July 6, 2017
Hacking a Country
By Kimberly Zenz
On June 27, this attack, nicknamed “Petya” after a cybercriminal operation using similar code, spread quickly across the world like the first malware attack, and even used the same software vulnerability, but from there the operations differ.
In May, ransomware called WannaCry spread to 150 countries in a day, encrypting victims’ files and demanding payment in return for access. WannaCry was able to spread despite relying on a well-known software vulnerability for which a fix was already available, a situation that prompted many to call WannaCry a wake-up call and hopefully a lesson learned.
However, Petya had additional means of infection, and, much worse, Petya does not encrypt files, but rather it irretrievably destroys them. What is more, the means of paying Petya’s ransom was impractical at best and quickly became impossible after the public e-mail service used to confirm payment predictably closed the account. In short, Petya was only masquerading as ransomware; its real function was to destroy victim computers’ data.
Petya victims are in sixty-four countries and range from major ports to global law firms, but the attack had a specific target: Ukraine.
The attack began in Ukraine, where victims include government offices, Kyiv’s main airport, banks, and power companies. Ukraine’s Council of Ministers reported their computers were frozen, ATMs in Kyiv could not dispense cash, and workers at the Chernobyl nuclear power plant had to shift to manual operation.
Victims were infected through M.E. Doc, a popular tax accounting software in Ukraine, through a compromised Ukrainian regional site and, in some cases, may have been deliberately infected in advance. The timing may also be deliberate—June 28 is Constitution Day, a national holiday that celebrates Ukrainian independence from the Soviet Union.
Ever since relations with Russia deteriorated in 2014, Ukraine has suffered a series of online attacks targeting the government, business, infrastructure, and media, among other sectors. They even caused two blackouts, including one that used the first software designed to attack industrial control systems since Stuxnet sabotaged Iran’s uranium enrichment facility at Natanz in 2010. These attacks are believed to have originated in Russia and began when tensions escalated between Russia and Ukraine in 2014. Circumstantial evidence links Petya to Russia as well.
It would have been possible for the attackers behind Petya to restrict infections only to victims using a Ukrainian IP address, but they did not. The attackers could also have prevented infections of machines using Russian IP addresses, but they did not. This may have been a deliberate decision to allow Petya to spread globally in order to support the pretense that this was indeed a ransomware effort. Supporting that narrative could muddy attribution efforts and convince global observers that the attack may have been the work of a criminal gang instead of a nation state.
If this is indeed the case, then it displays a cavalier willingness to accept global collateral damage even within Russia itself, where Rosneft, the country’s largest oil company, was among the victims. Whatever the reason, the damage caused reached a global scale.
To many in the West, Ukraine may seem very far away, and what happens there may not seem very important. However, a sovereign country was significantly hampered in its ability to operate, and key businesses and services were sabotaged worldwide by an attacker willing to cause millions of dollars of collateral damage across the globe. This attack is very much everyone’s business.
Unfortunately, responding to such attacks is difficult. There is no proven attacker, and the established political responses are too often too weak or too extreme. They are also too slow. As Petya and WannaCry show, attackers already have the ability to cause real damage using relatively predictable and preventable means of infection.
Petya did so by building upon the lessons of WannaCry, and future attackers will build on the lessons of Petya. Such attacks serve as learning experiences for the next attacker, be it Russia or North Korea or actual criminals seeking to make quick millions of dollars. They also serve as a threat to those attackers’ potential targets.
Much ink has already been expended talking about the need for better protections, in particular: better efforts to keep systems up to date, better information sharing and mutual support, better adoption of technical protections such as white lists and firewalls, better security awareness, and incorporation of IT security at the highest levels of decision-making.
Unfortunately, such measures, difficult as they may be, remain the best way to protect against such attacks.
Efforts to share expertise and effort such as the US-based Cyber Threat Alliance and the German Cyber Cybersecurity Organization are a step in the right direction, but they remain efforts largely within the IT security community. There is no need to warn of future damage to encourage a better approach to security. The catastrophic attacks are already here. The question remains how well we will defend ourselves against the next one.
Kimberly Zenz researches international cyber threat intelligence for the Deutsche Cyber-Sicherheitsorganisation (DCSO). She is also a nonresident senior fellow at the Atlantic Council’s Cyber Statecraft Initiative.