NotPetya: Understanding the Destructiveness of Cyberattacks

The Russian aggression against Ukraine has reopened the discussion about cyberattacks and the use that states make of them during conflicts. Moreover, analysing the case of the cyberattack NotPetya of 2017 helps to contextualise the current events. The harmful acts affecting cyberspace are numerous and constantly growing; however, there are specific cases that manage to provide landmarks for the study. The NotPetya cyberattack is one such case, as it can be described as a turning point. This article will analyse the cyberattack, including its consequences and repercussions.

NotPetya Unleashed: A Cybersecurity Catastrophe 

The NotPetya attack, launched on the 27th of June 2017, was devastating and harmful. It was a state-sponsored cyberattack which targeted systems to infect them and destroy data in Ukraine but quickly spread globally, affecting numerous organisations. The malware exploited the vulnerabilities of the computer systems of multiple companies and government agencies to destroy data and stop their operations. It is one of the most advanced cyber-attacks ever made, as it blocks the infected computer and destroys the user’s data. The malware exploited the vulnerabilities of the computer systems of numerous companies and government agencies to destroy data and stop their operations.

It started in the afternoon, the day before the holiday for the Ukrainian Constitution. [1] This decision not only had a symbolic significance but was also a strategic decision; before national holidays, many workers were already on leave, among them also IT operators who were responsible for the system’s functionality.

Several sectors and infrastructure were affected. Starting with the Ukrainian government, the operations of key government agencies were disrupted by the attack, mainly through a loss of key and critical data and a temporary but destructive paralysis of government functions. Moreover, banks, financial institutions, and the energy and utilities sector were among the primary targets. In addition, even the health sector was targeted as the data of some patients were compromised.

Although Ukraine was the first state to get hit, the repercussions of the attacker’s actions were also felt in other states, including the United States, Great Britain, and Germany. That happened because the malicious software was able to spread quickly across computer networks outside the Ukrainian state. [2] Nonetheless, it must be stressed that Ukraine was the primary target of the attack.

The responsibility for the cyberattack was attributed to a group of Russian hackers known as the SandWorm team, recognised as one of the military units of the Russian intelligence service GRU. Therefore, the action has been attributed to the Russian state. [3] It was not the first time this group of hackers was accused of a cyberattack against Ukraine. In fact, in 2015, suspicions rose that the Ukrainian electricity grid had malfunctioned because of them. [4] Moreover, the study of the previous attacks carried out by the group led the scholars to conclude that the SandWorm team had also attacked in 2017, as they recognized the use of particular coding techniques typical of the team.

FBI wanted poster listing six Russian military intelligence officers indicted for various cyber crimes, including the NotPetya malware. (Source: Wikimedia Commons)

The Infection Mechanism

The attack started mainly from the servers of M.E.Doc, a widespread program in Ukraine for managing tax payments and tax returns. [1] However, it was documented that a phishing campaign could have been an intrusion vector, too. The malicious software spread by exploiting several Windows operating system’s vulnerabilities. It showed a request for an update approval on the computers attacked. If accepted, it launched a damaging payload, encrypting files and causing the infected system to be non-functional. The malicious software infected the computer’s master boot record and the hard disk; however, before making the computer unusable, it always tried to spread to other computers. [5] With the attack on the server, hackers could steal users‘ passwords to make the advance easier.

After users noticed the system failure, it seemed they could recover the data through a Bitcoin payment. However, even after making the payment, recovering the inaccessible data and repairing the computers was impossible. [5] As it became apparent, it was hopeless due to the main goal of the cyberattack, which was to cause destruction, not to gain finances. Especially in Ukraine, the demand for money to retrieve data was used as a distraction.

Consequently, it is more appropriate to speak of NotPetya as a wiper and not ransomware since the latter tends to have only monetary gain as its primary purpose. [6] Because of that, the malicious software used in the attack was named “NotPetya” to stress the difference from the Petya family despite their similarities. To begin with, Petya is generally recognized as another type of malicious software. However, this ransomware’s primary purpose is not the destruction of data. Several times, the data owners were able to restore the operation of the computer and recover it through payment in cryptocurrencies. For this, it succeeded as an attack on financial grounds. Unlike Notpeya, attributing culprits is challenging, as the attack is attributed to a diverse set of hacker groups.

