Date | 27–28 June 2017 |
---|---|
Location | Ukraine [1] |
Type | Cyberattack |
Cause | Malware, ransomware, cyberterrorism |
Outcome | Affected several Ukrainian ministries, banks, metro systems and state-owned enterprises |
Suspects | Russia (according to statements of Ukrainian authorities, American Michael N. Schmitt and the CIA.) [5] [6] [7] [8] [9] |
A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. [10] Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia. [3] [11] [12] ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. [2] On 28 June 2017, the Ukrainian government stated that the attack was halted. [13] On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target. [14]
Security experts believe the attack originated from an update of a Ukrainian tax accounting package called MeDoc , developed by Intellect Service. [2] MeDoc was widely used among tax accountants in Ukraine, [15] and the software was the main option for accounting for other Ukrainian businesses, according to Mikko Hyppönen, a security expert at F-Secure. [2] MeDoc had about 400,000 customers across Ukraine, representing about 90% of the country's domestic firms, [8] and prior to the attack was installed on an estimated 1 million computers in Ukraine. [16]
MeDoc provides periodic updates to its program through an update server. On the day of the attack, 27 June 2017, an update for MeDoc was pushed out by the update server, following which the ransomware attack began to appear. British malware expert Marcus Hutchins claimed "It looks like the software's automatic update system was compromised and used to download and run malware rather than updates for the software." [2] The company that produces MeDoc claimed they had no intentional involvement in the ransomware attack, as their computer offices were also affected, and they are cooperating with law enforcement to track down the origin. [15] [17] A similar attack via MeDoc software was carried out on 18 May 2017 with the ransomware XData. Hundreds of accounting departments were affected in Ukraine. [18]
The cyberattack was based on a modified version of the Petya ransomware. Like the WannaCry ransomware attack in May 2017, Petya uses the EternalBlue exploit previously discovered in older versions of the Microsoft Windows operating system. When Petya is executed, it encrypts the Master File Table of the hard drive and forces the computer to restart. It then displays a message to the user, telling them their files are now encrypted and to send US$300 in bitcoin to one of three wallets to receive instructions to decrypt their computer. At the same time, the software exploits the Server Message Block protocol in Windows to infect local computers on the same network and any remote computers it can find. Additionally, the NotPetya software was found to use a variant of Mimikatz, a proof-of-concept exploit found in 2011 that demonstrated that user passwords had been retained in computer memory within Windows, exploiting these passwords to help spread across networks. [19]
The EternalBlue exploit had been previously identified, and Microsoft issued patches in March 2017 to shut down the exploit for Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016. However, the WannaCry attack progressed through many computer systems that still used older Windows operating systems or older versions of the newer ones, which still had the exploit, or that users had not taken the steps to download the patches. Microsoft issued new patches for Windows XP, Windows Server 2003 and Windows 8 the day after the WannaCry attack. Security expert Lesley Carhart stated that "Every method of exploitation that the attack used to spread was preventable by well-documented means." [20]
Security experts found that the version of Petya used in the Ukraine cyberattacks had been modified, and consequently was renamed NotPetya or Nyetna to distinguish it from the original malware. NotPetya encrypted all of the files on the infected computers, not just the Master File Table, and in some cases the computer's files were completely wiped or rewritten in a manner that could not be undone through decryption. [21] [22] Some security experts saw that the software could intercept passwords and perform administrator-level actions that could further ruin computer files. They also noted that the software could identify specific computer systems and bypass infection of those systems, suggesting the attack was more surgical in its goal. [20] Unlike the WannaCry software, a "kill switch" was never found in NotPetya, which could have been used to immediately stop its spread. [23] According to Nicholas Weaver of the University of California the hackers had previously compromised MeDoc "made it into a remote-control Trojan, and then they were willing to burn this asset to launch this attack." [8]
