Quick overview of the 2017 NotPetya cyber attack


This post is the third in a series of blog posts written by Roy Seaman, our Percy Hobart Fellowship 2021 fellow from the Royal Marines. We’re calling the series “Posting Roy

In 2017, as part of a global malware incident, the NotPetya cyber attack inflicted misery on companies all over the world.

NotPetya is the far more dangerously aggressive and transmissible version of its predecessor, the Petya ransomware. Petya seemed like straightforward malware: it infects a targeted Windows-only computer, encrypts some data on it and sends a message to the user giving instructions on how they can get their data back for a payment in bitcoin. It did, however, differ from the standard ransomware seen before. Standard malware seeks out specific files and encrypts them. Petya instead installed its own boot loader, overwriting the master boot record and encrypting the master file table, the part of the file system that provides the “road map” for the hard drive. To simplify: your files are there and unencrypted, but the file system that tells your computer their location cannot be accessed. The key Achilles heel of Petya is that it required the user to authorise it. Those warnings that pop up on your screen saying not to open unfamiliar files as they may be infected are there for a reason!

Fast forward to June 2017, and Petya 2.0, now known as NotPetya, was identified. Its focus appeared to be Ukraine; however, it was found elsewhere in Europe and globally. I cannot help but muse that Europe and elsewhere were just collateral of an attack that was focused on Ukraine.

NotPetya differed from Petya in several ways: 

  • NotPetya did not require a victim to spread it. It had multiple avenues of infection, such as EternalBlue and EternalRomance, which exploit the Windows Server Message Block (SMB) protocol. It also used tools to find network administration credentials within an infected machine's memory before remotely accessing other computers on its local network using tools within Windows itself.

  • NotPetya encrypted everything, not just the master boot record.

  • The nasty side of NotPetya is that it was not designed to be ransomware; it was designed to destroy, while carrying all the hallmarks of ransomware. It made the same demands for ransom, but essentially this was just false hope, as NotPetya encrypted and damaged the data beyond repair.

What is interesting is that NotPetya only affected computers running older versions of Windows, which makes the case for businesses to ensure they are updating their systems as a matter of process, rather than seeing it as an expense that can be put off.

One organisation that was affected by NotPetya, and whose case has brought to light another issue surrounding how organisations mitigate the risks and effects of cybercriminal activity, is Mondelez.

Mondelez is a huge multinational confectionery company that includes well-known brands such as Cadburys, Oreo, Belvita, Tuc, Toblerone etc - all the guilty pleasures we enjoy. It has operations in 80 countries, employing around 80,000 employees. The virus infected 1,700 servers and 24,000 laptops in Mondelez alone; that is a lot of unproductive, incapacitated staff. Mondelez did have an insurance policy with Zurich and submitted a claim for $100 million, despite losses being much higher. Zurich viewed NotPetya as an act of war, classing the attack as state-on-state, and refused to pay out, resulting in a dispute in court which can only add to the cost of the attack. No doubt every organisation with an insurance policy covering cyber attacks is now reviewing their policy and seeking assurances: are the terms of their insurance policy clear? How will insurance policies be structured going forward?

Other organisations that were affected include the shipping and logistics company Maersk, which sustained approximately $400 million in losses; Merck, a pharmaceutical company, $870 million; and Saint Gobain, a construction organisation, $384 million, to name some of the more prominent victims. While this highlights some of the big corporations who are more than capable of resourcing the necessary cyber risk mitigation strategies and processes, it also highlights my closing point. Cybercriminal activity is a threat to everyone; it is not limited to one industry. If we all want to work in this big integrated system with information and data on demand, then businesses need to ensure they are servicing the by-products of that. Cybersecurity is a collaborative effort; it will only continue to grow and become a main pillar within the world's future business environment. The basics that everyone takes for granted, and the annoying cybersecurity department that some businesses have only because it is the “done thing” but that no one can tell you the exact purpose of, are in the past.

Profile by Awen Collective helps to ensure that industrial organisations are meeting the best practice in terms of cyber security policies and procedures. Dot by Awen Collective helps industrial organisations to know what devices they have on their Operational Technology (OT) networks, and provides actionable intelligence on how to reduce the potential cyber vulnerabilities.