Screenshot of the splash screen of the payload of the original version of Petya. (Source: Wikimedia Commons)

Stopping the Cyberattack

Considering the scope and magnitude of the attack and how it targeted thousands of organizations and individuals globally, putting an end to it was not straightforward. Since many states were affected, the search for an answer was carried out by multiple groups. The idea was to try to find a way to contain the spread of the malicious software. As the first step, the need to isolate infected computers was understood as crucial to prevent the spread of the malware. [1] NotPetya behaved like a worm, and limiting its interactions was the most apparent solution to block the spread. Moreover, employees of possible wiper targets were informed of the threat and told to be more careful and vigilant. In addition, it became evident that the malicious software looked for the presence of ‚perfc‘ or ‚perfc.dat‘ files before attacking another computer. The reason was these files allowed us to identify whether the computer had been compromised or not. As a result, creating them was sufficient to deter the wiper. [2]

The NotPetya attack, due to its scope and destructiveness, triggered a new cooperation in finding the culprits on the international level. In February 2018, the United States, the United Kingdom, Denmark, Lithuania, Estonia, Canada, and Australia met to agree on a joint response with the support of New Zealand, Finland, Norway, Latvia, and Sweden [1]. The collaboration between these states was crucial to identify the group responsible for the cyberattack. The affected states shared as much information as possible about the wiper to quickly find the culprit.

The attack highlighted the need to work together to send a message to states that intend to use cyberspace as a new conflict space. For this reason, various countries, mainly the United States, have decided to take the path of sanctions against Russia since 2018. [1] Especially in the case of NotPetya, sanctions were functional to restrict Russia’s access to the international market to contain its possibility to gain even more competence in cyberspace. More specifically, the sanctions successfully limited Russia’s access to technological resources and the possibility of sharing information and collaborating with other nations.

NotPetya in the Context of the Ukraine-Russia Conflict

Despite the states‘ reactions affected by the attack and the techniques used to deter the use of malicious software or wipers in the future, Russia has not ceased its subversive activities. The Russian hackers are working alongside the army to weaken the technological resilience of the Ukrainian armed forces through sophisticated techniques that compromise the stability of the operating systems used for the state’s internal security. Despite attempts to refine Ukraine’s national cybersecurity, cyberattacks are part of a campaign that is too massive and difficult to block. [7]

In 2022, the hacker members of the group „Sandworm“ attempted to destroy the computers of a Ukrainian energy company using a wiper similar to NotPetya, so-called Industroyer2, an attack specifically created to destroy the systems [MD6], erase data or make them unusable. [8] The Industroyer2 is considered the most potent and worrying cyberattack since the beginning of the aggression against Ukraine. According to the highest Ukrainian charges, the attack had been foiled before it produced a total blackout. However, the Russian hackers still attempted to hit the Ukrainian power company again. The attack aimed to turn off Ukrainian computers in charge of network control. [8]

Armed conflicts between the two states’ armies have also weakened Ukraine’s ability to respond quickly and effectively to cyberattacks. However, this is just one example of a series of attacks that have hit the government and financial systems of the Ukrainian state. Despite the large number of attacks, for now, it does not seem that their effectiveness is high enough to impact the stability of the Ukrainian state heavily. [9] This apparent not as effective action may be caused by the fact that cyber attacks have not proved yet to be sufficient by themselves. Instead, they are used alongside the conventional conflict.

Conclusion

The NotPetya cyberattack has proved to be a decisive warning in the evolution of threats brought by the digital age: six years later, the impacts continue to be felt. The effect of NotPetya was felt worldwide, with more than 60 countries affected, causing widespread disruption and financial losses. It was one of the warning signs suggesting what Russia is capable of. Although the Russian attacks, undoubtedly being prepared for some time, have a structured and evolved approach aimed at the constant „bombardment“ of the enemy cyber-space, they have not particularly affected the ability of Ukraine to resist the invasion.


Article reviewed by Michaela Doležalová and Kristýna Drmotová.

