sb-eu logo
Story image

A system wiper with no recourse: Researchers discover what NotPetya attack was really after

05 Jul 2017

As the dust settles on the NotPetya attacks that flooded various parts of the world last week, security researchers have put the pieces together about what its true purpose was.

It is now being called a 'wiper', or a specific malware that erases all trace of data on systems. NotPetya went one step further by corrupting the Master Boot Record - a critical part of any system's boot process.

ESET senior research fellow Nick FitzGerald says that it was most likely a state-sponsored attack through malware - not unlike a recent spate of attacks against Ukrainian targets.

He believes that Diskcoder.C was initially attached to the tax accounting software MeDoc. In addition, further distribution through a watering-hole attack on a compromised Ukrainian news site also may have spread the malware.

In addition, NotPetya featured three other distinct tells that this may have been a targeted attack:

"Its LAN-only spreading mechanisms could be expected to largely contain its spread to the victims’ networks only. Diskcoder.C was made to appear to be a ransomware campaign although it is really a simple “disk killer”. Disk killers masquerading as ransomware have been used against Ukrainian targets before. And the coordination of both attacks in the previous examples would require considerable luck or the backing of substantial resources,” FitzGerald comments.

Digital Shadows' Rick Holland agrees. He believes it was likely a targeted attack.

"While the malware’s functionality has reportedly made it highly effective at propagating to machines within a local network, it has been reported as having no function for spreading outside of these local networks. It was therefore assessed as likely to be much more effective for conducting targeted attacks than WannaCry."

He specifically mentions that the ransom payment method wasn't about giving attackers revenue through ransom demands. Victim ID numbers were randomly generated, rather than derived from the encryption key. As a result, even if the victim had paid ransom and made contact, there would be no way for the attackers to provide the right decryption key.

With monetary gain as a motivation out the picture, the most likely motivation left for NotPeyta’s behavior is destructive malicious intent. Nation state actors conduct malicious cyber-attacks to fulfill geostrategic objectives. With this in mind, NotPeyta does demonstrate an advanced understanding of how to mount a wide spread hard hitting cyber-attack, and to capitalize on this attack with maximum media exposure," he says.

With regards to why, Holland believes that geopolitical context and target geography made Ukraine and Europe a ripe target.

"The initial attack occurred during the Ukrainian holiday celebrating independence from Russia. If one subscribes to the theory that Russian state or affiliated actors are responsible, this had the tactical effect of delaying a coherent response from Ukrainian defenders and strategically punishing Ukraine for its independence from Russia. Although these facts are interesting - and they do suggest that the malware was actively aimed at the Ukrainian economy - they are circumstantial and do not conclusively link the incident to any particular nation state. Attribution is and will continue to be a challenge," he says.

What's to come? Holland believes that the NotPetya campaign demonstrates that organisations need to prepare for all attacks, even ones that aren't specifically targeting their own organisations. With attack tools easier to come by, threat actors are getting more access to powerful tools.

Read more about NotPetya as it unfolded here.

Story image
Zero trust is the way to secure the distributed workforce - Empired
Existing security solutions need to evolve to accommodate the new remote workforce.More
Story image
Misinformation on the rise, organisations consider how best to respond
The increase in misinformation and fake domains have left organisations perceiving the threat level to be ‘very significant’, with a third planning greater emphasis on their ability to respond in coming months.More
Story image
Ripple20 threat has potential for 'vast exploitation', ExtraHop researchers find
One in three IT environments are vulnerable to a cyber threat known as Ripple20. This is according to a new report from ExtraHop, a cloud-native network detection and response solutions provider. More
Story image
Check Point acquires Odo Security to bolster remote security offering
The deal will integrate Odo’s remote access software with Check Point’s Inifinity architecture, bolstering the latter company’s remote security capabilities in a time where working and learning from home has become the norm, and looks to largely remain that way in the near future.More
Story image
Bitglass receives US patent for SAML technology
Bitglass designed its SAML relay to allow a cloud access security broker (CASB) to be inserted into the traffic flow between users and cloud services during the login process.More
Story image
Research: 61% of companies have suffered an insider attack in last 12 months
It comes as rapid migration to cloud and remote working and BYOD scenarios leave organisations increasingly vulnerable to insider attacks as a result of the upheaval caused by the COVID-19 pandemic.More