During the attack the radiation monitoring system at Ukraine's Chernobyl Nuclear Power Plant went offline. [24] Several Ukrainian ministries, banks, metro systems and state-owned enterprises (Boryspil International Airport, Ukrtelecom, Ukrposhta, State Savings Bank of Ukraine, Ukrainian Railways) were affected. [25] In the infected computers, important computer files were overwritten and thus permanently damaged, despite the malware's displayed message to the user indicating that all files could be recovered "safely and easily" by meeting the attackers' demands and making the requested payment in Bitcoin currency. [26]
The attack has been seen to be more likely aimed at crippling the Ukrainian state rather than for monetary reasons. [15] The attack came on the eve of the Ukrainian public holiday, Constitution Day (celebrating the anniversary of the approval by the Verkhovna Rada (Ukraine's parliament) of the Constitution of Ukraine on 28 June 1996). [27] [28] [29] Most government offices would be empty, allowing the cyberattack to spread without interference. [15] In addition, some security experts saw the ransomware engage in wiping the affected hard drives rather than encrypting them, which would be a further disaster for companies affected by this. [15]
A short time before the cyberattack began, it was reported that a senior intelligence officer and head of a special forces detachment unit of the Ukrainian Chief Directorate of Intelligence, colonel Maksym Shapoval, was assassinated in Kyiv by a car bomb. [30] Former government adviser in Georgia and Moldova Molly K. McKew believed this assassination was related to the cyberattack. [31]
On 28 June 2017 the Ukrainian government stated that the attack was halted, "The situation is under complete control of the cyber security specialists, they are now working to restore the lost data." [13]
Following the initial 27 June attack, security experts found that the code that had infected the M.E.Doc update had a backdoor that could potentially be used to launch another cyberattack. On seeing signs of another cyberattack, the Ukrainian police raided the offices of MeDoc on 4 July 2017 and seized their servers. MeDoc's CEO stated that they were not aware there had been a backdoor installed on their servers, again refuted their involvement in the attack, and were working to help authorities identify the source. [16] [32] Security company ESET found that the backdoor had been installed on MeDoc's updater service as early as 15 May 2017, while experts from Cisco Systems' Talos group found evidence of the backdoor as early as April 2017; either situation points to the cyberattack as a "thoroughly well-planned and well-executed operation". [33] Ukrainian officials have stated that Intellect Service will "face criminal responsibility", as they were previously warned about lax security on their servers by anti-virus firms prior to these events but did not take steps to prevent it. [34] Talos warned that due to the large size of the MeDoc update that contained the NotPetya malware (1.5 gigabytes), there may have been other backdoors that they have yet to find, and another attack could be possible. [33]
On 30 June, the Security Service of Ukraine (SBU) reported it had seized the equipment that had been used to launch the cyberattack, claiming it to have belonged to Russian agents responsible for launching the attack. [35] On 1 July 2017 the SBU claimed that available data showed that the same perpetrators who in Ukraine in December 2016 attacked the financial system, transport and energy facilities of Ukraine (using TeleBots and BlackEnergy) [36] were the same hacking groups who attacked Ukraine on 27 June 2017. "This testifies to the involvement of the special services of Russian Federation in this attack," it concluded. [7] [37] (A December 2016 cyber attack on a Ukrainian state energy computer caused a power cut in the northern part of the capital, Kyiv). [7] Russia–Ukraine relations are at a frozen state since Russia's 2014 annexation of Crimea followed by a Russian government-backed separatist insurgency in eastern Ukraine in which more than 10,000 people had died by late June 2017. [7] (Russia has repeatedly denied sending troops or military equipment to eastern Ukraine). [7] Ukraine claims that hacking Ukrainian state institutions is part of what they describe as a "hybrid war" by Russia on Ukraine. [7]
On 30 June 2017, cyber security firm ESET claimed that the Telebots group (which they claimed had links to BlackEnergy) was behind the attack: "Prior to the outbreak, the Telebots group targeted mainly the financial sector. The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware's spreading capabilities. That's why the malware went out of control." [7] ESET had earlier reported that BlackEnergy had been targeting Ukrainian cyber infrastructure since 2014. [38] In December 2016, ESET had concluded that TeleBots had evolved from the BlackEnergy hackers and that TeleBots had been using cyberattacks to sabotage the Ukrainian financial sector during the second half of 2016. [39]