Sources

[1] Krasznay C., (2020) Case Study: The NotPetya Campaign, https://www.researchgate.net/publication/353072644_Case_Study_The_NotPetya_Campaign

[2] Lika, R. A., Murugiah, D., Brohi, S. N., & Ramasamy, D. (2018, July 1). NotPetya: Cyber Attack Prevention through Awareness via Gamification. IEEE Xplore. https://doi.org/10.1109/ICSCEE.2018.8538431

[3] Bendiek, A., & Schulze, M. (2021). Attribution: A major challenge for EU cyber sanctions. An analysis of WannaCry, NotPetya, Cloud Hopper, Bundestag Hack and the attack on the OPCW. Www.econstor.eu. http://hdl.handle.net/10419/253242

[4] Sandworm Team and the Ukrainian Power Authority Attacks. (n.d.). Mandiant.https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team

[5] How the NotPetya attack is reshaping cyber insurance. (n.d.). Brookings. https://www.brookings.edu/articles/how-the-notpetya-attack-is-reshaping-cyber-insurance/

[6] Redazione. (2022, June 28). 5 anni dopo NotPetya: cos’hanno imparato i CISO? DigitalWorld Italia. https://www.digitalworlditalia.it/sicurezza/malware-vulnerabilita/notpetya-cosa-hanno-imparato-i-ciso-148315 

[7] Mueller, G. B., Jensen, B., Valeriano, B., Maness, R. C., & Macias, J. M. (2023). Cyber Operations during the Russo-Ukrainian War. CSIS. https://www.csis.org/analysis/cyber-operations-during-russo-ukrainian-war

[8] Willett, M. (2022). The Cyber Dimension of the Russia–Ukraine War. Survival, 64(5), 7–26. https://doi.org/10.1080/00396338.2022.2126193

[9] Schulze, M. (2022). Cyber-Operationen im Kontext des Russland-Ukraine-Krieges 2022. Ukraine-Analysen, 267, 2–7. https://doi.org/10.31205/ua.267.01

[10] Mansfield-Devine, S. (2017). Ransomware: the most popular form of attack. Computer Fraud & Security, 2017(10), 15–20. https://doi.org/10.1016/S1361-3723(17)30092-1 

[11] Merchant, Z. (2022, March 5). NotPetya: the cyberattack that shook the world. The Economic Times. https://economictimes.indiatimes.com/tech/newsletters/ettech-unwrapped/notpetya-the-cyberattack-that-shook-the-world/articleshow/89997076.cms?from=mdr

[12] National Cyber Security Centre. (2018, February 14). Russian military “almost certainly” responsible for destructive 2017 cyber attack. NCSC. https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack

[13] Schulze, M., Kerttunen, M. (2023). Cyber Operations in Russia’s War against Ukraine, Uses, limitations, and lessons learned so far. Stiftung Wissenschaft und Politik. https://www.swp-berlin.org/10.18449/2023C23/ 

[14] Trautman, L. J., & Ormerod, P. (2018). Wannacry, Ransomware, and the Emerging Threat to Corporations. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.3238293

[15] Wan K.S. (2020, November 1). NotPetya, Not Warfare: Rethinking the Insurance War Exclusion in the Context of International Cyberattack. Washington Law Review https://digitalcommons.law.uw.edu/cgi/viewcontent.cgi?article=5135&context=wlr

[16] What Is Petya and NotPetya Ransomware? | Trellix. (n.d.). Trellix. Retrieved October 30, 2023, from https://www.trellix.com/security-awareness/ransomware/petya/

[17] Wolff J. (2021, December 1). How the NotPetya attack is reshaping cyber insurance, Brookings. https://policycommons.net/artifacts/4142432/how-the-notpetya-attack-is-reshaping-cyber-insurance/4951171/

[18] Wolff J. CYBERWAR BY ALMOST ANY DEFINITION”1: NOTPETYA, THE EVOLUTION OF INSURANCE WAR EXCLUSIONS, AND THEIR APPLICATION TO CYBERATTACKS https://cilj.law.uconn.edu/wp-content/uploads/sites/2520/2022/02/Cyberwar-By-Almost-Any-Definition-Wolff-CILJ-Vol.-28.1.pdf

Štítky:

Napsat komentář

Vaše e-mailová adresa nebude zveřejněna. Vyžadované informace jsou označeny *