Cash, confusion or cyber-warfare: what really motivated NotPetya attack?

There's a lot we do know about the 'Petya' global ransomware attack, not least that it's NotPetya, the latter being the currently accepted moniker, although at least one vendor (Bitdefender) insists on calling it GoldenEye.

So far, so confusing.

We also know that Ukraine seems to be the original, and worst hit, target of the attack. Not that this stopped the infection from quickly spreading to Poland, France, Germany, Spain, the UK, the Netherlands, India, Israel, Australia and finally the USA.

Thankfully, it would appear that we also know how to stop it before it can infect your machines. According to researchers at Positive Technologies, simply adding a file in the C:\Windows folder will prevent NotPetya from overwriting the Master Boot Record. This is more of a machine vaccination than a distribution killswitch as was used successfully to halt the progress of WannaCry.

NotPetya shares another similarity with WannaCry, beyond garnering mainstream media interest: it propagates largely thanks to the NSA 'EternalBlue' exploit, designed to take advantage of the Microsoft SMBv1 vulnerability.

So that's what we know. What we don't know is why the attack was launched in the first place. WannaCry is a great example of how such a global ransomware worm becomes very hard to monetise successfully. Even with the use of crypto-currency accounts, it's almost impossible to cash out the paid ransoms without leaving a trail for global law enforcement to follow. The risk of capture, and the likely length of custodial sentences given the impact of the crime, far outweighs the cash attraction. Which is why nobody tried to get their hands on the money.

Whoever was responsible for NotPetya must also be aware of this simple fact. Setting a low ransom ($300) and scatter gunning the globe is not an intelligent criminal plan. Far better to aim high and target carefully for less risk and higher reward. So if not the cash, what was the motivation behind NotPetya?

According to FortiGuard Labs researchers, the attack could be "a test for delivering future attacks targeted at newly disclosed vulnerabilities". Unfortunately, nobody from the labs, or Fortinet itself, was available to provide any support for this theory. So naturally we asked the wider security industry instead.

Brace for impact

Mike Ahmadi, global director of critical systems security at Synopsys, thinks FortiGuard Labs have probably got it right. "It is indeed quite likely that this was an attempt to prove for the viability of future attacks," Ahmadi told us. "Given the literally thousands of known vulnerabilities that we have discovered in critical infrastructure, I suggest the world brace themselves for a veritable avalanche of attacks."

Ian Thornton-Trump, head of security at ZoneFox, warns that "until the perpetrators are found, arrested and interrogated we will know very little about this attack as to its motivations". That said, he told SC Media that what he thinks we are seeing is a "massive demonstration of capability, using the guise of cyber-criminal attacks to advance the art of cyber-warfare".

Hatem Naguib, general manager of Security at Barracuda, agrees that "although it is difficult to know for certain the exact motivations behind the attack, if we look at the outcome, they do not seem financial". Which, taking the technical aspects of the threat into account, suggests "the motives for Petya would be to create an opportunity to assess how to develop a better cyber attack or causing disruption and gaining notoriety".

David Kennerley, director of threat research at Webroot, concludes that "While the offering appears to be pretty well written from a technical standpoint, the ransom collection process was not so clever. This leads many to believe that the main focus of this ransomware was to cause as much damage and havoc as possible under the guise of ransomware."

The damage argument is one put forward by Stu Sjouwerman, CEO at KnowBe4, who thinks it was "open cyber-warfare" aimed at "trying to shut down a large part of the Ukrainian economy". Everything else, Sjouwerman insists, was collateral damage.

The economic damage argument is also put forward by Kevin Magee, cyber-security strategist at Gigamon, who told us, "NotPetya is targeting developer code such as Python scripts and Visual Basic, as well as things like PowerPoint, VMware images and Excel spreadsheets. Furthermore, the fact that the initial delivery method was by means of a compromised accounting software update slam dunks it for me that the purpose of NotPetya was to cause economic damage, not collect ransoms."

Joseph Carson, chief security scientist at Thycotic, likes to put himself in the shoes of the attacker and told SC, "In the world of hacking, the most intelligent way to get away with a crime is distraction while the real crime happens elsewhere..."

As for what that crime might be, Carson is convinced that "the real money is being made via currency manipulation on a large scale with bitcoin being the financial motive". Talking further with Carson, the thinking behind this appears to be that, by suddenly increasing the number of bitcoin wallets, you can manipulate the value, and as if to prove his point, bitcoin saw an increased valuation of nearly 10 percent across the 48 hours following NotPetya.

We will leave the last word with Graeme Park, a senior consultant at Mason Advisory and former 'cyber expert' with the British Army. Park confided to SC that the motivation has all the hallmarks of being geopolitical, especially the timing, which coincides with the anniversary of Ukraine's adoption of a constitution after splitting from the Soviet Union.

The ransomware angle is likely down to Russian "state based use of sub-state actors and criminal groups in order for the state to distance itself from the attack".

What Park is convinced of is that it wasn't a test run, or reconnaissance-in-force in military parlance, for anything. "The second global ransomware attack within a month means that organisations (especially CNI) will be investing in defences," Park explains.

"The attack leveraged high-end exploits stolen from the NSA, and without access to additional exploits an attacker using this as a test run is likely to have just warned his target. Yes, defences and procedures have been understood, but without follow-up with a second high-end vulnerability there is now time to focus on defensive principles and impart lessons..."
