Five Eyes Nations Peg Russia as the Brains behind Petya/NotPetya
Remember Petya and NotPetya? Quick reminder: The initial version of the Petya malware went live in March 2016. What first looked like a general ransomware attack quickly turned out to be targeting Ukraine’s crucial infrastructure, including its central bank, airport, metro transport, and even the Chernobyl power plant. The hackers used the Ukrainian accounting program MeDoc to spread the ransomware, and planted malware on the homepage of a prominent Ukraine-based news outlet. Fingers were pointing at Russia, especially since the ransom part of the attack seemed lackluster.
In June 2017, a new version of Petya began spreading rapidly in the wild, making its way from Ukraine across Europe and beyond. Dubbed NotPetya, it looked like ransomware, but its true nature was wiping systems. The campaign was targeting Ukraine but also compromised companies in the US (Merck and Federal Express), oil company Rosneft in Russia, shipping giant A.P. Moller-Maersk in Denmark, metals manufacturer Evraz in Russia, and Ukraine's Boryspil Airport.
Finding the actual threat group behind a cyberattack is already difficult, but figuring out what their true intentions are is even harder. What complicates matters is that nation-state hacker groups deploy tactics that are used by common cybercrooks (and vice versa). An example is the WannaCry ransomware attack, which seemed to be the handiwork of hackers wanting to make money. Later, it became clear that North Korea was behind it. It does not stop there. According to US intelligence officials, Russia's GRU military hacking unit was behind the 2018 Winter Olympics cyberattacks, using North Korean IP addresses and other false flags to make it appear that North Korea was the culprit. This tactic resembles a Russian military doctrine called "maskirovka," which is all about deceiving and confusing the victim while also hiding the actual intent of the operation.
In the case of Petya/NotPetya, the Five Eyes (FVEY) intelligence alliance, which consists of the US, Canada, Australia, New Zealand and the UK, blames Russia. FVEY shares information between its five English-speaking member states, including intelligence about cyber attacks. The UK was the first to pin the attacks on Russia, with Canada, Australia and New Zealand following suit.
As it looks now, we can expect more state-sponsored attacks during 2018, as the latest one clearly shows. The German Federal Office for Information Security (BSI) and intelligence services are investigating a cyberattack that took place on February 28 this year. The Russian hacking group Fancy Bear, aka APT28, breached the private networks of the Ministry of Defense and the Ministry of the Interior. Fancy Bear is also blamed for a similar attack on the lower house of the German parliament in 2015 and on the Christian Democratic Union party of Chancellor Angela Merkel. The group was also behind the 2016 attack on the Democratic National Committee (DNC) in the US.
But it’s not only nations that are at risk from sophisticated “maskirovka”-style cyberattacks. In its recent report “Global Threat Report: Blurring the Lines between Statecraft and Tradecraft”, CrowdStrike noted that highly sophisticated cyber-warfare weaponry is being pushed down into the mass market and commoditized. This means that cybercrooks can use it for, e.g., ransomware attacks on organizations.
To be protected, organizations of all sizes need to have up-to-date security solutions in place. On the proactive side, a Breach & Attack Simulation (BAS) platform can be used to test the organization’s security posture. Cymulate’s BAS platform simulates multi-vector, internal or external attacks by targeting the latest vulnerabilities, including those being exploited in the wild. These simulated attacks (which include immediate threats) expose vulnerability gaps, which allows the organization to determine whether its security framework provides the right protection and whether its configurations and controls are properly implemented. Since simulations can be run at any time from anywhere, organizations can test their security posture as soon as a new threat is announced.