Difference between revisions of "NotPetya (2017)"
Jump to navigation
Jump to search
(Created page with "{| class="wikitable" |Date |27-28 June 2017 |- |Discovered on |27 June 2017 |- |Suspected actor |Russian Federation (official attribution statements made by Ukraine,<ref>P Pol...") |
m (Uncleistvan1BBB moved page NotPetya (mock ransomware) to NotPetya (2017)) |
||
| (7 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{| class="wikitable" | {| class="wikitable" | ||
| − | |Date | + | ! scope="row"|Date |
|27-28 June 2017 | |27-28 June 2017 | ||
|- | |- | ||
| − | | | + | ! scope="row"|Suspected actor |
| − | | | + | |Russian Federation (official attribution statements made by Ukraine,<ref>P Polityuk, [https://www.reuters.com/article/us-cyber-attack-ukraine/ukraine-points-finger-at-russian-security-services-in-recent-cyber-attack-idUSKBN19M39P “Ukraine points finger at Russian security services in recent cyber attack”] (1 July 2017), ''Reuters''. </ref> US and UK<ref>S Marsh, [https://www.theguardian.com/technology/2018/feb/15/uk-blames-russia-notpetya-cyber-attack-ukraine “US joins UK in blaming Russia for NotPetya cyber-attack”] (15 February 2018), ''The Guardian''.</ref>) |
|- | |- | ||
| − | | | + | ! scope="row"|Victims |
| − | | | + | |Ukrainian public and private sector (80% of affected systems);<ref>J Wakefield, [https://www.bbc.com/news/technology-40428967 “Tax software blamed for cyber-attack spread”] (28 June 2017), ''BBC News''.</ref> multinational companies (Maersk, Merck, FedEx, Saint-Gobain and others) |
|- | |- | ||
| − | + | ! scope="row"|Target systems | |
| − | |||
| − | |||
| − | |Target systems | ||
|Microsoft Windows-based systems | |Microsoft Windows-based systems | ||
|- | |- | ||
| − | |Method | + | ! scope="row"|Method |
| − | |The NotPetya malware was spread by a centralised update to the MeDoc tax accounting software used by many Ukrainian businesses.<ref>J Wakefield, [https://www.bbc.com/news/technology-40428967 “Tax software blamed for cyber-attack spread”] (28 June 2017), BBC News.</ref> The malware was using the EternalBlue exploit,<ref>K Sood and S Hurley, [https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/ “NotPetya Technical Analysis – A Triple Threat: File Encryption, MFT Encryption, Credential Theft”] (29 June 2017), CrowdStrike blog.</ref> possibly developed by the NSA, leaked by a hacker group calling itself the Shadow Brokers, and repurposed by the GRU.<ref>E Nakashima, [https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?noredirect=on&utm_term=.0a890ccf1c13 “Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes”] (12 January 2018), Washington Post.</ref> It acted as a ransomware, encrypting the target computers’ hard drives and demanding ransom in bitcoin. It was only supposed to spread through internal networks, probably to make it more targeted; however, the transnational companies which had their offices in Ukraine had their internal networks infected globally.<ref>E Auchard, J Stubbs, and A Prentice, [https://www.reuters.com/article/us-cyber-attack/new-computer-virus-spreads-from-ukraine-to-disrupt-world-business-idUSKBN19I1TD “New computer virus spreads from Ukraine to disrupt world business”] (27 June 2017), Reuters.</ref> | + | |The NotPetya malware was spread by a centralised update to the MeDoc tax accounting software used by many Ukrainian businesses.<ref>J Wakefield, [https://www.bbc.com/news/technology-40428967 “Tax software blamed for cyber-attack spread”] (28 June 2017), ''BBC News''.</ref> The malware was using the EternalBlue exploit,<ref>K Sood and S Hurley, [https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/ “NotPetya Technical Analysis – A Triple Threat: File Encryption, MFT Encryption, Credential Theft”] (29 June 2017), CrowdStrike blog.</ref> possibly developed by the NSA, leaked by a hacker group calling itself the Shadow Brokers, and repurposed by the GRU.<ref>E Nakashima, [https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html?noredirect=on&utm_term=.0a890ccf1c13 “Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes”] (12 January 2018), ''Washington Post''.</ref> It acted as a ransomware, encrypting the target computers’ hard drives and demanding ransom in bitcoin. It was only supposed to spread through internal networks, probably to make it more targeted; however, the transnational companies which had their offices in Ukraine had their internal networks infected globally.<ref>E Auchard, J Stubbs, and A Prentice, [https://www.reuters.com/article/us-cyber-attack/new-computer-virus-spreads-from-ukraine-to-disrupt-world-business-idUSKBN19I1TD “New computer virus spreads from Ukraine to disrupt world business”] (27 June 2017), ''Reuters''.</ref> |
|- | |- | ||
| − | |Purpose | + | ! scope="row"|Purpose |
| − | |Primarily causing economic loss to Ukrainian entities by irreversibly encrypting their data;<ref>F Bajak and R Satter, [https://www.apnews.com/ce7a8aca506742ab8e8873e7f9f229c2/Companies-still-hobbled-from-fearsome-cyberattack “Companies still hobbled from fearsome cyberattack”] (30 June 2017), Associated Press.</ref> the financial gain for the actor was most likely a cover-up (the ransom collection was too simplistic compared to the other parts of the operation and only about USD 10,000 of ransom were collected by 4 July 2017).<ref>A Hern, [https://www.theguardian.com/technology/2017/jul/05/notpetya-ransomware-hackers-ukraine-bitcoin-ransom-wallet-motives “Hackers who targeted Ukraine clean out bitcoin ransom wallet”] (5 July 2017), The Guardian.</ref> | + | |Primarily causing economic loss to Ukrainian entities by irreversibly encrypting their data;<ref>F Bajak and R Satter, [https://www.apnews.com/ce7a8aca506742ab8e8873e7f9f229c2/Companies-still-hobbled-from-fearsome-cyberattack “Companies still hobbled from fearsome cyberattack”] (30 June 2017), ''Associated Press''.</ref> the financial gain for the actor was most likely a cover-up (the ransom collection was too simplistic compared to the other parts of the operation and only about USD 10,000 of ransom were collected by 4 July 2017).<ref>A Hern, [https://www.theguardian.com/technology/2017/jul/05/notpetya-ransomware-hackers-ukraine-bitcoin-ransom-wallet-motives “Hackers who targeted Ukraine clean out bitcoin ransom wallet”] (5 July 2017), ''The Guardian''.</ref> |
