Motive & Effect: Implications of the NotPetya Attack
The news has been everywhere in business circles, the halls of parliament, and even cafes. NotPetya, the ransomware that marked a significant evolution in cyber weapon development nearly put the global economy to a halt. This dangerous ransomware was the latest in cyber weapons after WannaCry. The intent was even more malicious, rather than extortion which is what ransomware was named for, NotPetya was developed for pure sabotage. NATO researcher Lauri Lindström, has said of NotPetya
“…it seems likely that the more sophisticated and expensive NotPetya campaign is a declaration of power – demonstration of the acquired disruptive capability and readiness to use it.”
It has been the intent of NotPetya that has led researchers to the conclusion that attack was from a state actor. Before discussing the global effects and political implications of NotPetya, it is important.
NotPetya is in a class of its own when it comes to cyber weapons, it is not the common type of ransomware. NotPetya has a host of features that make it extremely dangerous. Some of these features include a modified version of the EternalBlue exploit, total system encryption, local network spread, and it deletes a system’s master boot record. So in effect NotPetya makes very critical files unrecoverable.
Delivery and Installation
NotPetya is not an executable file (.exe) like previous ransomware. Instead it is a .dll file which needs to be executed by another program. In the case of NotPetya, it was executed by MeDoc’s update software. When MeDoc’s updater executed its standard process, it activated NotPetya, which then installed on other machines. MeDoc was infected from credential theft and was then used as a host for subsequent effects thanks to a number of vulnerabilities in MeDoc’s systems.
NotPetya infects the entire internal network and can easily bring down a company’s entire operation. This was made possible because the developers of NotPetya stole an exploit code developed by the US National Security Agency (NSA). This exploit takes advantage of vulnerabilities in Microsoft’s EternalBlue and EternalRomance.
Motive and Global Effect
As stated above, early on NATO researchers came to the conclusion that NotPetya was the responsibility of a state actor, mainly due to the amateurish ransom collection method. It was speculated that the ransom was a diversion tactic or hype tactic to spread awareness of the attack. NotPetya also only spreads on local networks after the initial infection, supporting the idea that this was intended to be a targeted attack. Additionally, NotPetya had a built-in killswitch which has indicated to NATO researchers that the attack was meant to be controlled and targeted. There was suggestion that the attack was intended to be a show of force, similar to how states display power to one another.
The idea of a state actor being behind the attack was quickly being supported by cyber security experts until recently. Allegedly, the authors of NotPetya have released a statement on pastebin demanding ~$250,000 (100 Bitcoins) in exchange for the decryption keys. Many were skeptical at first, but the message had a unique fingerprint that was associated with the NotPetya ransomware. Rather than merely speculating on the authenticity of the post, Joseph Cox and Lorenzo Franceschi-Bicchierai of Vice Motherboard contacted the authors of the pastebin post and asked for proof they were the author.
In response, the author quickly decrypted a file provided by Vice Motherboard. Demonstrating they had access to the source code. Anton Cherepanov, Malware Researcher at ESET, has stated:
“They have key, so must be same people.”
With the ransom demand and ability to decrypt the file, the theory put forward initially by cyber security experts is challenged.
Another suggestion was the idea of currency manipulation. Since the hackers use Bitcoin there is an interesting dynamic they can use to manipulate the price of the value of the digital currency. However this theory is quickly debunked when looking at the price of bitcoin overtime from shortly before the attack and after. There was a fluctuation, but it does not seem inconsistent with the common fluctuations in price.
Political Implications and Revelations
In the wake of the NotPetya attack, many are questioning NotPetya’s used exploits developed by the U.S. National Security Agency (NSA). The primary question is concerned with the use of cyber weapon development by states. The private sector including Microsoft has declared the NAS to be the source of the vulnerabilities exploited by NotPetya and WannaCry. Experts have been critical of the NSA’s ability to keep its cyber weapons secure. The larger dynamic that seems to be happening is with every data breach in the NSA, the cyber arms race accelerates faster between states.
NotPetya has also demonstrated the disruption it can cause on a global level. For companies that were affected it put their global operations to a grinding halt including Fedex and shipping giant Maersk. Governments around the world now recognize their own vulnerability to attacks that can bring down a country. Whether or not the attacker is a small group or state, the capability is in anyone’s hands. The global economy can be brought to a standstill in a matter of seconds. How do you anticipate the world will react to this new frontier of cyber warfare?