NotPetya: A Targeted Attack on Ukraine

Steven Bay
Former Contractor, National Security Agency

As the dust settles on last Tuesday’s NotPetya malware outbreak, it is increasingly evident that this was not a ransomware, money-making attack at all; rather it was a targeted, destructive cyberattack against Ukraine. It utilized deception in which it was designed to look like ransomware but wasn’t. It targeted obscure Ukrainian software – yet propagated extremely fast once inside a victimized network, and it did not have any particular intent aside from destroying or damaging victimized systems. 

It was not ransomware

Security researchers initially identified the malware as a new variant of the known Petya ransomware. Computer terminals and systems were having their data encrypted and messages popped up on victims’ screens announcing the compromise and providing instructions on how to get the data back. It evidently propagated itself from computer to computer via NSA’s stolen EternalBlue exploit, which was the same mechanism as the WannaCry attack in May. Victims appeared to be global without respect to who they were or what technology they employed. Many in the cybersecurity world simply thought, “here we go again, how is it that so many companies did not learn the lessons of WannaCry and patch their computer systems to protect themselves”?

However, as Tuesday wore on, the malware outbreak kept getting stranger. This attack was clearly not ransomware, and it was clearly not a globally launched, indiscriminate attack as WannaCry appeared to be. Something smelled fishy.

The malware and the attack itself was more advanced and more well-planned than WannaCry. It had many security researchers concluding that this outbreak would be exponentially worse. NotPetya did not have a “kill-switch” built into it that would prevent its fast spread, it propagated itself via three different methods to make it harder to stop and to infect systems that had patched against EternalBlue, and it appeared to possibly also spread via web exploit – also known “drive-by-download” or “watering hole” attack. However, the ransomware was functionally clunky and easily defeated. It did not fit alongside the rest of the attack. 

Paying the ransom and decrypting one’s files appeared to be pretty straightforward. The victim emailed their unique identifier to an instructed email address, paid the ransom, received the decryption key, and decrypted their files. However, a third-party email provider hosted the email address and very quickly disabled it. This made it impossible for victims to pay the ransom and get the decryption key. At this point one’s data was all but lost. There was no alternative fail-safe built in by the attackers for paying the ransom like there was for the malware’s propagation. 

The question many of us asked was essentially, “why would any attacker driven by the motivation to make money be so careless in the one functionality necessary to actually make the money?” Clearly this was a major red flag that something different was going on. 

Security researchers then looked at the file encryption functionality. Very similar to the known, existing Petya ransomware, it encrypted and over-wrote files on the Master Boot Record, essentially wiping the machine’s data clean, making it inoperable. However, while Petya’s overwrite was designed to be reversible once a decryption key (of sorts) was applied after paying the ransom, this malware was irreversible – acting more like disc-wiping malware. Once the data was lost there was no getting it back. The malware was destructive, and it was always intended to be.  

A Targeted Attack

One of the major differences between NotPetya and WannaCry was that the former did not use EternalBlue to propagate across the public internet; EternalBlue was not the initial attack vector. Rather, victims were primarily infected via a Ukrainian accounting software called MEDoc. 

MEDoc is relatively uncommon and obscure software. This is not the type of infection vector that would generally garner a wide-array of global victims and result in a huge payday for the hackers. No, the exploitation of MEDoc suggested the attackers were more interested specifically in those companies and organizations who were most likely to use it. MEDoc is widely used across Ukraine; ranging from the national government to local public sector to Ukrainian businesses. Beyond that, any company that does business and pays taxes in Ukraine must use MEDoc, so such an attack essentially punishes any entity fueling the Ukraine economy.

However, once a victim organization was breached, it spread throughout their network like a wildfire. It infected as many devices as it could and was indifferent to which organization a computer actually belonged to or where it was located. This explains why large multi-national companies, such as the Danish company Maersk – who operates one in seven shipping containers around the world – were victimized despite not being Ukrainian. While little to no information has come out from Maersk or other impacted companies about how or where they were initially compromised, it would not be the least bit surprising to learn that it started in either the Ukraine or Eastern Europe and spread through the company.

The fact is NotPetya was a deception campaign to look like indiscriminate ransomware but was actually a wiper malware targeting a specific and obscure software associated primarily with Ukraine, and yet propagated very fast on a victim’s local network. This suggests a targeted attack with specific victims in mind – even if there was collateral damage beyond the intended victims.

Who did it and why?

At this point, who carried out the attack is largely conjecture, but the first place to look is Russia. Since the outbreak, Ukrainian security researchers have pointed the finger at Russian hackers, but specific evidence is lacking. Nevertheless, there are interesting and compelling reasons to assume Russia.

First, Russia has essentially been at war with the Ukraine since it invaded and annexed Crimea in 2014. There has been constant contention between the two countries with troops amassed at the borders, minor to major skirmishes, et cetera.  Russia continues to attempt to meddle in Ukrainian politics and stir up ethnic Russians living in eastern Ukraine against the Ukrainian government in Kiev.

Perhaps coincidentally, on the same day as this NotPetya outbreak, a high-ranking Ukrainian intelligence officer was assassinated via a car bomb in Kiev. The officer, Colonel Maksim Shapoval, was actively engaged in the hostilities with Russia, even running a unit that had fought on the eastern front. The timing of the cyber attack coinciding with the assassination has led to rumination that the attacks were linked and purposely timed.

Second, while a few large Russian companies also reportedly were infected with the same malware last week, their operations seemed to be largely unaffected by the malware and business was able to resume as usual. Other victims, including the Ukrainian entities and Maersk, however, had much more of a negative impact. While it is quite possible that these Russian companies were simply more secure and their networks locked down, it is an eyebrow-raising circumstance.

Third, Russia has a history of hacking Ukraine, with security researchers suggesting that Ukraine is used as a test bed for disruptive cyber attacks. Russia has exploited Ukraine’s power grid, government ministries, media, and other entities over the last three years.  Interestingly, researchers noted that Russia hasn’t seemed to maximize the potential of past cyber aggressions; suggesting they may be saving the fire power of their cyber arsenal for contingencies targeting the United States or NATO. 

Finally, there is no other logical group or country with the motivation to destructively target Ukrainian interests. It would be one thing if the ransomware element of this attack were real. It would fit that cybercriminals would exploit whatever they could in order to make a lot of money. So why not go after low-hanging fruit once a vulnerability in a software has been discovered?  But the fact that the only apparent outcome of this attack is destroyed data that prevents normal business functions, the perpetrator had a reason to go after Ukraine. North Korea – who was allegedly behind WannaCry – is likely indifferent to Ukraine. China is similarly indifferent and is not known to use cyber for destructive purposes. Iran is much more focused on their region and the United States. Only Russia has vested interest in damaging and weakening Ukraine.

As stated by the cybersecurity researcher known as GrugQ, “This was a straight forward cyber attack with a target space of basically every company that does business in Ukraine.” It is difficult to argue that this was not a planned, targeted attack carried-out by actors who are hostile to Ukraine – namely, Russia.

The Author is Steven Bay

Steven Bay left Booz Allen Hamilton earlier this year after nine years with the management consulting firm.  He joined BAH in 2007 to work on a contract for the National Security Agency, and in 2011 was transferred to Hawaii to run its local NSA team.  Bay started his career in the Air Force as a Persian Farsi linguist.  He was stationed at Ft. Meade, Maryland where he translated Persian documents and later became a digital network intelligence analyst.  He has launched a cyber consulting... Read More

Learn more about The Cipher Brief's Network here.


Share your point of view

Your comment will be posted pending moderator approval. No ad hominem attacks will be posted. Your email address will not be published. Required fields are marked *