
A system wiper with no recourse: Researchers discover what NotPetya attack was really after

05 Jul 2017

As the dust settles on the NotPetya attacks that swept across parts of the world last week, security researchers have pieced together what the malware's true purpose was.

It is now being called a 'wiper': malware whose purpose is to destroy data on a system rather than hold it for ransom. NotPetya went one step further by overwriting the Master Boot Record, a critical part of any system's boot process, so that affected machines could not even start up.

ESET senior research fellow Nick FitzGerald says that it was most likely a state-sponsored attack through malware - not unlike a recent spate of attacks against Ukrainian targets.

He believes that Diskcoder.C was initially delivered through the tax accounting software MeDoc, and that a watering-hole attack on a compromised Ukrainian news site may have spread the malware further.

FitzGerald also points to several other tells that this may have been a targeted attack:

"Its LAN-only spreading mechanisms could be expected to largely contain its spread to the victims’ networks only. Diskcoder.C was made to appear to be a ransomware campaign although it is really a simple “disk killer”. Disk killers masquerading as ransomware have been used against Ukrainian targets before. And the coordination of both attacks in the previous examples would require considerable luck or the backing of substantial resources,” FitzGerald comments.

Digital Shadows' Rick Holland agrees. He believes it was likely a targeted attack.

"While the malware’s functionality has reportedly made it highly effective at propagating to machines within a local network, it has been reported as having no function for spreading outside of these local networks. It was therefore assessed as likely to be much more effective for conducting targeted attacks than WannaCry."

He also notes that the ransom payment mechanism was never designed to earn the attackers revenue. Victim ID numbers were randomly generated rather than derived from the encryption key, so even if a victim had paid and made contact, the attackers would have had no way to supply the correct decryption key.

"With monetary gain as a motivation out of the picture, the most likely motivation left for NotPetya's behavior is destructive malicious intent. Nation state actors conduct malicious cyber-attacks to fulfill geostrategic objectives. With this in mind, NotPetya does demonstrate an advanced understanding of how to mount a widespread, hard-hitting cyber-attack, and to capitalize on this attack with maximum media exposure," he says.
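To make the victim-ID point concrete, the following is an added illustration in Python (standard library only); it is not NotPetya's code and does not come from ESET or Digital Shadows. It contrasts the conventional ransomware design, in which the victim ID is the per-victim key wrapped under a secret that only the operator holds, with a random ID that has no relation to the key, and shows that the operator can hand back a working key only in the first case. The operator secret, the HMAC-based wrapping construction, the toy cipher and the sample document are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption for the demo: a master secret known only to the ransomware operator.
OPERATOR_SECRET = b"demo-operator-master-secret"
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF keystream for the demo."""
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong (tag check fails)."""
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


def derived_victim_id(victim_key: bytes) -> bytes:
    """Conventional design: ID = nonce || victim_key wrapped under OPERATOR_SECRET.
    The victim can display it, but only the operator can unwrap it."""
    nonce = os.urandom(NONCE_LEN)
    wrapped = _xor(victim_key, _keystream(OPERATOR_SECRET, nonce, len(victim_key)))
    return nonce + wrapped


def random_victim_id(length: int = NONCE_LEN + 32) -> bytes:
    """NotPetya-style ID: random bytes with no relationship to the key."""
    return os.urandom(length)


def operator_recover_key(victim_id: bytes) -> bytes:
    """Operator side: unwrap whatever the victim sent as their ID.
    On a random ID this simply yields 32 bytes of garbage."""
    nonce, wrapped = victim_id[:NONCE_LEN], victim_id[NONCE_LEN:]
    return _xor(wrapped, _keystream(OPERATOR_SECRET, nonce, len(wrapped)))


def simulate_payment(id_derived_from_key: bool) -> bool:
    """One victim: encrypt, display an ID, 'pay', receive a key from the operator.
    Returns True only if the returned key actually decrypts the data."""
    victim_key = os.urandom(32)
    sample = b"constructed sample document contents"  # constructed input
    blob = encrypt(victim_key, sample)
    victim_id = derived_victim_id(victim_key) if id_derived_from_key else random_victim_id()
    del victim_key  # the only copy left on the victim machine is gone
    returned_key = operator_recover_key(victim_id)
    return decrypt(returned_key, blob) == sample


if __name__ == "__main__":
    print("ID derived from key, recovery works:", simulate_payment(True))
    print("Random ID (NotPetya-style), recovery works:", simulate_payment(False))
```

In the derived case the ID is an opaque blob to everyone but the operator, which is what makes a real ransom business possible; in the random case the operator is in the same position as the victim, with nothing to unwrap, so the decryption key cannot be returned no matter how much is paid.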

As to why, Holland believes that the geopolitical context and the geography of the targets made Ukraine and Europe a ripe target.

"The initial attack occurred during the Ukrainian holiday celebrating independence from Russia. If one subscribes to the theory that Russian state or affiliated actors are responsible, this had the tactical effect of delaying a coherent response from Ukrainian defenders and strategically punishing Ukraine for its independence from Russia. Although these facts are interesting - and they do suggest that the malware was actively aimed at the Ukrainian economy - they are circumstantial and do not conclusively link the incident to any particular nation state. Attribution is and will continue to be a challenge," he says.

What's to come? Holland believes the NotPetya campaign shows that organisations need to prepare for all attacks, including ones not aimed at them specifically: with attack tools easier to come by, threat actors have ready access to powerful capabilities.

