Petya: Cyber Warfare Deception
The following article originally appeared in the August 2017 edition of Gulf Insider online magazine.
“All warfare is based upon deception.”
– Sun Tzu, The Art of War
Petya versus NotPetya
Petya, the global cyberattack launched weeks after the WannaCry ransomware, appeared at first as a new variant of the original 2016 ransomware of the same name. However, security researchers soon identified significant differences prompting security firm Kaspersky to rename the malware “NotPetya.” Suspected motivations for the attack shifted from ransomware’s traditional financial gain to politically motivated destruction, thus initiating Petya cyber warfare.
About the NotPetya Cyberattack
Ukrainian companies suffered the brunt of the attack with disruptions reported in banking, energy, and transportation industries. Radiation monitoring equipment at the Chernobyl nuclear facility in Ukraine was hit as well. The attack infected numerous international companies spanning 64 countries. Shipping giant Maersk and subsidiary APM Terminals with container operations in seventeen ports were reportedly impacted. APM Terminals Bahrain announced services at Khalifa Bin Salman Port were “operating close to normal” within days of the outbreak.
Microsoft confirmed instances of the malware originated from a software update initiated by the legitimate tax preparation program, M.E.Doc. It only takes one compromised computer to infect an entire network. NotPetya leverages credential theft and two allegedly stolen NSA hacking tools to spread. The malware’s payload overwrites the Windows bootloader, encrypts files while restarting the computer, then displays a typical ransomware note demanding payment.
However, infected companies were unable to regain their encrypted data as the email address provided by the attackers was shutdown within hours of the attack. Ransom payment was later proven to be useless as NotPetya is unable to decrypt data due to the manner in which it was coded. Antivirus provider Eset posted the M.E.Doc update was first pushed to users six weeks before the attack. M.E.Doc is considered the standard application used by companies conducting business with Ukraine. The attack was unleashed on eve of the Ukrainian holiday Constitution Day fueling speculation of political motivations behind the attack.
Cybersecurity Deception Tactic
The lack of ransom collection capability falls well short of the level of sophistication and military precision orchestrated in this attack. NotPetya demonstrated deception by masquerading as ransomware in what appears to be a singularly purposed malware engineered for destruction. In direct response to NotPetya, NATO announced cyber warfare attacks can invoke the collective defense Article 5 of the North Atlantic Treaty which states an attack on one member of NATO is considered an attack on all. NATO then extended cyber defense support to Ukraine raising suspicion of a possible state-sponsored attack.
About Gulf Insider
Gulf Insider is a new online news platform for people in Saudi Arabia, UAE, Bahrain, Kuwait, Qatar, and Oman.
About Ryan Ernst
Ryan Ernst is an enterprise consultant for Sword & Shield Enterprise Security stationed in the Kingdom of Bahrain. Ryan specializes in information security and compliance for companies located in the Arabian Gulf area.
Sword & Shield specializes in security, risk and compliance assessment, managed security services, enterprise security consulting, security incident response and forensics, and technical solutions.