Difference between revisions of "NotPetya (2017)"

From International cyber law: interactive toolkit
m (Uncleistvan1BBB moved page NotPetya (mock ransomware) to NotPetya (2017))
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
{| class="wikitable"
 
{| class="wikitable"
|Date
+
! scope="row"|Date
 
|27-28 June 2017
 
|27-28 June 2017
 
|-
 
|-
|Discovered on
+
! scope="row"|Suspected actor
|27 June 2017
 
|-
 
|Suspected actor
 
 
|Russian Federation (official attribution statements made by Ukraine,<ref>P Polityuk, [https://www.reuters.com/article/us-cyber-attack-ukraine/ukraine-points-finger-at-russian-security-services-in-recent-cyber-attack-idUSKBN19M39P “Ukraine points finger at Russian security services in recent cyber attack”] (1 July 2017), ''Reuters''. </ref> US and UK<ref>S Marsh, [https://www.theguardian.com/technology/2018/feb/15/uk-blames-russia-notpetya-cyber-attack-ukraine “US joins UK in blaming Russia for NotPetya cyber-attack”] (15 February 2018), ''The Guardian''.</ref>)
 
|Russian Federation (official attribution statements made by Ukraine,<ref>P Polityuk, [https://www.reuters.com/article/us-cyber-attack-ukraine/ukraine-points-finger-at-russian-security-services-in-recent-cyber-attack-idUSKBN19M39P “Ukraine points finger at Russian security services in recent cyber attack”] (1 July 2017), ''Reuters''. </ref> US and UK<ref>S Marsh, [https://www.theguardian.com/technology/2018/feb/15/uk-blames-russia-notpetya-cyber-attack-ukraine “US joins UK in blaming Russia for NotPetya cyber-attack”] (15 February 2018), ''The Guardian''.</ref>)
 
|-
 
|-
|Victims
+
! scope="row"|Victims
 
|Ukrainian public and private sector (80% of affected systems);<ref>J Wakefield, [https://www.bbc.com/news/technology-40428967 “Tax software blamed for cyber-attack spread”] (28 June 2017), ''BBC News''.</ref> multinational companies (Maersk, Merck, FedEx, Saint-Gobain and others)
 
|Ukrainian public and private sector (80% of affected systems);<ref>J Wakefield, [https://www.bbc.com/news/technology-40428967 “Tax software blamed for cyber-attack spread”] (28 June 2017), ''BBC News''.</ref> multinational companies (Maersk, Merck, FedEx, Saint-Gobain and others)
 
|-
 
|-
|Target systems
+
! scope="row"|Target systems
 
|Microsoft Windows-based systems
 
|Microsoft Windows-based systems
 
|-
 
|-
|Method
+
! scope="row"|Method
 
|The NotPetya malware was spread by a centralised update to the MeDoc tax accounting software used by many Ukrainian businesses.<ref>J Wakefield, [https://www.bbc.com/news/technology-40428967 “Tax software blamed for cyber-attack spread”] (28 June 2017), ''BBC News''.</ref> The malware was using the EternalBlue exploit,<ref>K Sood and S Hurley, [https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/ “NotPetya Technical Analysis – A Triple Threat: File Encryption, MFT Encryption, Credential Theft”] (29 June 2017), CrowdStrike blog.</ref> possibly developed by the NSA, leaked by a hacker group calling itself the Shadow Brokers, and repurposed by the GRU.<ref>E Nakashima, [https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?noredirect=on&utm_term=.0a890ccf1c13 “Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes”] (12 January 2018), ''Washington Post''.</ref> It acted as a ransomware, encrypting the target computers’ hard drives and demanding ransom in bitcoin. It was only supposed to spread through internal networks, probably to make it more targeted; however, the transnational companies which had their offices in Ukraine had their internal networks infected globally.<ref>E Auchard, J Stubbs, and A Prentice, [https://www.reuters.com/article/us-cyber-attack/new-computer-virus-spreads-from-ukraine-to-disrupt-world-business-idUSKBN19I1TD “New computer virus spreads from Ukraine to disrupt world business”] (27 June 2017), ''Reuters''.</ref>
 
|The NotPetya malware was spread by a centralised update to the MeDoc tax accounting software used by many Ukrainian businesses.<ref>J Wakefield, [https://www.bbc.com/news/technology-40428967 “Tax software blamed for cyber-attack spread”] (28 June 2017), ''BBC News''.</ref> The malware was using the EternalBlue exploit,<ref>K Sood and S Hurley, [https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/ “NotPetya Technical Analysis – A Triple Threat: File Encryption, MFT Encryption, Credential Theft”] (29 June 2017), CrowdStrike blog.</ref> possibly developed by the NSA, leaked by a hacker group calling itself the Shadow Brokers, and repurposed by the GRU.<ref>E Nakashima, [https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?noredirect=on&utm_term=.0a890ccf1c13 “Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes”] (12 January 2018), ''Washington Post''.</ref> It acted as a ransomware, encrypting the target computers’ hard drives and demanding ransom in bitcoin. It was only supposed to spread through internal networks, probably to make it more targeted; however, the transnational companies which had their offices in Ukraine had their internal networks infected globally.<ref>E Auchard, J Stubbs, and A Prentice, [https://www.reuters.com/article/us-cyber-attack/new-computer-virus-spreads-from-ukraine-to-disrupt-world-business-idUSKBN19I1TD “New computer virus spreads from Ukraine to disrupt world business”] (27 June 2017), ''Reuters''.</ref>
 
|-
 
|-
|Purpose
+
! scope="row"|Purpose
 
|Primarily causing economic loss to Ukrainian entities by irreversibly encrypting their data;<ref>F Bajak and R Satter, [https://www.apnews.com/ce7a8aca506742ab8e8873e7f9f229c2/Companies-still-hobbled-from-fearsome-cyberattack “Companies still hobbled from fearsome cyberattack”] (30 June 2017), ''Associated Press''.</ref> the financial gain for the actor was most likely a cover-up (the ransom collection was too simplistic compared to the other parts of the operation and only about USD 10,000 of ransom were collected by 4 July 2017).<ref>A Hern, [https://www.theguardian.com/technology/2017/jul/05/notpetya-ransomware-hackers-ukraine-bitcoin-ransom-wallet-motives “Hackers who targeted Ukraine clean out bitcoin ransom wallet”] (5 July 2017), ''The Guardian''.</ref>
 
|Primarily causing economic loss to Ukrainian entities by irreversibly encrypting their data;<ref>F Bajak and R Satter, [https://www.apnews.com/ce7a8aca506742ab8e8873e7f9f229c2/Companies-still-hobbled-from-fearsome-cyberattack “Companies still hobbled from fearsome cyberattack”] (30 June 2017), ''Associated Press''.</ref> the financial gain for the actor was most likely a cover-up (the ransom collection was too simplistic compared to the other parts of the operation and only about USD 10,000 of ransom were collected by 4 July 2017).<ref>A Hern, [https://www.theguardian.com/technology/2017/jul/05/notpetya-ransomware-hackers-ukraine-bitcoin-ransom-wallet-motives “Hackers who targeted Ukraine clean out bitcoin ransom wallet”] (5 July 2017), ''The Guardian''.</ref>
 
|-
 
|-
|Result
+
! scope="row"|Result
 
|Estimated global economic losses exceeding USD 10 billion;<ref>A Greenberg, [https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ “The Untold Story of NotPetya, the Most Devastating Cyberattack in History”] (22 August 2018), ''Wired''.</ref> radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline.<ref>J Henley and O Solon, [https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe “ ‘Petya’ ransomware attack strikes companies across Europe and US”] (27 June 2018), ''The Guardian''.</ref>
 
|Estimated global economic losses exceeding USD 10 billion;<ref>A Greenberg, [https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ “The Untold Story of NotPetya, the Most Devastating Cyberattack in History”] (22 August 2018), ''Wired''.</ref> radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline.<ref>J Henley and O Solon, [https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe “ ‘Petya’ ransomware attack strikes companies across Europe and US”] (27 June 2018), ''The Guardian''.</ref>
 
|-
 
|-
|Aftermath
+
! scope="row"|Aftermath
 
|The campaign was followed by an extensive public attribution to Russia, which denied all allegations. No further publicly known measures were taken by the victims against Russia.
 
|The campaign was followed by an extensive public attribution to Russia, which denied all allegations. No further publicly known measures were taken by the victims against Russia.
 
|-
 
|-
|Relevance
+
! scope="row"|Analysed in
 
|[[Scenario 04: A State’s failure to assist an international organization]]<br>[[Scenario 07: Leak of State-developed hacking tools]]
 
|[[Scenario 04: A State’s failure to assist an international organization]]<br>[[Scenario 07: Leak of State-developed hacking tools]]
 
|}
 
|}
 +
 +
Collected by: [[Tomáš Minárik]]
  
 
[[Category:Example]]
 
[[Category:Example]]
 +
[[Category:2017]]
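Review bot: the Henley and Solon Guardian reference in the Result row carries the date "(27 June 2018)" in both the old and the new revision, while its URL path is /world/2017/jun/27/ and the Date row gives the incident as 27-28 June 2017, so the year in that citation should read 2017; worth correcting while this row is being touched. Separately, the old "Discovered on | 27 June 2017" row is dropped without its value being folded into the Date row; if the discovery date is meant to be preserved, the Date cell should say so explicitly rather than leaving only the "27-28 June 2017" range. The switch from plain "|Date" cells to "! scope="row"|Date" header cells, the rename of "Relevance" to "Analysed in" and the added "[[Category:2017]]" are fine as they stand.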

Latest revision as of 08:05, 17 May 2019

Date: 27-28 June 2017
Suspected actor: Russian Federation (official attribution statements made by Ukraine,[1] US and UK[2])
Victims: Ukrainian public and private sector (80% of affected systems);[3] multinational companies (Maersk, Merck, FedEx, Saint-Gobain and others)
Target systems: Microsoft Windows-based systems
Method: The NotPetya malware was spread by a centralised update to the MeDoc tax accounting software used by many Ukrainian businesses.[4] The malware used the EternalBlue exploit,[5] possibly developed by the NSA, leaked by a hacker group calling itself the Shadow Brokers, and repurposed by the GRU.[6] It acted as ransomware, encrypting the target computers’ hard drives and demanding a ransom in bitcoin. It was only supposed to spread through internal networks, probably to make it more targeted; however, the transnational companies which had offices in Ukraine had their internal networks infected globally.[7]
Purpose: Primarily causing economic loss to Ukrainian entities by irreversibly encrypting their data;[8] the financial gain for the actor was most likely a cover-up (the ransom collection was too simplistic compared to the other parts of the operation, and only about USD 10,000 of ransom had been collected by 4 July 2017).[9]
Result: Estimated global economic losses exceeding USD 10 billion;[10] the radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline.[11]
Aftermath: The campaign was followed by extensive public attribution to Russia, which denied all allegations. No further publicly known measures were taken by the victims against Russia.
Analysed in: Scenario 04: A State’s failure to assist an international organization; Scenario 07: Leak of State-developed hacking tools

Collected by: Tomáš Minárik