
NotPetya: From Russian Intelligence, With Love

CIA Reportedly Believes Russian Military Launched Wiper Disguised as Ransomware
NotPetya outbreak ground zero: Kiev-based servers hosting M.E. Doc software updates. (Source: Ukrainian police)

A new report says that the CIA has attributed last year's NotPetya malware outbreak to the Russian military.


Citing no sources by name, The Washington Post report instead references "classified reports cited by U.S. intelligence officials." It says the CIA concluded last November with "high confidence" that Russia's GRU military intelligence agency was behind NotPetya, aka SortaPetya, Petna, ExPetr, Diskcoder.C, Nyetya and GoldenEye.

The CIA didn't immediately respond to a request for comment about the report.

European intelligence agencies also reportedly attributed NotPetya to the Kremlin, which may have been probing how quickly Ukraine could respond to a cyberattack.

The Ukrainian government was quick to blame Russia for unleashing NotPetya. The Kremlin has denied those accusations.

But the NotPetya attribution squares with numerous private sector assessments. While NotPetya first appeared to be a ransomware outbreak predicated on monetary gain, many researchers, including Dubai-based incident response expert Matthieu Suiche, quickly concluded that NotPetya was instead designed explicitly to cause chaos and delete data, leaving systems unrecoverable. As researchers at Moscow-based security firm Kaspersky Lab wrote last June, "it appears it was designed as a wiper pretending to be ransomware."

The malware outbreak began on May 27, 2017, via "a very stealthy and cunning backdoor" added to source code of accountancy software called M.E. Doc, which is widely used in Ukraine, according to Slovakian security firm ESET. Police in Ukraine ultimately raided Kiev-based Intellect Service, which develops the software, seizing its update servers (see Police Seize Backdoored Firm's Servers to Stop Attacks).

Ground zero for NotPetya was Ukraine. But the malware spread to Ukrainian business partners in many other countries, including Russia, Poland, Italy, Germany, Denmark, the United Kingdom and the United States (see Maersk Previews NotPetya Impact: Up to $300 Million).

Detections of NotPetya malware outbreaks - as of 9:00 a.m. PDT on June 28, 2017 - by ESET.

Fake News as a Weapon

Intelligence experts say NotPetya follows in the mold of the Kremlin's previous tactics, which increasingly blend traditional military campaigns with information warfare and cyberattacks, seeming to probe for weak points not just in military and cybersecurity defenses, but also government policy (see No Shock: Russia Confirms 'Cyber War' Efforts).

One favored Kremlin tactic is the so-called 4D campaign - for dismiss, distort, distract and dismay - according to former U.S. Ambassador to Germany John B. Emerson. In a 2015 speech, he warned that the Russian government was becoming more expert at running these types of propaganda campaigns (see The US Presidential Election Hacker Who Wasn't).

"It's a pattern of more bold, aggressive action," says Robert Hannigan, former head of Britain's GCHQ intelligence agency, describing Russia's hybrid warfare tactics to The Washington Post.

Indeed, NotPetya is not an isolated incident. Counting NotPetya, by last summer Ukraine had been hit by four look-alike malware strains, including XData, PSCrypt and a WannaCry look-alike (see Ukraine Power Supplier Hit by WannaCry Look-alike).

Many information security experts believe Russia is using Ukraine as a cyberattack test bed. Many also believe other hacking groups, including Fancy Bear - aka Sofacy, Pawn Storm and APT28, among other names - are tied to the GRU (see Fancy Bear Targets US Senate, Security Researchers Warn).

The Shadow Brokers Connection

Meanwhile, there's The Shadow Brokers, a group that first appeared in August 2016 and began leaking multiple attacks built by the Equation Group, which many believe is the U.S. National Security Agency.

Those attacks included EternalBlue, which targets a flaw in the server message block, or SMB, version 1 protocol in Windows that Microsoft has since patched (see Eternally Blue? Scanner Finds EternalBlue Still Widespread).

After EternalBlue was leaked on April 14, 2017, WannaCry and later NotPetya used the exploit to spread rapidly. While the identity of The Shadow Brokers remains an open question, many believe it's a Russian intelligence operation.

"I've long suspected EternalBlue was burned to take media focus away from Russian hacking and put it on U.S. hacking," Jake Williams, head of cybersecurity consultancy Rendition Infosec, says via Twitter.

Kaspersky Lab Questions

The Russian government may have obtained EternalBlue and other exploits after an NSA employee, 67-year-old Nghia Hoang Pho, took home classified information and installed it on his home PC, which was running Kaspersky Lab's anti-virus software as well as a pirated and potentially backdoored copy of Microsoft Office 2013 (see Spy Whose Files Were Plucked by Kaspersky Pleads Guilty).

U.S. officials, speaking on background, have claimed that the Russian government used Kaspersky Lab's telemetry network and endpoint software to scan for keywords tied to U.S. intelligence operations (see Kaspersky Lab Says It Spotted APT Code, Quickly Deleted It).

Kaspersky Lab, however, has continued to deny any wrongdoing and warned against heeding "unverified opinions" and "unsubstantiated allegations" against it. "We have never helped and will never help any government with its cyber espionage efforts, and we have no ties with Shadow Brokers or any other cyber-threat actor," the company says in a statement.

"We are committed to demonstrating our trustworthiness with our Global Transparency Initiative," it adds (see Kaspersky Opens Up Code to Refute Spying Allegations).

Information security experts say it's unlikely that the U.S. government or anyone else who believes that the Russian government used Kaspersky Lab's software to spy on systems would ever release evidence to back up that assertion, because it might expose intelligence-gathering methods. But this failure to produce any hard evidence means that Kaspersky Lab has no opportunity to refute it.

"For political and commercial reasons Kaspersky has been put in the impossible position of trying to prove two negatives: one, that there are no back doors in its code and, two, that it is not an agent of the Russian intelligence community," says information assurance trainer William Hugh Murray. "Those who choose to believe these baseless charges are not going to be convinced by argument or evidence."

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
