The attack was initiated using a corrupted update for an accounting and tax software package that was used almost universally by organisations, private and public, across the country. The malware employed the same SMB exploit that WannaCry had used to propagate inside networks, which was effective because many organisations had still not applied the patch released in early 2017. Even organisations that had applied the patch for this Microsoft vulnerability were susceptible to infection by the NotPetya malware, because it also employed a credential harvesting tool called “Mimikatz”, which automates the collection of credentials on Windows systems. This allowed the malware to spread within networks even where the “EternalBlue” SMB exploit had been fixed. Because of this dual propagation technique, the malware could infect organisations outside Ukraine that had an office or branch in the country.
The malware encrypted every machine on an infected network, and although it was disguised as ransomware, since it encrypted 65 specific file types on a machine, it was ultimately designed to act as a wiper and prevented users from retrieving their files even if they paid the ransom. Security researchers later concluded that the malware’s wiping functionality was the threat actors’ actual intention. Over 70% of victims were in Ukraine, and the attack occurred on the eve of the country’s Independence Day commemorating its independence following the fall of the Soviet Union. This led many researchers to believe that Russian state-sponsored threat actors were the most likely perpetrators, given the use of Ukrainian accounting software as the initial attack vector, the specific targeting of Ukraine, and the timing immediately before its independence day.
The report included in this blog will also discuss the consequences of the NotPetya attack for organisations, which were severe for many commercial and governmental entities. The attack showed how failures by third-party vendors and weak organisational policies can cause knock-on impacts for secondary and tertiary victims that were never the primary target. Some of the key lessons discussed in this white paper include: swiftly applying security patches, especially when a recent incident has exploited those easily fixed vulnerabilities; the necessity for third-party vendors to protect the signatures and certificates that establish the legitimacy of the code and software products organisations use; improved awareness of current cyber threat trends and pre-existing mitigations; and following the 3-2-1 rule when storing and backing up data.
The goal of this report is to call attention to the pre-existing security weaknesses of businesses and organisations, in order to inform the development of new policies and procedures that mitigate them and improve resilience against cyber threats. Threats are constantly evolving and adapting faster than organisations are able to mitigate them, so it is crucial to continually develop proactive policies as well as to ensure that pre-existing vulnerabilities are addressed.
Kailyn joined the Intelligence Acquisition Team at Anomali as a Security Analyst in May 2018. She conducts research and analysis on cyber security threats and threat actors from a geopolitical and social sciences perspective. Her efforts to improve the threat intelligence platform help customers gain greater context on, and understanding of the implications of, past, present and future cyber threats. Kailyn studied Forensic Anthropology, Criminology, and Psychology at the University of Montana in the United States and recently completed a Master of Science in International Security, Intelligence, and Strategic Studies at the University of Glasgow and a Master of Arts in International Security Studies at Charles University in Prague.