Story image

A system wiper with no recourse: Researchers discover what NotPetya attack was really after

05 Jul 17

As the dust settles on the NotPetya attacks that flooded various parts of the world last week, security researchers have put the pieces together about what its true purpose was.

It is now being called a 'wiper', or a specific malware that erases all trace of data on systems. NotPetya went one step further by corrupting the Master Boot Record - a critical part of any system's boot process.

ESET senior research fellow Nick FitzGerald says that it was most likely a state-sponsored attack through malware - not unlike a recent spate of attacks against Ukrainian targets.

He believes that Diskcoder.C was initially attached to the tax accounting software MeDoc. In addition, further distribution through a watering-hole attack on a compromised Ukrainian news site also may have spread the malware.

In addition, NotPetya featured three other distinct tells that this may have been a targeted attack:

"Its LAN-only spreading mechanisms could be expected to largely contain its spread to the victims’ networks only. Diskcoder.C was made to appear to be a ransomware campaign although it is really a simple “disk killer”. Disk killers masquerading as ransomware have been used against Ukrainian targets before. And the coordination of both attacks in the previous examples would require considerable luck or the backing of substantial resources,” FitzGerald comments.

Digital Shadows' Rick Holland agrees. He believes it was likely a targeted attack.

"While the malware’s functionality has reportedly made it highly effective at propagating to machines within a local network, it has been reported as having no function for spreading outside of these local networks. It was therefore assessed as likely to be much more effective for conducting targeted attacks than WannaCry."

He specifically mentions that the ransom payment method wasn't about giving attackers revenue through ransom demands. Victim ID numbers were randomly generated, rather than derived from the encryption key. As a result, even if the victim had paid ransom and made contact, there would be no way for the attackers to provide the right decryption key.

With monetary gain as a motivation out the picture, the most likely motivation left for NotPeyta’s behavior is destructive malicious intent. Nation state actors conduct malicious cyber-attacks to fulfill geostrategic objectives. With this in mind, NotPeyta does demonstrate an advanced understanding of how to mount a wide spread hard hitting cyber-attack, and to capitalize on this attack with maximum media exposure," he says.

With regards to why, Holland believes that geopolitical context and target geography made Ukraine and Europe a ripe target.

"The initial attack occurred during the Ukrainian holiday celebrating independence from Russia. If one subscribes to the theory that Russian state or affiliated actors are responsible, this had the tactical effect of delaying a coherent response from Ukrainian defenders and strategically punishing Ukraine for its independence from Russia. Although these facts are interesting - and they do suggest that the malware was actively aimed at the Ukrainian economy - they are circumstantial and do not conclusively link the incident to any particular nation state. Attribution is and will continue to be a challenge," he says.

What's to come? Holland believes that the NotPetya campaign demonstrates that organisations need to prepare for all attacks, even ones that aren't specifically targeting their own organisations. With attack tools easier to come by, threat actors are getting more access to powerful tools.

Read more about NotPetya as it unfolded here.

ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
Exclusive: Fileless malware driving uptake of behavioural analytics
Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).
'DerpTrolling’ faces jail time for Sony DoS attacks
A United States federal court has charged a 23-year-old man for the hacks on Sony Online Entertainment and other major companies back in 2014.
It's time to rethink your back-up and recovery strategy
"It is becoming apparent that legacy approaches to backup and recovery may no longer be sufficient for most organisations."
Dropbox strengthens security with raft of new partnerships
Integrations will keep customer content protected and secure with tools for controlling identity access, governing data, and managing devices.
Companies swamped by critical vulnerabilities – Tenable
Research has found enterprises identify 870 unique vulnerabilities on internal systems every day, on average, with over 100 of them being critical.
Don’t let your network outgrow your IT team
"IT professionals spend less than half of their time at work optimising their networks and beefing it up against future security threats."
Three access management trends making waves in APAC
Consumer identity proofing, authentication, and authorisation will top the $37 billion value mark by 2023.