As a new addition to the 10Fold team, as well as being new to the cybersecurity practice in general, it has been important for me to monitor the news on a daily basis in order to get familiar with trending topics and identify what it is my clients can speak to with authority. Although many stories have caught my eye in the last two months since I started these daily news sweeps, the NotPetya cyber attack stood out to me above all others.
Peyta/NotPetya/ExPetr/GoldenEye is an ongoing cyberattack that started Tuesday, June 26. It began with a cyberattack in Kiev, Ukraine, where this malware went on to hit around 2,000 computer systems, specifically targeting computers running the Microsoft Windows Operating system. While many people originally believed it to be a form of ransomware similar to the recent ‘Petya’ attacks, this malicious software has been categorized as a “wiper.” It’s designed to cause mayhem and wipe computers – and is not actually ransomware – which is why this ongoing attack has adopted so many names. It’s similar, but also different in a lot of ways.
Although there were corporations and public sector agencies affected in more than 65 countries all over the world, Ukraine and Russia were hit the hardest, including Ukraine government ministries, banks, utilities, telecom operators, an airport and other major companies. Also attacked were Russian oil giant Rosneft and Russian web security firm group-IB. Computers at the Chernobyl nuclear plant were compromised as well, forcing workers to manually monitor radiation levels, which have their own inherent security and safety challenges. Others hit include companies in the UK, Germany, China and U.S., British advertising giant WWp, French Industrial group Saint-Gobain, Shipping giant A.P. Moller-Maersk, Cadbury, pharmaceutical companies, hospitals and many more.
What was interesting about Petya was that after encrypting files on the PC, it demanded $300 worth of Bitcoin Cryptocurrency in order to supposedly unlock them. It turned out that as the story evolved, the ransomware was later categorized as a wiper, as previously stated, and the computer’s’ files were completely destroyed. Some security experts claim that this attack is more harmful than WannaCry, because rather than spreading only via a weakness in Windows’ SMB, the NotPetya malware can also spread by finding passwords on the infected computer to move from system to system. It extracts passwords from memory and local filesystem. Once inside a corporate network, it works its way from computer to computer, destroying the infected machines’ filesystems.
There has yet to be a solid explanation on the attackers’ motive and what they were after. Researching the attack, NATO said it was likely launched by a state actor or by a non-state actor with support and approval from a nation state since the operation was extremely complex and likely very expensive. The Russian government has been suspected as a possible origin for NotPetya. The latest rumors suggested that it spread by accident by a Ukrainian tax software company, named MeDoc.
NotPetya is continually evolving and more information is exposed every day. As one of the more significant organized attacks in 2017, it should bring awareness to the fact that many are unprotected. Even though large-scale attacks like this are not new, they are important to watch because each time around they are getting stronger and more sophisticated.
It will be fun keeping an eye on more of these trends as they pop up. The next one I’ll dive into is the recent disclosures of public cloud leaks from organizations using the popular AWS services!
By Kory Buckley
Enjoy your read? Read our other blog content here.