sb-nz logo
Story image

A system wiper with no recourse: Researchers discover what NotPetya attack was really after

05 Jul 2017

As the dust settles on the NotPetya attacks that flooded various parts of the world last week, security researchers have put the pieces together about what its true purpose was.

It is now being called a 'wiper', or a specific malware that erases all trace of data on systems. NotPetya went one step further by corrupting the Master Boot Record - a critical part of any system's boot process.

ESET senior research fellow Nick FitzGerald says that it was most likely a state-sponsored attack through malware - not unlike a recent spate of attacks against Ukrainian targets.

He believes that Diskcoder.C was initially attached to the tax accounting software MeDoc. In addition, further distribution through a watering-hole attack on a compromised Ukrainian news site also may have spread the malware.

In addition, NotPetya featured three other distinct tells that this may have been a targeted attack:

"Its LAN-only spreading mechanisms could be expected to largely contain its spread to the victims’ networks only. Diskcoder.C was made to appear to be a ransomware campaign although it is really a simple “disk killer”. Disk killers masquerading as ransomware have been used against Ukrainian targets before. And the coordination of both attacks in the previous examples would require considerable luck or the backing of substantial resources,” FitzGerald comments.

Digital Shadows' Rick Holland agrees. He believes it was likely a targeted attack.

"While the malware’s functionality has reportedly made it highly effective at propagating to machines within a local network, it has been reported as having no function for spreading outside of these local networks. It was therefore assessed as likely to be much more effective for conducting targeted attacks than WannaCry."

He specifically mentions that the ransom payment method wasn't about giving attackers revenue through ransom demands. Victim ID numbers were randomly generated, rather than derived from the encryption key. As a result, even if the victim had paid ransom and made contact, there would be no way for the attackers to provide the right decryption key.

With monetary gain as a motivation out the picture, the most likely motivation left for NotPeyta’s behavior is destructive malicious intent. Nation state actors conduct malicious cyber-attacks to fulfill geostrategic objectives. With this in mind, NotPeyta does demonstrate an advanced understanding of how to mount a wide spread hard hitting cyber-attack, and to capitalize on this attack with maximum media exposure," he says.

With regards to why, Holland believes that geopolitical context and target geography made Ukraine and Europe a ripe target.

"The initial attack occurred during the Ukrainian holiday celebrating independence from Russia. If one subscribes to the theory that Russian state or affiliated actors are responsible, this had the tactical effect of delaying a coherent response from Ukrainian defenders and strategically punishing Ukraine for its independence from Russia. Although these facts are interesting - and they do suggest that the malware was actively aimed at the Ukrainian economy - they are circumstantial and do not conclusively link the incident to any particular nation state. Attribution is and will continue to be a challenge," he says.

What's to come? Holland believes that the NotPetya campaign demonstrates that organisations need to prepare for all attacks, even ones that aren't specifically targeting their own organisations. With attack tools easier to come by, threat actors are getting more access to powerful tools.

Read more about NotPetya as it unfolded here.

Story image
How a vantage point sees threats before they impact
When the focus has been on adversaries that develop increasingly complex and sophisticated attacks, tried and true techniques such as compromised credentials continue to be amongst the most potent weapons.More
Story image
DDoS attacks surge, becoming more sophisticated
After doubling from Q1 to Q2, the total number of network layer attacks observed in Q3 doubled again — resulting in a 4x increase in number compared to the pre-COVID levels in the first quarter. More
Story image
Data leakage concerns dominate cloud security perceptions - Bitglass report
How secure is the public cloud? That’s what many IT and security professionals are asking as data leakage becomes a pressing concern for organisations and their data protection strategies.More
Story image
Spark's CCL signs multimillion-dollar object storage deal with Cloudian
“With public cloud soaring and the expected local entry of CCL’s strategic partner, Microsoft, in the next few years, NZ’s ICT future is certain to be hybrid."More
Story image
Forrester names Thycotic a Leader in privileged access management
Thycotic received the highest possible score in 11 of the 24 criteria in the study, including SaaS/cloud, innovation roadmap, and integrations, deployment, supporting products and services, commercial model, and PIM installed base.More
Story image
Check Point a Leader in Firewall Magic Quadrant for 21st Time
It is the 21st time in the company’s history that Check Point has been named a Leader in Gartner’s Magic Quadrant for Enterprise Network Firewalls.More