CySec Coach

The NotPetya Attack: Unmasking a Devastating Cybersecurity Nightmare

In the ever-evolving landscape of cybersecurity threats, one incident that sent shockwaves through the global community was the NotPetya attack. This sophisticated malware, initially thought to be ransomware, turned out to be a destructive cyber weapon with far-reaching consequences. In this blog post, we will dive into the NotPetya attack, exploring its origins, methods, and the damage it caused.

The Back Story

The NotPetya attack, which occurred in June 2017, initially appeared to be ransomware. (To learn about ransomware, read this blog.) On the day it struck, Kaspersky Lab documented infections in France, Germany, Italy, Poland, the United Kingdom, and the United States. However, the infections were concentrated in Russia and Ukraine. Over 80 companies were attacked initially, including the National Bank of Ukraine. ESET (a software company specialising in cybersecurity) estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany the second hardest hit at about 9%.

The malware was disguised as a variant of the ransomware known as Petya, which encrypts a victim's files and demands a ransom for their release. (Petya is a family of encrypting malware first discovered in 2016. It targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts the hard drive's file system table and prevents Windows from booting.) However, as cybersecurity experts looked deeper into the incident, it became evident that this was not a typical ransomware attack.

It was believed that an update to a Ukrainian tax preparation program (M.E.Doc) had been compromised to spread the malware [1]. On July 4, 2017, Ukraine's cybercrime unit took control of the company's servers after identifying "fresh activity" deemed likely to lead to the uncontrolled proliferation of malware. Ukrainian law enforcement recommended that M.E.Doc users stop using the software, as they suspected a backdoor was still present [2]. Analysis of the seized servers revealed that software updates had not been applied since 2013, indications of Russian involvement, and the compromise of an employee's account on those servers. The head of the unit warned that M.E.Doc might face legal repercussions for facilitating the attack through negligence in securing its servers.

The Intention

The primary purpose of NotPetya was not financial gain through ransom payments, as is typical in ransomware incidents. Instead, it was designed as a destructive cyber weapon with the intent to cause widespread disruption and damage, particularly targeting critical infrastructure and organisations in Ukraine.

The Propagation Technique

NotPetya spread in a way rarely seen in cyber threats. It used multiple propagation techniques, including exploiting a vulnerability in Microsoft's Windows operating system known as EternalBlue. This vulnerability, initially discovered by the U.S. National Security Agency (NSA), was later leaked by a hacking group known as the Shadow Brokers. The attackers weaponised this exploit, enabling NotPetya to spread rapidly across networks, both within and beyond Ukraine.

The Aftermath

The damage from NotPetya spread worldwide very quickly. Large international companies with operations in Ukraine, or with network connections to affected organisations there, faced serious disruption. Well-known corporations like Maersk, Merck, and FedEx had major trouble running their businesses, leading to financial losses in the billions of dollars. The NotPetya attack served as a global wake-up call, raising awareness of cybersecurity threats and prompting a renewed focus on strengthening defences. Governments tightened regulations, businesses invested in better security measures, and individuals became more cautious about their online activities. The recovery from NotPetya was long: affected organisations spent months rebuilding systems and restoring lost data. The financial losses were shocking, and the impact on critical services was deeply felt.

For further reference:

  1. CISA: Petya Ransomware.
  2. Research Study: The NotPetya Campaign.