NotPetya does not make sense, except it does

July 12, 2017

NotPetya, a rapidly spreading malware that wipes the infected computer systems, made it to the news big time on 27 June. Now that the dust has settled and more details are available, I’ll write down my thoughts about the case.

There are probably hundreds of articles, blog posts and opinions about this ransomware / malware / cyber attack / intel op or whatever. Some generic bullshit, some with excellent points. This is going to be excellent bullshit with generic points.

How it works

NotPetya is self-propagating malware that looks like ransomware but isn’t really. The spread seems to have begun from the Ukrainian accounting software MeDoc. To my understanding, MeDoc was hacked first and used as the root source of infection. The malware crippled a lot of services in Ukraine [NYT].

From the victim’s point of view, NotPetya acts exactly like ransomware. It overwrites the master boot record (MBR), and after the computer reboots, a typical ransom message is displayed with an email address and a bitcoin account where the ransom is to be paid. However, it is not real ransomware for the following reasons:

  • It doesn’t really work; the “decryption code” that is supposed to be sent to the email address is actually random. There’s no way to get the files back. If you want to make money, you don’t make this kind of mistake.
  • Poor payment pipeline: a single email address (which the ISP took down) and a single bitcoin wallet. If you want to make money, you make these steps more robust.

Details about the malware

There’s a good overview by F-Secure’s Andy Patel. He is skeptical about the “nation-state attacker” theory, but the article points out some interesting details about the software itself.

According to F-Secure, the spreading mechanism of the malware is very sophisticated and well tested, utilizing EternalBlue and EternalRomance from the ShadowBrokers leak of April 2017. There are other infection vectors as well.

Other interesting points:

  • Two other components are… “shoddy and seem kinda cobbled together”
  • No command & control at all.
  • In addition to the MBR attack, there is also “user-space encryption”, used as a fallback when the malware can’t elevate itself to admin.
  • User-space encryption seems to be legit, and decryption could actually be possible(!)
  • According to a timestamp found in the sample, the network propagation component was probably under development as early as February 2017 (two months before the ShadowBrokers leak …)

Analysis

The whole thing is somewhat paradoxical. There are sophisticated and carefully tested parts that were not implemented by a group of script kiddies. At the same time, there are hastily built ad-hoc components that don’t look like nation-state work but like the work of a group of script kiddies.

Then again, the target looks like it was carefully chosen. As if the attack was planned and targeted against Ukrainian infrastructure. Given the current political situation in Ukraine, this isn’t necessarily a coincidence.

Hence, appearing as ransomware might be a cover for a targeted cyber operation (or even larger intelligence operation) against Ukraine.

Nation-state level cyber attack against Ukraine

The question everyone is interested in but the press is reluctant to ask directly (at least in Finland): Was NotPetya a Russian-launched cyber operation against Ukraine?

I can’t say that, but there are a lot of non-technical details that point to such a possibility:

  • Sophisticated, well-implemented and well-tested components in the malware. Building such malware costs time and money and requires competent people: the attacker has resources.
  • Poor payment procedure (and non-functional decryption); the attacker had no intention to make money but to disrupt systems.
  • Targeting. The initial target was MeDoc, which was hacked beforehand in order to launch the attack. Since MeDoc is very widely used in Ukraine, it is very likely that the attack was specifically targeted against services and businesses operating in Ukraine.
  • Rosneft infection. Rosneft reported being infected by the malware but suffered nothing. That is, they had 4-month-old unpatched critical vulns, but the best-ever DR team to keep things running without downtime? Moreover, if they were infected but nothing was really affected, why did they make it public? To me, this looks like a false confession and/or intentional misdirection.
  • A Ukrainian intel officer was murdered in Kiev on the very same day NotPetya was launched.

There are a lot of coincidences. But let’s not make too hasty judgements. There is also evidence that does not support this theory:

  • Why implement working user-space encryption as a fallback option if the malware is designed to be just a wiper destroying systems?
  • As mentioned earlier, not all components are as well-written and sophisticated as the spreading mechanism. Maybe “cyberweapon developers” have deadlines too?
  • If you’re willing to use ransomware as a cover for other purposes, why not make real ransomware that actually works? Your cover would be much more convincing.
  • Why blow up the whole thing instead of using the pwned computers for e.g. espionage?

Speculations

All these findings do not add up. If the Russia/Ukraine theory is true, the attackers ran out of time, money or other resources: the less important parts of the malware were poorly implemented, or they did nothing more than the bare minimum needed to gain deniability.

Moreover, according to F-Secure, a timestamp found in the malware sample indicates that at least some components were written in February 2017. The interesting thing: the dump of NSA vulns that were used to spread the malware was published in April 2017.

This leaves us with the following scenarios (at least one of these must be true):

  • NotPetya’s authors added a “fake timestamp” to the malware on purpose, maybe just to cause confusion (or the clock just happened to be wrong ;-)
  • Work on NotPetya started as early as February; the NSA vulns were bundled into the malware afterwards, once they were discovered.
  • NotPetya’s authors actually had the NSA vulns before they were leaked in April, which would imply a link to the ShadowBrokers.
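The “timestamp found in the sample” in reports like F-Secure’s is, assuming it is the usual one, the TimeDateStamp field of the PE file’s COFF header: a four-byte Unix epoch value the linker writes and anyone with a hex editor can overwrite, which is exactly why the first scenario above is plausible. As an added illustration (not code from this post or from F-Secure’s analysis), here is a small Python reader for that field, run over a constructed header-only sample rather than a real NotPetya binary; the February and June dates of the samples are made up, and the 14 April 2017 reference is the public release date of the ShadowBrokers dump.

```python
"""Read the COFF TimeDateStamp of a PE image and compare it with a reference date.

Added illustration: the sample bytes below are constructed, not a NotPetya sample,
and the reader assumes the reported timestamp is the PE header field.
"""
import struct
from datetime import datetime, timezone

# Public release date of the ShadowBrokers dump that contained EternalBlue/EternalRomance.
SHADOWBROKERS_LEAK = datetime(2017, 4, 14, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return the build timestamp claimed by a PE image's COFF file header.

    Layout: 'MZ' DOS header; e_lfanew at offset 0x3C points to 'PE\0\0'; the
    4-byte TimeDateStamp sits 8 bytes after that signature (after the Machine
    and NumberOfSections fields). The value is seconds since the Unix epoch.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def predates_leak(data: bytes, leak: datetime = SHADOWBROKERS_LEAK) -> bool:
    """True when the header claims the file was built before the leak date.

    This is only what the header says; the field is untrusted input and tells
    nothing on its own about when the code was actually written.
    """
    return pe_timestamp(data) < leak


def build_sample(stamp: datetime, machine: int = 0x14C) -> bytes:
    """Construct a minimal header-only PE byte string carrying the given timestamp.

    Not a valid executable, just enough structure for pe_timestamp() to parse.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(
        "<HHIIIHH",
        machine,                 # Machine: IMAGE_FILE_MACHINE_I386
        1,                       # NumberOfSections
        int(stamp.timestamp()),  # TimeDateStamp
        0, 0,                    # PointerToSymbolTable, NumberOfSymbols
        0,                       # SizeOfOptionalHeader
        0x0102,                  # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample claiming a February 2017 build, like the one F-Secure reported.
FEB_SAMPLE = build_sample(datetime(2017, 2, 15, 12, tzinfo=timezone.utc))

# The same bytes with the field rewritten to a post-leak date (also constructed):
# the "fake timestamp" scenario is a four-byte patch, which is why the field alone
# cannot settle when the code was written.
_forged = bytearray(FEB_SAMPLE)
struct.pack_into("<I", _forged, 0x40 + 8,
                 int(datetime(2017, 6, 20, tzinfo=timezone.utc).timestamp()))
FORGED_SAMPLE = bytes(_forged)

if __name__ == "__main__":
    for name, blob in (("february", FEB_SAMPLE), ("forged", FORGED_SAMPLE)):
        print(name, pe_timestamp(blob).isoformat(), "predates leak:", predates_leak(blob))
```

Running it prints the February sample as predating the leak and the patched copy as not, from byte-identical files apart from those four bytes. In practice an analyst corroborates the header value against other evidence, such as the timestamps of the linked libraries, the version-info resource and debug directory entries, or when the sample first appeared in telemetry, before reading anything into it.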

Sum up

This is a weird case; the details are inconsistent and contradictory. If I had to bet on what this is all about, I’d put my money on a targeted attack with the intention to cause harm, maybe even to send a message to Ukraine.

We don’t know what had been going on before 27 June. How long ago was MeDoc initially hacked? How much data had been exfiltrated (if any)? Was the ransom/wiper attack just a nice little fireworks show after a successful operation? Definitely an effective way to destroy evidence.
