A system wiper with no recourse: Researchers discover what NotPetya attack was really after
As the dust settles on the NotPetya attacks that flooded various parts of the world last week, security researchers have put the pieces together about what its true purpose was.
It is now being called a 'wiper', or a specific malware that erases all trace of data on systems. NotPetya went one step further by corrupting the Master Boot Record - a critical part of any system's boot process.
ESET senior research fellow Nick FitzGerald says that it was most likely a state-sponsored attack through malware - not unlike a recent spate of attacks against Ukrainian targets.
He believes that Diskcoder.C was initially attached to the tax accounting software MeDoc. In addition, further distribution through a watering-hole attack on a compromised Ukrainian news site also may have spread the malware.
In addition, NotPetya featured three other distinct tells that this may have been a targeted attack:
"Its LAN-only spreading mechanisms could be expected to largely contain its spread to the victims’ networks only. Diskcoder.C was made to appear to be a ransomware campaign although it is really a simple “disk killer”. Disk killers masquerading as ransomware have been used against Ukrainian targets before. And the coordination of both attacks in the previous examples would require considerable luck or the backing of substantial resources,” FitzGerald comments.
Digital Shadows' Rick Holland agrees. He believes it was likely a targeted attack.
"While the malware’s functionality has reportedly made it highly effective at propagating to machines within a local network, it has been reported as having no function for spreading outside of these local networks. It was therefore assessed as likely to be much more effective for conducting targeted attacks than WannaCry."
He specifically mentions that the ransom payment method wasn't about giving attackers revenue through ransom demands. Victim ID numbers were randomly generated, rather than derived from the encryption key. As a result, even if the victim had paid ransom and made contact, there would be no way for the attackers to provide the right decryption key.
With monetary gain as a motivation out the picture, the most likely motivation left for NotPeyta’s behavior is destructive malicious intent. Nation state actors conduct malicious cyber-attacks to fulfill geostrategic objectives. With this in mind, NotPeyta does demonstrate an advanced understanding of how to mount a wide spread hard hitting cyber-attack, and to capitalize on this attack with maximum media exposure," he says.
With regards to why, Holland believes that geopolitical context and target geography made Ukraine and Europe a ripe target.
"The initial attack occurred during the Ukrainian holiday celebrating independence from Russia. If one subscribes to the theory that Russian state or affiliated actors are responsible, this had the tactical effect of delaying a coherent response from Ukrainian defenders and strategically punishing Ukraine for its independence from Russia. Although these facts are interesting - and they do suggest that the malware was actively aimed at the Ukrainian economy - they are circumstantial and do not conclusively link the incident to any particular nation state. Attribution is and will continue to be a challenge," he says.
What's to come? Holland believes that the NotPetya campaign demonstrates that organisations need to prepare for all attacks, even ones that aren't specifically targeting their own organisations. With attack tools easier to come by, threat actors are getting more access to powerful tools.