Lightning Strikes Twice

Feature Article

A string of disruptive cyberattacks across the world suggests there are more on the way

In March 2016, the menacing Petya was discovered and has been causing havoc ever since. Its latest disruption took centre stage in June 2017, as several organisations across the globe were affected by this piece of malware. The attack was particularly troublesome in Ukraine, where the attack is believed to have originated, as it managed to disable operations at the Chernobyl nuclear facility. A screen appeared on infected computers demanding $300 in cryptocurrency to release compromised files.

According to several experts, this malware appears similar to WannaCry, a computer virus which affected many in Europe, including the NHS in the UK. Petya exploited the same software vulnerability, yet was not quite the same kind of attack as WannaCry since the computers infected with the Petya virus had its files deleted after being encrypted. Thus, paying the ransom would not have unlocked the locked files. It was, therefore, a “destroy and damage” sort of cyber attack, according to Matt Suiche from Camaeio, a security company.

It nevertheless confirms a growing trend of dangerous attacks via ransomware, with the number of such incidents increasing by 50% in 2016 (read more). Even more worryingly, both Petya and WannaCry expose a troubling future for cyberspace and all those who rely on it. With every attack which takes place, the internet becomes an increasingly pernicious and unpredictable place, and it does not seem like it will be getting better any time soon.

Same Difference

At the time of its outbreak, Kaspersky, a security company, dubbed the virus NotPeyta due to its differences from the previous versions discovered around a year before. FireEye, another security firm, claimed that this latest form of the virus was able to spread by exploiting a previously identified vulnerability during the WannaCry attack. This exploit, known as the EternalBlue exploit, was a vulnerability exposed in the operating system of Microsoft computers. It was originally found and used by the US National Security Agency. Microsoft has criticised the NSA for “stockpiling” vulnerabilities in its software, according to The Financial Times, which has now materialised into a major and damaging cyber attack.

Many sources have suggested that the malware was released via from a poisoned version of the MeDoc software suite, a tax accounting software. Although there were some who believed that the virus was released by a malicious email sent out in a phishing campaign, analysis by IT company Avecto showed that the virus was in fact released from the MeDoc software update. Once on the computer, the virus seeks to obtain the administrative rights to access important credentials. Once in the system, the virus then overwrites the operating system to initiate a reboot of the machine. It then displays an imitated reboot screen showing that the hard disk is being repaired when the files located on the disk were actually being encrypted.

The malware also spread to other machines on the network using stolen credentials as well as the EternalBlue exploit. The virus also looked for computers which the infected machine had recently interacted and infiltrate those systems too. Unlike WannaCry however, the virus did not look for random IP addresses and thus only spread across computers across the local network it infected, limiting its global reach. This explains why Ukraine was hit particularly hard. Even Anton Gerashchenko, an aide to the Interior Ministry, called the cyber attack “the biggest in Ukraine’s history.”

Who and Why?

Further analysis of this malware suggested that this was not a typical ransomware attack where the attackers were looking for significant gain, financial or otherwise. This is suggested by the fact that the files which were encrypted were actually deleted, meaning paying the ransom would not have triggered the release of the files. Furthermore, the payment methods set up appeared quite careless; only one email was provided as a way of contact with the supposed attackers and only a single bitcoin wallet was used. The email account was deactivated, and although the bitcoin wallet was still active it is likely that law enforcement would have been keeping a close eye on it.

This suggests that the attacker’s aim was more about disruption than actually trying to gain something. One plausible theory suggests that this was more politically motivated. Around 80% of Ukrainian businesses used the tax accounting software at the time of the attack, according to analysis by Cisco, a security company. It was also confirmed by Symantec, another security company, that most of the victims of the virus were Ukrainian organisations. There is also the timing of the attack; it began on June 27th, a day before Ukraine’s Constitution Day, which is a national holiday.

As such, some have pointed fingers at Russia, including, Ukraine’s national security chief Oleksandr Turchynov who claimed that the cyber attack had a “Russian footprint.” Ukrainian politicians have also made similar accusations. However, considering that Russian companies such as Rosneft and Evraz, an oil company, were also affected, it is not entirely clear who the attacker was, despite their motives appearing not all that equivocal. In addition, and as often the case, law enforcement will have a tough time tracking down the culprits, as admitted by John Carlin, former assistant attorney general at the US Department of Justice.

Yet, whoever the attackers were and whatever their motives may have been, both the NotPeyta and the WannaCry viruses are signals of the inevitable future of mass cyber attacks. Just like NotPeyta was a creature of WannaCry, malware can be made adaptable, making the same kind of exploits and vulnerabilities a constant danger. The problems are also exacerbated when companies fail to update their software. After the WannaCry attack, Microsoft released the appropriate patches, including for its unsupported XP operating system. Simple steps such as updating software and using the latest operating system’s can alleviate the majority of attacks. But even so, hackers are becoming more sophisticated with their own tools and methods. Due to the lack of embedded security of the internet and the machines which use it, it is the attackers that always seem one step ahead.


New Cyberattack Goes Global, Hits WPP, Rosneft, Maersk

The Petya Plague Exposes the Threat of Evil Software Updates

Petya outbreak: What’s the motive behind this major cyber attack?

Who is behind the latest cyber attack?

Why breaking encryption to combat terrorism carries risks

Little green malware: Another malware attack stalks the world’s computers

Petya Ransomware Spreading Via EternalBlue Exploit

NotPetya ransomware: Attack analysis

Next WannaCry Cyber Attack Could Cost Insurers $2.5 Billion