Around the time of 4 July raid on MeDoc, the $10,000 in bitcoin already collected in the listed wallets for NotPetya had been collected, and experts believed it was used to buy space on the anonymous Tor network. One message posted there purportedly from the NotPetya authors demanded 100,000 bitcoin (about $2.6 million) to halt the attack and decrypt all affected files. [16] On 5 July 2017, a second message purportedly from the NotPetya authors was posted in a Tor website, demanding those that wish to decrypt their files send 100 bitcoin (approximately $250,000). The message was signed with the same private key used by the original Petya ransomware, suggesting the same group was responsible for both. [40]
According to reports cited in January 2018 the United States Central Intelligence Agency claimed Russia was behind the cyberattack, with Russia's Main Intelligence Directorate (GRU) having designed NotPetya. [41] Similarly, the United Kingdom Ministry of Defence accused Russia in February 2018 of launching the cyberattack, that by attacking systems in the Ukraine, the cyberattack would spread and affect major systems in the United Kingdom and elsewhere. Russia had denied its involvement, pointing out that Russian systems were also impacted by the attack. [42]
Wired technology writer Andy Greenberg, in reviewing the history of the cyberattacks, said that the attacks came from a Russian military hacker group called "Sandworm". Greenberg asserted that Sandworm was behind the 2016 blackouts in Kyiv, among other events. The group had been focusing on hacking into Ukraine's financial sector, and sometime in early 2017, had been able to gain access to M.E. Doc's update servers, so that it could be used maliciously to send out the cyberattack in June 2017. [19]
Companies affected include Antonov, Kyivstar, Vodafone Ukraine, lifecell, TV channels STB, ICTV and ATR, Kyiv Metro, UkrGasVydobuvannya (UGV), gas stations WOG, DTEK, EpiCentre K, Kyiv International Airport (Zhuliany), Prominvestbank, Ukrsotsbank, KredoBank, Oshchadbank and others, [13] with over 1,500 legal entities and individuals having contacted the National Police of Ukraine to indicate that they had been victimized by 27 June 2017 cyberattack. [43] Oshchadbank was again fully functional on 3 July 2017. [44] Ukraine's electricity company's computers also went offline due to the attack; but the company continued to fully operate without using computers. [8]
While more than 80% of affected companies were from Ukraine,[ needs update ] the ransomware also spread to several companies in other geolocations, due to those businesses having offices in Ukraine and networking around the globe. Non-Ukrainian companies reporting incidents related to the attack include food processor Mondelez International, [45] the APM Terminals subsidiary of international shipping company A.P. Moller-Maersk, the FedEx shipping subsidiary TNT Express (in August 2017 its deliveries were still disrupted due to the attack), [46] Chinese shipping company COFCO Group, French construction materials company Saint Gobain, [47] advertising agency WPP plc, [48] Heritage Valley Health System of Pittsburgh, [49] law firm DLA Piper, [50] pharmaceutical company Merck & Co., [51] consumer goods maker Reckitt Benckiser, and software provider Nuance Communications. [52] A Ukrainian police officer believes that the ransomware attack was designed to go global so as to distract from the directed cyberattack on Ukraine. [53]
The cost of the cyberattack had yet to be determined, as, after a week of its initial attack, companies were still working to mitigate the damage. Reckitt Benckiser lowered its sales estimates by 2% (about $130 million) for the second quarter primarily due to the attack that affected its global supply chain. [52] [54] Tom Bossert, the Homeland Security adviser to the President of the United States, stated that the total damage was over US$10 billion. [19] Among estimated damages to specific companies included over US$870 million to Merck, US$400 million to FedEx, US$384 million to Saint-Gobain, and US$300 million to Maersk. [19]
Secretary of the National Security and Defence Council of Ukraine Oleksandr Turchynov claimed there were signs of Russian involvement in the 27 June cyberattack, although he did not give any direct evidence. [55] Russian officials have denied any involvement, calling Ukraine's claims "unfounded blanket accusations". [35] NATO Secretary-General Jens Stoltenberg vowed on 28 June 2017 that NATO would continue its support for Ukraine to strengthen its cyber defence. [56] The White House Press Secretary released a statement on 15 February 2018 attributing the attack to the Russian military, calling it "the most destructive and costly cyberattack in history." [57]
IT-businessman, chairman of the supervisory board of the Oktava Capital company Oleksandr Kardakov proposed to create civil cyber defense in Ukraine. [58]
ESET, s.r.o., is a software company specializing in cybersecurity. ESET's security products are made in Europe and provides security software in over 200 countries and territories worldwide. Its software is localized into more than 30 languages.
