NotPetya is widely known as one of the most devastating variants of malware in history. Its impact was felt most heavily in Ukraine, but its area of effect was global. The success of this cyber attack was significantly due to the release of a 0-day exploit called EternalBlue. In this case, it was a 0-day vulnerability in Windows systems. The patch to mitigate it was released in early 2017. However, unpatched Windows systems remained in extreme danger of exploitation. The creators used EternalBlue in conjunction with a familiar hacking tool called Mimikatz, an open-source post-exploitation tool used to gather login credentials from targeted systems. EternalRomance was another flaw exploited by NotPetya. The combination of EternalBlue, EternalRomance, and Mimikatz allowed for the widespread distribution of NotPetya, which behaves similarly to Petya.
On June 27, 2017, a small computer security company called Linkos Group became the first hit. The attacker pushed the malware via a malicious update of the M.E.Doc software, which is used for small business tax and accounting needs. NotPetya appeared to behave like ransomware; it encrypts the entirety of the target system and demands that the victim pay a ransom to regain access to its files. However, it damages system data beyond the point of decryption. NotPetya investigations revealed that its creators were not financially motivated. It was wiperware, and paying the ransom did not result in the data being decrypted. Even more devastating was its capability to self-propagate. The malicious M.E.Doc update was pushed to its users, but NotPetya used several other tactics, techniques, and procedures to infect as many machines as possible. EternalBlue and EternalRomance exploited Server Message Block (SMB) vulnerabilities in Windows machines, allowing remote code execution on its targets. Credentials throughout affected networks were gathered and reused, giving NotPetya worm-like capabilities.
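The propagation pattern just described, one harvested credential reused over SMB to run code on many hosts in quick succession, is also a detection opportunity for defenders. The following Python is an added example, not code from the essay or from any NotPetya analysis; it runs a fan-out heuristic over constructed log lines whose field format (src, dst, user, proto, action) is an assumption for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Assumed one-line format:
# "<ISO-8601 time> src=<host> dst=<host> user=<account> proto=<SMB|...> action=<logon|exec>"
SAMPLE_LOG = """\
2017-06-27T10:30:01 src=ws01 dst=fs01 user=svc_backup proto=SMB action=logon
2017-06-27T10:30:02 src=ws01 dst=fs01 user=svc_backup proto=SMB action=exec
2017-06-27T10:30:04 src=ws01 dst=ws02 user=svc_backup proto=SMB action=logon
2017-06-27T10:30:05 src=ws01 dst=ws02 user=svc_backup proto=SMB action=exec
2017-06-27T10:30:07 src=ws01 dst=ws03 user=svc_backup proto=SMB action=logon
2017-06-27T10:30:08 src=ws01 dst=ws03 user=svc_backup proto=SMB action=exec
2017-06-27T10:45:00 src=ws07 dst=fs01 user=alice proto=SMB action=exec
2017-06-27T11:10:00 src=ws07 dst=fs02 user=alice proto=SMB action=exec
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)

def parse_events(text):
    """Parse log lines into dicts with a datetime 'ts'; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def detect_smb_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag each (src, user) pair that executes code over SMB on >= min_hosts distinct
    destinations inside one sliding time window (burst fan-out from one credential)."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["proto"] == "SMB" and ev["action"] == "exec":
            by_pair[(ev["src"], ev["user"])].append((ev["ts"], ev["dst"]))
    alerts = []
    for (src, user), hits in by_pair.items():
        hits.sort()  # chronological, so each window starts at a real event
        for i, (start, _) in enumerate(hits):
            hosts = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "user": user, "hosts": sorted(hosts)})
                break  # one alert per (src, user) pair is enough
    return alerts
```

In the sample, svc_backup's three executions from ws01 within seven seconds trigger an alert, while alice's two ordinary, widely spaced accesses stay below the threshold.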
In a matter of hours, NotPetya took down more than 300 companies. While most of the systems affected were in Ukraine, they weren’t the only ones. It spread extremely fast, reached 65 countries, and caused an estimated total of $10 billion in damages (Greenberg, 2020). One of the world’s largest container shipping companies, Maersk, was brought to a halt, causing delays worldwide. It suffered a loss of almost 300 million, and it took several weeks for business operations to return to normal. NotPetya took down 22 banks, six power companies, two airports, four hospitals, and several government agencies in Ukraine. An extreme example: ATMs across Kyiv stopped working, and people couldn’t withdraw cash because card machines were down.
Could NotPetya have been prevented?
The EternalBlue exploit had been used by other malware variants before NotPetya, and Microsoft released patches in March 2017. The following month, an online hacking group called The Shadow Brokers leaked the exploit. Before that, the group was known for revealing several confidential tools and software from the NSA.
While there was some time for system administrators to update their systems, NotPetya was different from other malware because of its ability to propagate and to use other means to compromise systems and gather credentials. Patching the flaw exploited by EternalBlue would have made it more difficult for NotPetya to be effective. Still, Advanced Persistent Threats (APTs) most likely would have figured out other methods to compromise systems and execute their malware. If nation-state-sponsored actors had the goal of devastating Ukraine with malware through a cyber attack, they would do it with or without a 0-day vulnerability. EternalBlue simply made it easy for them to carry out such an attack.
What did we learn from NotPetya?
Ukraine was the main target of this cyber attack. The threat actors behind NotPetya chose June 27 because it was the day before Constitution Day in Ukraine. They knew fewer people would be monitoring systems, and many employees would be on vacation. The attack was attributed to Russian actors. A history of disputes with Ukraine, combined with superior capabilities in cyberspace, allowed Russia to overwhelm and devastate its unprepared adversary. The attack also triggered a physical response from Ukrainian law enforcement. On July 4, 2017, Ukrainian police conducted a raid on the software development firm believed to have launched the original malware.
The unintended result of NotPetya was its global impact. This variant of malware sparked a nationwide panic across Ukraine and was capable of bringing down entire companies’ IT infrastructure in a matter of minutes. This incident revealed how damaging a cyber attack can be in a short amount of time. In the fall of 2020, the US charged six hackers from Russia’s main intelligence branch with an extensive list of international cybercrimes, including this cyberattack. Advanced persistent threats take advantage of exploit leaks and released malware by altering the source code to make them more devastating. In this case, the modified Petya became wiperware. Despite the patch being released before NotPetya, other tools were added in conjunction with EternalBlue to increase its effectiveness. Malware is therefore continually being adjusted to become more advanced in its potential for impact.
A few other instances reveal how cyberattacks can have extreme consequences for heavily relied-upon infrastructure. Targeted ransomware was expected to increase alongside user-identifying technology; NotPetya, however, was unusual in that it did not use phishing or spear-phishing as the means of initial compromise. Future cyberattacks will place more value on 0-day exploits, especially in widely used operating systems such as Windows.
Severe consequences from a cyberattack were recently felt with the ransomware attack on Colonial Pipeline. In this instance, ransomware shut down a massive oil pipeline running across much of the Eastern US. The shutdown caused panic buying of gasoline, delays in air travel, and slightly higher fuel prices. The danger with this type of compromise is the capability for direct impact on physical infrastructure. The attack could have affected natural gas pipelines.
Changes in policy and compliance can slow down cyber attacks and make relied-upon infrastructure more secure. However, cybersecurity legislation continually trails behind the most recent exploit or malware variant. NotPetya revealed how vulnerable critical infrastructure is to advanced threat actors. Yet a significant domestic impact seems to be the only instance in which policymakers take substantial measures in mitigation.
Greenberg, A. (2020). Sandworm. Knopf Doubleday Publishing Group.
Loeb, L. (2017). NotPetya operators installed three backdoors on the M.E.Doc software server before activating malware. Retrieved from https://securityintelligence.com/news/notpetya-operators-installed-three-backdoors-on-m-e-doc-software-server-before-activating-malware