4 July 2017

RUSSIAN HAND IN THIS WEEK’S CYBER PANDEMIC? PETYA RANSOMWARE MAY BE LINKED TO RUSSIA


When a ransomware outbreak exploded from Ukraine across Europe yesterday, disrupting companies, government agencies, and critical infrastructure, it at first appeared to be just another profit-focused cybercriminal scheme—albeit a particularly vicious and damaging one. But its origins in Ukraine raised deeper questions. After all, shadowy hackers have waged a cyberwar there for years, likely at Russia’s bidding.

As more details come to light, Ukrainian cybersecurity firms and government agencies argue that the hackers behind the ransomware called Petya (also known as NotPetya or Nyetya) are no mere thieves. Rather, they pin the attacks on political operatives seeking to disrupt Ukrainian institutions yet again, using a massive ransom scheme to hide their true motive. And some Western cybersecurity analysts tracking the Petya plague have come to the same conclusion.

Targeted Approach

On Tuesday morning, Ukrainian media was the first to widely report the Petya infections, as it hit targets including Ukrainian banks, Kiev’s Borispol airport, and energy firms Kyivenergo and Ukrenergo.

Plenty of others fell victim to Petya as well. It struck the Danish shipping firm Maersk, the Russian oil company Rosneft, and even the American pharmaceutical giant Merck. But Ukrainian cybersecurity analysts view Ukraine as the primary target, and the Petya outbreak as just another strike in their ongoing cyberwar with organized and relentless hackers that the Ukrainian government has publicly linked to Russian state actors. “I think this was directed at us,” says Roman Boyarchuk, the head of the Center for Cyber Protection within Ukraine’s State Service for Special Communications and Information Protection. “This is definitely not criminal. It is more likely state-sponsored.”

As for whether that state sponsor was Russia, “It’s difficult to imagine anyone else would want to do this,” Boyarchuk says.

Boyarchuk points to the timing of the attack, just before Ukraine’s Constitution Day, which celebrates the country’s post-Soviet independence. Ukraine also suffered a targeted act of physical violence on Tuesday, when a car bomb assassinated a special forces official in Kiev.

More technical clues support that theory, some Ukrainian security researchers say. Kiev-based Information Systems Security Partners, which has acted as a first responder for several recent waves of cyberattacks on Ukrainian companies and government agencies, says it has found evidence that sophisticated hackers quietly infiltrated the networks of at least some Ukrainian targets two to three months before they triggered the ransomware that paralyzed those organizations.

“According to the obtained intermediate data of our analysis, our analysts concluded that the destructive effects in the infrastructures of the organizations studied were carried out with the help of [ransomware], but also with direct involvement of intruders who already had some time in the infrastructure,” writes ISSP forensic analyst Oleksii Yasinsky in an email to WIRED. ISSP declined to provide more details about the evidence of those prolonged intrusions, but argues that the attackers’ techniques match the “handwriting” of previous attacks from 2015 and 2016 that Ukrainian president Petro Poroshenko has called acts of “cyberwar,” waged by Russia’s intelligence and military services. Yasinsky declined to name the exact Petya victims whose networks had shown those fingerprints, but he notes that they include one major Ukrainian bank and a critical infrastructure company.

ISSP says it also found that Petya doesn’t act solely as ransomware. Rather than just encrypting infected hard drives and demanding $300 in bitcoin for the decryption key, in some cases it simply wiped machines on the same network, deleting a victim computer’s deep-seated master boot record, which tells it how to load its operating system. Other researchers at Comae Technologies and Kaspersky noted Wednesday that the ransomware’s encryption appears to be irreversible, even if a victim pays the ransom. 1

Yasinsky argues that this behavior indicates the attackers weren’t, in fact, trying to extort payments from those victims but instead wanted to cause maximum disruption. The hackers also could have been attempting a “cleanup” of previous operations, Yasinsky speculates, preventing investigators from learning the full extent of their intrusions by deleting data wholesale from target networks.

Wiping the master boot record of victim machines and planting fake, irreversible ransomware are also a calling card of a group of attackers, known to the cybersecurity industry as Sandworm, which has plagued Ukraine for years. Starting in October 2015 and continuing through the end of last year, the group struck targets across Ukraine’s media, transportation infrastructure, and government ministries, and twice caused blackouts by attacking Ukrainian electric facilities. According to ISSP and the security firm FireEye, those attackers used multiple variants of a piece of malware called KillDisk to destroy data, and in late 2016 also started using malware that encrypted data and appeared to be profit-seeking ransomware.

According to FireEye’s analysis, in at least one of those ransomware cases in December 2016 the malware had no means to produce a decryption key, and instead permanently encrypted files, just as in the Petya case. And years earlier, FireEye had tied those same attackers to Russia, based in part on analysis of an openly accessible command and control server it used that contained Russian-language documents explaining how to use a piece of malware it had planted on target computers. 1

Uncommon Criminals

The theory that Petya targeted Ukraine specifically remains far from confirmed. And it doesn’t fully explain why the malware would have spread so far beyond Ukraine’s borders, including hitting Russian targets.

But Ukrainians aren’t the only ones leaning toward the hypothesis that Petya originated as a state-sponsored, Ukraine-focused disruption campaign rather than a moneymaking venture. Symantec’s data shows that, as of Tuesday morning US time, more than 60 percent of infections they saw were in Ukraine, implying that the attack likely began there. And cybersecurity analysts on Tuesday found that, in many cases, Petya infected victims by hijacking the update mechanism of a piece of Ukrainian accounting software called MeDoc. Companies filing taxes or engaged in financial dealings with Ukraine widely use MeDoc, says Cisco’s Talos research team lead Craig Williams, which could in part explain the ransomware’s reach beyond Ukraine’s borders.

That tactic also signals that Petya “has a very clear idea who it wants to affect, and it’s businesses associated with the Ukrainian government,” Williams says. “It’s very obvious this is a political statement.”

In addition to MeDoc software, Ukrainian police have also noted that phishing emails helped spread Petya, which would imply careful targeting of the ransomware based on victims’ languages rather than a randomly spreading worm. But other cybersecurity analysts have been unable to corroborate those claims.

‘It’s very obvious this is a political statement.’ —Craig Williams, Cisco Talos

Though the attackers’ motives remain murky, many in the cybersecurity community are coming to the consensus that they weren’t ordinary criminals. Aside from the MeDoc update trick, Petya also spreads within networks using a variety of automated tools that exploit obscure Microsoft protocols like Windows Management Instrumentation, PSExec, and Server Message Block, all hallmarks of sophistication. But meanwhile, the perpetrators showed surprising disregard for the money-making part of a ransomware scheme. They used a hardcoded bitcoin address that’s far easier to track, and an email address for communicating with victims that was taken down by its host within 12 hours of the attack’s launch. Partly as a result, the new Petya variant has earned a piddling $10,000.

That mismatch suggests an ulterior motive, says Nick Weaver, a computer security researcher at Berkeley’s International Computer Science Institute. “This looks like a malicious payload designed to make systems unusable disguised as ransomware,” Weaver says. “Either they just screwed up on the ransomware side inexplicably, or the real goal was to disrupt machines, launched in a way that’s very biased against Ukraine.”

All of that provides another hint, as bizarre as it may seem, that the damage to companies from the US to Spain and even Russia may have been collateral. Hackers may instead have been continuing a long-running assault against Ukraine. But this time, the rest of the world feels their pain too.

1 Updated 6/29/2017 10:00am with more details on how Petya permanently encrypts data, and more details linking its creators to the hacker group known as Sandworm.