Ransomware is a type of malware that permanently blocks access to the victim's personal data unless a "ransom" is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.
Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of cyber-dissidents and other active measures. According to investigative journalist Andrei Soldatov, some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB and formerly a part of the 16th KGB department. An analysis by the Defense Intelligence Agency in 2017 outlines Russia's view of "Information Countermeasures" or IPb as "strategically decisive and critically important to control its domestic populace and influence adversary states", dividing 'Information Countermeasures' into two categories of "Informational-Technical" and "Informational-Psychological" groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to "attempts to change people's behavior or beliefs in favor of Russian governmental objectives."
In computer security, a wiper is a class of malware intended to erase the hard drive or other static memory of the computer it infects, maliciously deleting data and programs.
Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.
The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running on Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013. It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment was made by a stated deadline, and it threatened to delete the private key if the deadline passes. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.
The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools, including several zero-day exploits, from the "Equation Group" who are widely suspected to be a branch of the National Security Agency (NSA) of the United States. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.
The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It was propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end of life. These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.
EternalBlue is a computer exploit software developed by the U.S. National Security Agency (NSA). It is based on a vulnerability in Microsoft Windows that allowed users to gain access to any number of computers connected to a network. The NSA knew about this vulnerability but did not disclose it to Microsoft for several years, since they planned to use it as a defense mechanism against cyber attacks. In 2017, the NSA discovered that the software was stolen by a group of hackers known as the Shadow Brokers. Microsoft was informed of this and released security updates in March 2017 patching the vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then publicly released on April 14, 2017.
Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.
The city of Atlanta, Georgia was the subject of a ransomware attack which began in March 2018. The city recognized the attack on Thursday, March 22, 2018, and publicly acknowledged it was a ransomware attack.
Cisco Talos, or Cisco Talos Intelligence Group, is a cybersecurity technology and information security company based in Fulton, Maryland. It is a part of Cisco Systems Inc. Talos' threat intelligence powers Cisco Secure products and services, including malware detection and prevention systems. Talos provides Cisco customers and internet users with customizable defensive technologies and techniques through several of their own open-source products, including the Snort intrusion prevention system and ClamAV anti-virus engine.
Cyberwarfare is a component of the confrontation between Russia and Ukraine since the Revolution of Dignity in 2013-2014. While the first attacks on information systems of private enterprises and state institutions of Ukraine were recorded during mass protests in 2013, Russian cyberweapon Uroburos had been around since 2005. Russian cyberwarfare continued with the 2015 Ukraine power grid hack at Christmas 2015 and again in 2016, paralysis of the State Treasury of Ukraine in December 2016, a Mass hacker supply-chain attack in June 2017 and attacks on Ukrainian government websites in January 2022.
Trickbot was a trojan for Microsoft Windows and other operating systems. Its major function was originally the theft of banking details and other credentials, but its operators have extended its capabilities to create a complete modular malware ecosystem.
Sandworm is an advanced persistent threat operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service. Other names for the group, given by cybersecurity researchers, include APT44, Telebots, Voodoo Bear, IRIDIUM, Seashell Blizzard, and Iron Viking.
Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian or Ukrainian, who target organizations rather than individual consumers.
During the prelude to the Russian invasion of Ukraine and the Russian invasion of Ukraine, multiple cyberattacks against Ukraine were recorded, as well as some attacks on Russia. The first major cyberattack took place on 14 January 2022, and took down more than a dozen of Ukraine's government websites. According to Ukrainian officials, around 70 government websites, including the Ministry of Foreign Affairs, the Cabinet of Ministers, and the National and Defense Council (NSDC), were attacked. Most of the sites were restored within hours of the attack. On 15 February, another cyberattack took down multiple government and bank services.
{{cite news}}
: CS1 maint: multiple names: authors list (link)