NotPetya does not make sense, except it does


NotPetya, a rapidly spreading malware that wipes the computer systems it infects, made it into the news big time on 27th June. Now that the dust has settled and more details are available, I’ll write down my thoughts about the case.

There are probably hundreds of articles, blog posts and opinions about this ransomware / malware / cyber attack / intel op or whatever. Some generic bullshit, some with excellent points. This is going to be excellent bullshit with generic points.

How it works

NotPetya is an automatically spreading malware that looks like ransomware but really is not. It seems that the spread began from a Ukrainian accounting software, MeDoc. To my understanding, MeDoc was hacked first and used as the root source of infection. The malware crippled a lot of services in Ukraine.

From the victim’s point of view, NotPetya acts exactly like ransomware. It overwrites the master boot record (MBR), and after the computer reboots, a typical ransom message is displayed with an email address and a bitcoin address to which the ransom should be paid. However, it is not real ransomware, for the following reasons:

Details about the malware

There’s a good overview by F-Secure’s Andy Patel. He is skeptical about the “nation-state attacker” theory, but the article points out some interesting details about the software itself.

According to F-Secure, the spreading mechanism of the malware is very sophisticated and well tested, utilizing EternalBlue and EternalRomance from the Shadow Brokers leak of April 2017. There are other infection vectors as well.
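The “How it works” section above notes that the malware overwrites the master boot record. From a defender’s side, the practical counterpart is an integrity check on the first sector of a disk: record a hash of the boot code while the machine is known-good, and later compare the live sector against it. The following is an added example, not code from the original post or from F-Secure’s analysis; the layout it parses is the classic 512-byte DOS MBR (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature), and the two sample sectors at the bottom are constructed stand-ins, not real NotPetya artifacts.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow the code
PARTITION_ENTRY_LEN = 16
SIGNATURE_OFF = 510          # bytes 510..511 must be 0x55 0xAA


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (status, type, LBA start, sector count)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(data: bytes) -> dict:
    """Split a raw 512-byte sector into signature check, boot-code hash and partition table."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(data)}")
    signature_ok = data[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa"
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        entry = data[off:off + PARTITION_ENTRY_LEN]
        if entry != b"\x00" * PARTITION_ENTRY_LEN:   # skip unused slots
            partitions.append(parse_partition_entry(entry))
    return {
        "signature_ok": signature_ok,
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(data: bytes, baseline_boot_code_sha256: str) -> list:
    """Compare a live sector against a recorded baseline; an empty list means no findings."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from recorded baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, one bootable type-0x07 partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    first_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = first_entry + b"\x00" * (PARTITION_ENTRY_LEN * 3)
    return code + table + b"\x55\xaa"


# Constructed stand-in for a vendor boot loader, hashed while the machine is known-good.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Constructed sector whose boot code was replaced but whose partition table was left intact,
# which is the pattern a bootloader-overwriting wiper produces.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x41" * 100)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a real host the 512 bytes would come from the raw disk device (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, both of which need administrative rights to open); the baseline hash should be stored off the machine, since anything on the disk itself can be rewritten along with the MBR.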

Other interesting points:

Analysis

The whole thing is somewhat paradoxical. There are sophisticated and carefully tested parts that were clearly not implemented by a group of script kiddies. At the same time, there are hastily built ad hoc components that look less like nation-state work and more like a group of script kiddies.

Then again, the target looks like it was carefully chosen. As if the attack was planned and targeted against Ukrainian infrastructure. Given the current political situation in Ukraine, this isn’t necessarily a coincidence.

Hence, appearing as ransomware might be a cover for a targeted cyber operation (or even larger intelligence operation) against Ukraine.

Nation-state level cyber attack against Ukraine

The question everyone is interested in, but which the press is reluctant to ask directly (at least in Finland): Was NotPetya a Russian-launched cyber operation against Ukraine?

I can’t say that, but there are a lot of non-technical details that point to such a possibility:

There are a lot of coincidences. But let’s not make too hasty judgements. Not all the evidence supports the theory that NotPetya was Russia’s cyber operation against Ukraine:

Speculations

These findings do not add up. If the Russia / Ukraine theory is true, the attackers ran out of time, money or other resources: the less important parts of the malware were poorly implemented, or they did no more than was necessary in order to gain deniability.

Moreover, according to F-Secure, a timestamp found in a malware sample indicates that at least some components were written in February 2017. Interestingly, the dump of NSA exploits that were used to spread NotPetya was only leaked in April 2017 (the Shadow Brokers leak).

This leaves us with the following scenarios (at least one of these must be true):

Sum up

This is a weird case: the details are inconsistent and contradictory. If I had to bet on what this is all about, I’d put my money on a targeted attack, with the intention to cause harm, maybe even to send a message to Ukraine.

We don’t know what had been going on before 27th June. How long ago was MeDoc initially hacked? How much data had been exfiltrated (if any)? Was the ransom/wiper attack just a nice little fireworks show after a successful operation? Definitely an effective way to destroy evidence.

Jussi-Pekka Erkkilä