|- | |- | ||
| − | |Result | + | ! scope="row"|Result |
| − | |Estimated global economic losses exceeding USD 10 billion;<ref>A Greenberg, [https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ “The Untold Story of NotPetya, the Most Devastating Cyberattack in History”] (22 August 2018), Wired.</ref> radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline.<ref>J Henley and O Solon, [https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe “ ‘Petya’ ransomware attack strikes companies across Europe and US”] (27 June 2018), The Guardian.</ref> | + | |Estimated global economic losses exceeding USD 10 billion;<ref>A Greenberg, [https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ “The Untold Story of NotPetya, the Most Devastating Cyberattack in History”] (22 August 2018), ''Wired''.</ref> radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline.<ref>J Henley and O Solon, [https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe “ ‘Petya’ ransomware attack strikes companies across Europe and US”] (27 June 2018), ''The Guardian''.</ref> |
|- | |- | ||
| − | |Aftermath | + | ! scope="row"|Aftermath |
|The campaign was followed by an extensive public attribution to Russia, which denied all allegations. No further publicly known measures were taken by the victims against Russia. | |The campaign was followed by an extensive public attribution to Russia, which denied all allegations. No further publicly known measures were taken by the victims against Russia. | ||
|- | |- | ||
| − | | | + | ! scope="row"|Analysed in |
| − | |[[Scenario 04: A State’s failure to assist an international organization]] | + | |[[Scenario 04: A State’s failure to assist an international organization]]<br>[[Scenario 07: Leak of State-developed hacking tools]] |
| − | |||
|} | |} | ||
| + | |||
| + | Collected by: [[Tomáš Minárik]] | ||
| + | |||
| + | [[Category:Example]] | ||
| + | [[Category:2017]] | ||
Latest revision as of 08:05, 17 May 2019
| Date | 27-28 June 2017 |
|---|---|
| Suspected actor | Russian Federation (official attribution statements made by Ukraine,[1] US and UK[2]) |
| Victims | Ukrainian public and private sector (80% of affected systems);[3] multinational companies (Maersk, Merck, FedEx, Saint-Gobain and others) |
| Target systems | Microsoft Windows-based systems |
| Method | The NotPetya malware was spread by a centralised update to the MeDoc tax accounting software used by many Ukrainian businesses.[4] The malware was using the EternalBlue exploit,[5] possibly developed by the NSA, leaked by a hacker group calling itself the Shadow Brokers, and repurposed by the GRU.[6] It acted as a ransomware, encrypting the target computers’ hard drives and demanding ransom in bitcoin. It was only supposed to spread through internal networks, probably to make it more targeted; however, the transnational companies which had their offices in Ukraine had their internal networks infected globally.[7] |
| Purpose | Primarily causing economic loss to Ukrainian entities by irreversibly encrypting their data;[8] the financial gain for the actor was most likely a cover-up (the ransom collection was too simplistic compared to the other parts of the operation and only about USD 10,000 of ransom were collected by 4 July 2017).[9] |
| Result | Estimated global economic losses exceeding USD 10 billion;[10] radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline.[11] |
| Aftermath | The campaign was followed by an extensive public attribution to Russia, which denied all allegations. No further publicly known measures were taken by the victims against Russia. |
| Analysed in | Scenario 04: A State’s failure to assist an international organization Scenario 07: Leak of State-developed hacking tools |
Collected by: Tomáš Minárik
- ↑ P Polityuk, “Ukraine points finger at Russian security services in recent cyber attack” (1 July 2017), Reuters.
- ↑ S Marsh, “US joins UK in blaming Russia for NotPetya cyber-attack” (15 February 2018), The Guardian.
- ↑ J Wakefield, “Tax software blamed for cyber-attack spread” (28 June 2017), BBC News.
- ↑ J Wakefield, “Tax software blamed for cyber-attack spread” (28 June 2017), BBC News.
- ↑ K Sood and S Hurley, “NotPetya Technical Analysis – A Triple Threat: File Encryption, MFT Encryption, Credential Theft” (29 June 2017), CrowdStrike blog.
- ↑ E Nakashima, “Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes” (12 January 2018), Washington Post.
- ↑ E Auchard, J Stubbs, and A Prentice, “New computer virus spreads from Ukraine to disrupt world business” (27 June 2017), Reuters.
- ↑ F Bajak and R Satter, “Companies still hobbled from fearsome cyberattack” (30 June 2017), Associated Press.
- ↑ A Hern, “Hackers who targeted Ukraine clean out bitcoin ransom wallet” (5 July 2017), The Guardian.
- ↑ A Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History” (22 August 2018), Wired.
- ↑ J Henley and O Solon, “ ‘Petya’ ransomware attack strikes companies across Europe and US” (27 June 2018), The Guardian.