Eternal Blue – NotPetya Attack Case…

The NotPetya cyberattack, which occurred on June 27, 2017, is considered one of the most destructive cyberattacks in history. It began in Ukraine and quickly spread globally, affecting numerous organizations and causing over $10 billion in damages. The attack was attributed to a group of Russian hackers known as the Sandworm team, recognized as a military unit of the Russian intelligence service GRU.

NotPetya targeted systems to infect them and destroy data, exploiting vulnerabilities in computer systems of multiple companies and government agencies. The malware overwrote the Master Boot Record of the system with a malicious payload, attempting to force a “hard error” within Windows to reboot the system. If that failed, it created a task on the Windows system to initiate a reboot after a set delay. Upon reboot, the code executed and encrypted user files on the system.

The attack used an exploit for the MS17-010 vulnerability, also known as “EternalBlue,” to spread. Additionally, it harvested credentials from infected machines and used other techniques like PsExec and/or Windows Management Instrumentation (WMI) to move laterally throughout a network and infect other machines.

In Ukraine, the attack crippled ports, paralyzed corporations, and froze government agencies. It affected at least four hospitals in Kiev, six power companies, two airports, more than 22 Ukrainian banks, ATMs, and card payment systems in retailers and transport, and practically every federal agency. The attack even shut down the computers used by scientists at the Chernobyl cleanup site.

Globally, the attack affected multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, Saint-Gobain, Mondelēz, and Reckitt Benckiser, inflicting nine-figure costs in each case.

The NotPetya attack highlighted the need for international cooperation in identifying and responding to state-sponsored cyberattacks. In February 2018, the United States, the United Kingdom, Denmark, Lithuania, Estonia, Canada, and Australia met to agree on a joint response with the support of New Zealand, Finland, Norway, Latvia, and Sweden. Sanctions have been imposed on Russia since 2018 to restrict its access to the international market and contain its potential for further cyber capabilities.

The NotPetya case study underscores the importance of cybersecurity measures and international collaboration in mitigating the impact of state-sponsored cyberattacks.

Looking at this in a little more detail…

The NotPetya cyberattack, which emerged on June 27, 2017, is a significant case study in the realm of cyberwarfare and international law. This attack, initially disguised as ransomware, quickly revealed its true nature as a highly destructive wiper, causing widespread damage to organizations and governments worldwide. The following detailed analysis covers the technical aspects, impact, attribution, and legal implications of the NotPetya attack.

Technical Aspects of the NotPetya Attack

Initial Infection and Propagation

NotPetya initially infected systems through a compromised update of M.E.Doc, a popular Ukrainian accounting software. The malware spread using EternalBlue, an exploit for CVE-2017-0144 in the Windows Server Message Block (SMB) protocol that had previously been leaked by the Shadow Brokers group. Once inside a network, NotPetya employed a multi-stage infection process:

  1. Initial Access: The malware used the EternalBlue exploit to gain initial access to a system.
  2. Credential Theft: Tools like Mimikatz were used to steal user credentials and escalate privileges.
  3. Lateral Movement: NotPetya leveraged legitimate administrative tools such as PsExec and Windows Management Instrumentation (WMI) to propagate across interconnected systems.
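The three-step propagation chain above leaves traces a defender can hunt for. The following Python is an added example, not code from the original post or from any vendor: it runs two heuristics over constructed records, a PsExec/WMI check on Windows event records (event IDs 7045 and 4688 are the real Windows "service installed" and "process created" events; hostnames, paths and the flow records are constructed) and an SMB fan-out count over flow records that stands in for the scanning an SMB worm produces.

```python
"""Hunting logic for the NotPetya propagation pattern: SMB fan-out on 445
(EternalBlue), PsExec service installs and WMI-spawned processes.
Added example; every record below is constructed."""
from collections import defaultdict

# Constructed records. Field names follow the Windows System/Security logs:
# 7045 = service installed, 4688 = process created. FLOWS stands in for
# firewall/NetFlow entries as (src, dst, dst_port).
EVENTS = [
    {"host": "FS01", "event_id": 7045, "ServiceName": "PSEXESVC"},
    {"host": "FS01", "event_id": 4688, "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "ParentProcessName": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS07", "event_id": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "WS09", "event_id": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]
FLOWS = [("10.0.1.5", f"10.0.1.{i}", 445) for i in range(10, 40)] + \
        [("10.0.1.7", "10.0.1.2", 445), ("10.0.1.7", "10.0.1.3", 445)]

# Children of WmiPrvSE.exe that usually mean remote command execution, not
# ordinary WMI provider activity; extend or trim for your estate.
LOLBINS = ("\\cmd.exe", "\\powershell.exe", "\\rundll32.exe", "\\wscript.exe")

def detect_lateral_movement(events):
    """Return {host: [finding, ...]} for PsExec / WMI indicators."""
    findings = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
            findings[ev["host"]].append("psexec_service_installed")
        elif ev["event_id"] == 4688:
            parent = ev.get("ParentProcessName", "").lower()
            child = ev.get("NewProcessName", "").lower()
            if parent.endswith("\\psexesvc.exe"):
                findings[ev["host"]].append("psexec_child_process")
            elif parent.endswith("\\wmiprvse.exe") and child.endswith(LOLBINS):
                findings[ev["host"]].append("wmi_remote_exec")
    return dict(findings)

def detect_smb_fanout(flows, threshold=20):
    """Return sources that contacted more than `threshold` distinct hosts on
    TCP 445: the fan-out a worm produces while hunting for SMB targets."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port == 445:
            targets[src].add(dst)
    return sorted(s for s, d in targets.items() if len(d) > threshold)

if __name__ == "__main__":
    print(detect_lateral_movement(EVENTS))   # FS01 and WS07 flagged
    print(detect_smb_fanout(FLOWS))          # ['10.0.1.5']
```

Legitimate administration tooling also installs PSEXESVC and spawns processes under WmiPrvSE.exe, so the findings are hunting leads to triage against a baseline of known management hosts rather than verdicts.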

Malware Behavior

Upon infecting a system, NotPetya overwrote the Master Boot Record (MBR) and the Master File Table (MFT), rendering the affected systems inoperable. It then displayed a ransom note, demanding a Bitcoin payment for the decryption key. However, the attackers’ email address had been shut down, making it impossible for victims to communicate and recover their data. The primary objective of NotPetya was to disrupt operations and destroy data, not to generate financial gain.

Impact of the NotPetya Attack

Financial and Operational Damage

The NotPetya attack caused significant financial and operational damage to numerous organizations and governments. Some of the most affected entities include:

  • Maersk: The Danish shipping giant experienced a complete shutdown of its computer systems, leading to a halt in operations at port terminals and ships left idle at sea. The company estimated the attack cost them around $300 million.
  • Mondelez: The food company suffered disruptions to its email systems, file access, and logistics, resulting in weeks of downtime. Mondelez filed an insurance claim for damages, which was denied on the basis that the attack was an act of war.
  • Merck: The pharmaceutical giant faced significant disruptions, with estimated losses of around $300 million.
  • FedEx: The logistics company, particularly its European subsidiary TNT Express, was severely impacted, with estimated losses of around $300 million.
  • Reckitt Benckiser: The consumer goods company also faced substantial disruptions and estimated losses of around $200 million.

Global Spread

Although Ukraine was the primary target, the malware quickly spread to over 60 countries, affecting thousands of organizations. The attack’s rapid propagation and destructive nature made it one of the most significant cyberattacks in history, causing an estimated $10 billion in total damages.

Attribution and International Response

Attribution to Russian State Actors

The NotPetya attack was attributed to a group of Russian hackers known as the Sandworm team, recognized as a unit of the Russian intelligence service GRU. This attribution was based on the use of specific coding techniques and the group’s history of targeting Ukrainian infrastructure. In 2015, the Sandworm team was suspected of causing a power outage in Ukraine by hacking into the IT networks of regional power companies.

International Collaboration

In February 2018, the United States, the United Kingdom, Denmark, Lithuania, Estonia, Canada, and Australia issued coordinated statements attributing NotPetya to the Russian government. This international collaboration was crucial in identifying the group responsible and sending a strong message against state-sponsored cyberattacks. The affected states shared information to quickly identify the culprits and coordinate a joint response.

Legal and Insurance Implications

Insurance Claims and Legal Battles

The NotPetya attack raised significant legal and insurance issues. Mondelez, one of the most affected companies, filed an insurance claim for damages, which was denied by Zurich Insurance Group on the grounds that the attack was an act of war. The ensuing lawsuit between Mondelez and Zurich over whether NotPetya was sufficiently “warlike” to trigger the exception in Mondelez’s policy has far-reaching implications for both buyers and sellers of cyber insurance policies.

Policy and Regulatory Responses

The NotPetya attack highlighted the need for clearer definitions of cyber warfare and cyberterrorism in insurance policies. Policymakers in several states and countries have taken an active interest in cyber insurance, but they have done little to resolve the persistent uncertainty over what types of cyberattacks fall under insurance policy war exclusions. The decision in the Mondelez case is crucial for both insurers and their customers, as it will help clarify the extent to which existing government insurance backstops for terrorism might apply to cyberattacks like NotPetya.

Conclusion

The NotPetya attack of 2017 is a landmark event in the history of cyberwarfare, demonstrating the destructive potential of state-sponsored cyberattacks and the far-reaching consequences for both targeted and collateral victims. The attack’s technical sophistication, rapid propagation, and significant financial and operational damage have made it a critical case study for understanding the evolving landscape of cyber threats and the need for robust cybersecurity measures and international cooperation.

Summary Table

Aspect                  Details
----------------------  --------------------------------------------------------------------------------
Initial Infection       Compromised M.E.Doc update, exploited EternalBlue vulnerability
Propagation             Used Mimikatz for credential theft, PsExec and WMI for lateral movement
Malware Behavior        Overwrote MBR and MFT, displayed ransom note, but data recovery impossible
Primary Target          Ukraine, but spread globally
Notable Victims         Maersk, Mondelez, Merck, FedEx, Reckitt Benckiser
Financial Impact        Estimated $10 billion in total damages
Attribution             Sandworm team (GRU), Russian state actors
International Response  Coordinated statements by US, UK, Denmark, Lithuania, Estonia, Canada, and Australia
Legal Implications      Mondelez vs. Zurich Insurance Group lawsuit over act of war exclusion
Policy Implications     Need for clearer definitions of cyber warfare and cyberterrorism in insurance policies

This comprehensive analysis provides a detailed understanding of the NotPetya attack, its technical and operational aspects, and its broader implications for cybersecurity and international law.

Called “The Most Destructive Hack used…”


