NotPetya, a rapidly spreading malware that wipes the infected computer systems, made it to the news big time in 27th June. Now as the dust has settled down, and there is more details available, I’ll write down my thoughts about the case.
There are probably hundreds of articles, blog posts and opinions about this ransomware / malware / cyber attack / intel op or whatever. Some generic bullshit, some with excellent points. This is going to be excellent bullshit with generic points.
How it works
NotPetya is an automatically spreading malware that looks like ransomware which it really is not. It seems that the spread began from a Ukrainian accounting software MeDoc. To my understanding, MeDoc was hacked initially and used as a root-source of infection. The malware crippled a lot of services in Ukraine.
From the victim’s point of view, NotPetya acts exactly like ransomware. It overwrites the master boot record (MBR) and after rebooting the computer, a typical ransom message is displayed with an email address and a bitcoin account where to pay the ransom. However, it is not a real ransomware for following reasons:
- It doesn’t really work; “decryption code” that should be sent to the email address, is actually random. There’s no ways to get files back. If you want to make money, you don’t do this kind of a mistake.
- Poor payment pipeline; single email address (which was taken down by ISP) and a single bitcoin wallet. If you want to make money, you should make these steps more robust.
Details about the malware
There’s a good overview by F-Secure’s Andy Patel. He is skeptical about “nation-state attacker” -theory, but the article points out some interesting details about the software itself.
According to F-Secure, the spreading mechanism of the malware is very sophisticated and well tested, utilizing EternalBlue and EternalRomance from ShadowBrokers leak in April 2017. There are other infection vectors as well.
Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That’s why patched systems can get hit.
Source: @mikko via Twitter
Other interesting points:
- Two other components are… “shoddy and seem kinda cobbled together”
- None kind of command & control.
- In addition to MBR, also “user-space encryption” available, which is a fallback option if the malware is unable to gain admin privileges.
- User-space encryption seems to be legit and decryption could be actually possible(!)
- According to a timestamp found from the sample, the network propagation component was probably on development as early as February 2017 (two months prior the ShadowBrokers leak …)
The whole thing is somewhat paradoxic. There are sophisticated and carefully tested parts, that are not implemented by a group of script kiddies. At same time, there are hastily built ad-hoc components that do not seem nation-state stuff but a group of script kiddies.
Then again, the target looks like it was carefully chosen. As if the attack was planned and targeted against Ukrainian infrastructure. Given the current political situation in Ukraine, this isn’t necessarily a coincidence.
Hence, appearing as ransomware might be a cover for a targeted cyber operation (or even larger intelligence operation) against Ukraine.
Nation-state level cyber attack against Ukraine
The question everything is interested but press is reluctanct to ask directly (at least in Finland): Was NotPetya a Russian-launched cyber operation against Ukraine?
I can’t say that, but there are a lot of non-technical details that indicate such possibility:
- Sophisticated, well-implemented and well-tested components in the malware. Building such malware takes a lot of time and money, and requires competent people: the attacker has resources.
- Poor payment procedure (and non-functional decryption); the attacker had no intention to make money but to disrupt systems.
- Targeting. Initial target was MeDoc which was hacked beforehand in order to launch the attack. Since MeDoc is very widely used in Ukraine, it is very likely that the attack was specifically targeted against services and businesses operating in Ukraine.
- Rosneft infection. Rosneft reported to be infected by the malware but suffered nothing. That is, they had not patched 4-month-old critical vulns, and meanwhile they had the best-ever DR / IR team to keep things running without downtime?
- Moreover, if they were infected but nothing was really affected, why they made it public? For me, this seems a false confession and / or intentional misdirection.
- Ukrainian intel officer was murdered in Kyiv on the very same day as NotPetya was launched.
There are a lot of coincidences. But let’s not make too hasty judgements. Not all evidence support the theory, that NotPetya was Russia’s cyber operation against Ukraine::
- Why to implement a working user-space encryption as a fallback option, if the malware is designed to be just a wiper destroying systems?
- As mentioned earlier, all components are not as well-written and sophisticated as the spreading mechanism. Maybe “cyberweapon developers” have deadlines too?
- If you’re willing to use ransomware as a cover for other purposes, then why not to make real ransomware that actually works? Your cover would be much more convincing.
- Why to blow up the whole thing, and not to use pwn’d computers for i.e. espionage instead?
All these findings do not add up. Given that this Russia / Ukraine -theory is true, the attackers have run out of time, money or other resources. Less-important parts of the malware have been poorly implemented, or they’ve done nothing more than the necessary things in order to gain deniability.
Moreover, according to F-Secure, a timestamp detected in malware sample indicates that at least some components are written on February 2017. Interesting thing: a dump of NSA vulns that were used to spread NotPetya, was leaked in April 2017 (Shadow Brokers leak).
This leaves us following scenarios (at least one of these must be true):
- NotPetya authors added a “fake timestamp” to the malware on purpose, maybe just to cause confusion (or the clock just happened to be wrong ;-)
- Writing of NotPetya was started as early as in February, NSA vulns were bundled in to the malware afterwards, once they were discovered.
- NotPetya authors actually had NSA vulns before they were leaked in April, which would imply a link to the ShadowBrokers.
This is a weird case, details are inconsistent and contradictory. If I had to bet on what’s this all about, I’d put my money on a targeted attack, with intention to cause harm, maybe even send a message to Ukraine.
We don’t know what have been going on before 27th June. How long since the MeDoc was initially hacked? How much data had been exfiltrated (if any)? Was the ransom/wiper attack jut a nice little fireworks show after a successful operation? Definitely an effective way to destroy evidence.