Editing NotPetya (2017)


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
 
{| class="wikitable"
 
{| class="wikitable"
! scope="row"|Date
+
|Date
 
|27-28 June 2017
 
|27-28 June 2017
 
|-
 
|-
! scope="row"|Suspected actor
+
|Suspected actor
 
|Russian Federation (official attribution statements made by Ukraine,<ref>P Polityuk, [https://www.reuters.com/article/us-cyber-attack-ukraine/ukraine-points-finger-at-russian-security-services-in-recent-cyber-attack-idUSKBN19M39P “Ukraine points finger at Russian security services in recent cyber attack”] (1 July 2017), ''Reuters''. </ref> US and UK<ref>S Marsh, [https://www.theguardian.com/technology/2018/feb/15/uk-blames-russia-notpetya-cyber-attack-ukraine “US joins UK in blaming Russia for NotPetya cyber-attack”] (15 February 2018), ''The Guardian''.</ref>)
 
|Russian Federation (official attribution statements made by Ukraine,<ref>P Polityuk, [https://www.reuters.com/article/us-cyber-attack-ukraine/ukraine-points-finger-at-russian-security-services-in-recent-cyber-attack-idUSKBN19M39P “Ukraine points finger at Russian security services in recent cyber attack”] (1 July 2017), ''Reuters''. </ref> US and UK<ref>S Marsh, [https://www.theguardian.com/technology/2018/feb/15/uk-blames-russia-notpetya-cyber-attack-ukraine “US joins UK in blaming Russia for NotPetya cyber-attack”] (15 February 2018), ''The Guardian''.</ref>)
 
|-
 
|-
! scope="row"|Victims
+
|Victims
 
|Ukrainian public and private sector (80% of affected systems);<ref>J Wakefield, [https://www.bbc.com/news/technology-40428967 “Tax software blamed for cyber-attack spread”] (28 June 2017), ''BBC News''.</ref> multinational companies (Maersk, Merck, FedEx, Saint-Gobain and others)
 
|Ukrainian public and private sector (80% of affected systems);<ref>J Wakefield, [https://www.bbc.com/news/technology-40428967 “Tax software blamed for cyber-attack spread”] (28 June 2017), ''BBC News''.</ref> multinational companies (Maersk, Merck, FedEx, Saint-Gobain and others)
 
|-
 
|-
! scope="row"|Target systems
+
|Target systems
 
|Microsoft Windows-based systems
 
|Microsoft Windows-based systems
 
|-
 
|-
! scope="row"|Method
+
|Method
 
|The NotPetya malware was spread by a centralised update to the MeDoc tax accounting software used by many Ukrainian businesses.<ref>J Wakefield, [https://www.bbc.com/news/technology-40428967 “Tax software blamed for cyber-attack spread”] (28 June 2017), ''BBC News''.</ref> The malware was using the EternalBlue exploit,<ref>K Sood and S Hurley, [https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/ “NotPetya Technical Analysis – A Triple Threat: File Encryption, MFT Encryption, Credential Theft”] (29 June 2017), CrowdStrike blog.</ref> possibly developed by the NSA, leaked by a hacker group calling itself the Shadow Brokers, and repurposed by the GRU.<ref>E Nakashima, [https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?noredirect=on&utm_term=.0a890ccf1c13 “Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes”] (12 January 2018), ''Washington Post''.</ref> It acted as a ransomware, encrypting the target computers’ hard drives and demanding ransom in bitcoin. It was only supposed to spread through internal networks, probably to make it more targeted; however, the transnational companies which had their offices in Ukraine had their internal networks infected globally.<ref>E Auchard, J Stubbs, and A Prentice, [https://www.reuters.com/article/us-cyber-attack/new-computer-virus-spreads-from-ukraine-to-disrupt-world-business-idUSKBN19I1TD “New computer virus spreads from Ukraine to disrupt world business”] (27 June 2017), ''Reuters''.</ref>
 
|The NotPetya malware was spread by a centralised update to the MeDoc tax accounting software used by many Ukrainian businesses.<ref>J Wakefield, [https://www.bbc.com/news/technology-40428967 “Tax software blamed for cyber-attack spread”] (28 June 2017), ''BBC News''.</ref> The malware was using the EternalBlue exploit,<ref>K Sood and S Hurley, [https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/ “NotPetya Technical Analysis – A Triple Threat: File Encryption, MFT Encryption, Credential Theft”] (29 June 2017), CrowdStrike blog.</ref> possibly developed by the NSA, leaked by a hacker group calling itself the Shadow Brokers, and repurposed by the GRU.<ref>E Nakashima, [https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?noredirect=on&utm_term=.0a890ccf1c13 “Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes”] (12 January 2018), ''Washington Post''.</ref> It acted as a ransomware, encrypting the target computers’ hard drives and demanding ransom in bitcoin. It was only supposed to spread through internal networks, probably to make it more targeted; however, the transnational companies which had their offices in Ukraine had their internal networks infected globally.<ref>E Auchard, J Stubbs, and A Prentice, [https://www.reuters.com/article/us-cyber-attack/new-computer-virus-spreads-from-ukraine-to-disrupt-world-business-idUSKBN19I1TD “New computer virus spreads from Ukraine to disrupt world business”] (27 June 2017), ''Reuters''.</ref>
 
|-
 
|-
! scope="row"|Purpose
+
|Purpose
 
|Primarily causing economic loss to Ukrainian entities by irreversibly encrypting their data;<ref>F Bajak and R Satter, [https://www.apnews.com/ce7a8aca506742ab8e8873e7f9f229c2/Companies-still-hobbled-from-fearsome-cyberattack “Companies still hobbled from fearsome cyberattack”] (30 June 2017), ''Associated Press''.</ref> the financial gain for the actor was most likely a cover-up (the ransom collection was too simplistic compared to the other parts of the operation and only about USD 10,000 of ransom were collected by 4 July 2017).<ref>A Hern, [https://www.theguardian.com/technology/2017/jul/05/notpetya-ransomware-hackers-ukraine-bitcoin-ransom-wallet-motives “Hackers who targeted Ukraine clean out bitcoin ransom wallet”] (5 July 2017), ''The Guardian''.</ref>
 
|Primarily causing economic loss to Ukrainian entities by irreversibly encrypting their data;<ref>F Bajak and R Satter, [https://www.apnews.com/ce7a8aca506742ab8e8873e7f9f229c2/Companies-still-hobbled-from-fearsome-cyberattack “Companies still hobbled from fearsome cyberattack”] (30 June 2017), ''Associated Press''.</ref> the financial gain for the actor was most likely a cover-up (the ransom collection was too simplistic compared to the other parts of the operation and only about USD 10,000 of ransom were collected by 4 July 2017).<ref>A Hern, [https://www.theguardian.com/technology/2017/jul/05/notpetya-ransomware-hackers-ukraine-bitcoin-ransom-wallet-motives “Hackers who targeted Ukraine clean out bitcoin ransom wallet”] (5 July 2017), ''The Guardian''.</ref>
 
|-
 
|-
! scope="row"|Result
+
|Result
 
|Estimated global economic losses exceeding USD 10 billion;<ref>A Greenberg, [https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ “The Untold Story of NotPetya, the Most Devastating Cyberattack in History”] (22 August 2018), ''Wired''.</ref> radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline.<ref>J Henley and O Solon, [https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe “ ‘Petya’ ransomware attack strikes companies across Europe and US”] (27 June 2018), ''The Guardian''.</ref>
 
|Estimated global economic losses exceeding USD 10 billion;<ref>A Greenberg, [https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ “The Untold Story of NotPetya, the Most Devastating Cyberattack in History”] (22 August 2018), ''Wired''.</ref> radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline.<ref>J Henley and O Solon, [https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe “ ‘Petya’ ransomware attack strikes companies across Europe and US”] (27 June 2018), ''The Guardian''.</ref>
 
|-
 
|-
! scope="row"|Aftermath
+
|Aftermath
 
|The campaign was followed by an extensive public attribution to Russia, which denied all allegations. No further publicly known measures were taken by the victims against Russia.
 
|The campaign was followed by an extensive public attribution to Russia, which denied all allegations. No further publicly known measures were taken by the victims against Russia.
 
|-
 
|-
! scope="row"|Analysed in
+
|Relevance
 
|[[Scenario 04: A State’s failure to assist an international organization]]<br>[[Scenario 07: Leak of State-developed hacking tools]]
 
|[[Scenario 04: A State’s failure to assist an international organization]]<br>[[Scenario 07: Leak of State-developed hacking tools]]
 
|}
 
|}
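
Review bot: Keep the `! scope="row"` header markup on the row labels (Date through the last row) instead of reverting each one to a plain `|` cell as the "Your text" side does; a plain data cell drops the row-header semantics that assistive technology uses to associate each label with its value. The last label also changes from "Analysed in" to "Relevance", and since that cell only lists the scenarios that discuss the incident, "Analysed in" describes its content more precisely. Separately, in the unchanged Result row the Henley and Solon citation is dated 27 June 2018 while its URL path reads 2017/jun/27 and the Date row gives 27-28 June 2017, so the year in that citation should be checked against the source.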

Please note that all contributions to International cyber law: interactive toolkit are considered to be released under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) (see International cyber law: interactive toolkit:Copyrights for details).