.

However, in NotPetya, “it would appear that this is a campaign to cause destruction,” he said.

Linking the attack to a specific actor has been difficult, Samani noted.

“With Petya/NotPeya, you know I’m kind of using terms like ‘maybe’ and ‘probably,'” Samani said. “And certainly we think it was a campaign meant to disrupt the Ukraine.”

In addition to the Danish shipping company, other firms hit by NotPetya included public relations firms and advertising companies.

Samani said the spate of incidents over the past few months has been what he called “insane.”

“It appears that we’re veering from crisis to crisis to crisis,” he said.

The reason is that modern societies have been very dependent on technology.

“Our reliance on technology is almost ubiquitous now and it’s going to continue as well,” Samani said.

The State Department report said the servers at the company that produces M.E. Doc have been seized by Ukrainian authorities and the online accounting firm is under criminal investigation for neglect. The company, Intellect Service, reportedly disregarded several warnings about security vulnerabilities of its software.

The report said the NotPetya attack was likely “state-sponsored” based on the target and methods used.

“NotPetya was notable in that it had only one method by which ransom payers were to receive their unlock codes, which was quickly shut down,” the report said.

However, the personal key listed on each affected computer screen was found to have been randomly generated and not linked to any specific computer. As a result, there was no way for the hackers to send out decrypt codes and release the locked systems from the attack.

“These elements point towards a more sophisticated attack designed to shut down systems and likely have a psychological impact; not merely to make money off of holding business files hostage,” the report said.

“The complexity of this program and scale of the attack indicates to some cyber security experts that it most likely was state sponsored.”

The report did not identify the state sponsor.

The NSA vulnerabilities stolen by the Shadow Brokers were called “eternalblue” and “eternalromance.”

“We are in a new phase of cyber security and the way that sophisticated actors behave,” Leo Taddeo, a former FBI cyber investigator and executive with cyber security firm Cyxtera Technologies, told Reuters.

“I can’t think of a supply chain attack that has been this thorough.”

Russia denied any role in the NotPetya attack and a Trump administration official also said the U.S. government is not prepared to blame Moscow.

An online news outlet called Motherboard reported that hackers behind the NotPetya attack had posted an offer to unlock all affected computers for a bitcoin payment of $256,000.

NotPetya malware only affects older Microsoft Windows operating systems that have not been patched with security updates to eliminate the eternalblue flaw.

(First reported by The Washington Free Beacon)   (July 19, 2017)

Want more BFT? Leave us a voicemail on our page or follow us on Twitter @BFT_Podcast and Facebook @BluntForceTruthPodcast. We want to hear from you! There’s no better place to get the #BluntForceTruth.