Quick overview of the 2017 NotPetya cyber attack
This post is the third in a series of blog posts written by Roy Seaman, our Percy Hobart Fellowship 2021 fellow from the Royal Marines. We’re calling the series “Posting Roy”
In 2017 as part of a global malware incident the NotPetya cyber attack inflicted misery on companies all over the world.
NotPetya is the far more dangerously aggressive and transmissible version of its predecessor, the Petya ransomware. Petya seemed like a straightforward piece of malware: it infects a targeted Windows-only computer, encrypts some data on it and sends a message to the user giving instructions on how they can get their data back for a payment in bitcoin. It did, however, differ from the standard ransomware seen before. Standard ransomware seeks out specific files and encrypts them. Petya, however, installed its own boot loader, overwriting the master boot record and encrypting the master file table, the part of the file system that provides the “road map” for the hard drive. To simplify: your files are there and unencrypted, but the file system that tells your computer their location cannot be accessed. Petya’s key Achilles heel was that it required the user’s permission to run. Those warnings that pop up on your screen saying not to open unfamiliar files because they may be infected are there for a reason!
Fast forward to June 2017, and Petya 2.0, now known as NotPetya, was identified. Its focus appeared to be Ukraine; however, it was found elsewhere in Europe and globally. I cannot help but muse that Europe and elsewhere were just collateral damage from an attack that was focused on Ukraine.
NotPetya differed from Petya in several ways:
NotPetya did not require a victim to spread it. It had multiple avenues of infection, such as EternalBlue and EternalRomance, which exploit the Windows Server Message Block (SMB) protocol. It also used tools to find network administration credentials within an infected machine’s memory before remotely accessing other computers on its local network using tools built into Windows itself.
NotPetya encrypts everything, not just the master boot record.
The nasty side of NotPetya is that it was not designed to be ransomware; it was designed to destroy, while carrying all the hallmarks of ransomware. It made the same demands for ransom, but that was essentially false hope, as NotPetya encrypted and damaged the data beyond repair.
What is interesting is that NotPetya only affected computers running older versions of Windows, which makes the case for businesses to ensure they update their systems as a matter of process, rather than seeing updates as an expense that can be put off.
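The two points above, the SMB exploits and the unpatched older Windows systems, translate into a concrete check an administrator can run. The script below is an added example written for this post; it is not code from the original article or from Awen Collective. It assumes Windows 8.1 / Server 2012 R2 or later (where the SmbShare and DISM PowerShell modules exist), an elevated session, and a hypothetical -Remediate switch defined here. It reports whether SMBv1 (the protocol EternalBlue and EternalRomance target) is still enabled, disables it on request, and lists the most recent security updates so the patch state can be compared against the vendor’s advisories.

```powershell
# Added example (not from the original post): audit and, optionally, disable SMBv1,
# then list recent security updates. -Remediate is a hypothetical switch added here.
param(
    [switch]$Remediate
)

function Get-Smb1Status {
    # Server-side SMB settings; EnableSMB1Protocol is $true when SMBv1 is still served.
    $server = Get-SmbServerConfiguration

    # Windows optional feature state (Windows 8+/Server 2012+; 'Unknown' where DISM cmdlets are absent).
    $feature = $null
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'Unknown' }
        Smb2Enabled       = $server.EnableSMB2Protocol
    }
}

$status = Get-Smb1Status
$status | Format-List

if ($status.Smb1ServerEnabled -and $Remediate) {
    Write-Host "Disabling SMBv1 on $($status.ComputerName)..."
    # Stop serving SMBv1 immediately, then remove the feature (takes effect after reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Host "SMBv1 disabled; a reboot completes the feature removal."
}
elseif ($status.Smb1ServerEnabled) {
    Write-Warning "SMBv1 is enabled on $($status.ComputerName); re-run with -Remediate to disable it."
}

# Patch state: the ten most recent security updates. Specific KB numbers differ per Windows
# build, so none are hard-coded; compare this list with the vendor's advisories for the build.
Get-HotFix |
    Where-Object { $_.Description -match 'Security' } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn
```

Run it without the switch first to see the current state; the audit output alone is useful as evidence for the “updating as a matter of process” point, since SMBv1 still being enabled years after its deprecation is exactly the kind of legacy setting that gets put off.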
One organisation that was affected by NotPetya, and whose case has raised another issue surrounding how organisations mitigate the risks and effects of cybercriminal activity, is Mondelez.
Mondelez is a huge multinational confectionery company that includes well-known brands such as Cadburys, Oreo, Belvita, Tuc, Toblerone etc. - all the guilty pleasures we enjoy. It has operations in 80 countries and around 80,000 employees. The virus infected 1,700 servers and 24,000 laptops at Mondelez alone; that is a lot of unproductive, incapacitated staff. Mondelez did have an insurance policy with Zurich and submitted a claim for $100 million, despite its losses being much higher. Zurich viewed NotPetya as an act of war, classing the attack as state-on-state, and refused to pay out, resulting in a court dispute that can only add to the cost of the attack. No doubt every organisation with an insurance policy covering cyber attacks is now reviewing its policy and seeking assurances: are the terms of the policy clear? How will insurance policies be structured going forward?
Other organisations affected included the shipping and logistics company Maersk, which sustained approximately $400 million in losses, the pharmaceutical company Merck ($870 million) and the construction organisation Saint-Gobain ($384 million), to name some of the more prominent victims. While this highlights big corporations that are more than capable of resourcing the necessary cyber risk mitigation strategies and processes, it also underlines my closing point: cybercriminal activity is a threat to everyone; it is not limited to one industry. If we all want to work in this big integrated system, with information and data on demand, then businesses need to ensure they are servicing the by-products of that. Cybersecurity is a collaborative effort; it will only continue to grow and become a main pillar of the world’s future business environment. The basics that everyone takes for granted, the annoying cybersecurity department that some businesses have only because it is the “done thing” but that no one can tell you the exact purpose of, are in the past.
Profile by Awen Collective helps to ensure that industrial organisations are meeting best practice in terms of cyber security policies and procedures. Dot by Awen Collective helps industrial organisations to know what devices they have on their Operational Technology (OT) networks, and provides actionable intelligence on how to reduce potential cyber vulnerabilities.
Collaboration across EU helps cyber-security of society
Awen Collective has produced a Software-as-a-Service product called Profile which makes it much quicker and easier for Critical National Infrastructure operators, their partners and their regulators to perform audits to ensure regulatory compliance with the NIS Directive. We are also actively working on other projects for some of our continental partners.
The NIS Directive is a European Union directive that has, as of 2018, been implemented in law in all 28 member states of the EU (including the UK). This regulation provides a much needed prompt to European critical infrastructure providers to improve the cyber-security policies, processes and technologies within their whole organisation – from board member to engineer, from IT to Operational Technologies (OT).
However, it is not the only good thing that the European Union has done or is doing in regard to cyber-security in general and industrial cyber-security in particular. We don’t even need to mention GDPR. This blog post outlines some of the other great initiatives.
Europe-wide Cyber-Security Initiatives & Programmes
The European Union Agency for Network and Information Security (ENISA) is a great organisation (or agency) which contributes to network and information systems security across Europe, with a particular focus on ensuring the security and safety of European society, commerce and government. It is a very holistic organisation, very much worth checking out if you have not heard of it. ENISA has done so well over the years that the EU decided to enhance its powers through the Cybersecurity Act of December 2018.
The Computer Emergency Response Team for the EU institutions, agencies and bodies (CERT-EU) provides threat intelligence and assistance in the prevention, detection, mitigation of and response to cyber-attacks by providing a cyber-security information exchange. It works closely with other CERTs in the public and private sectors across Europe.
The European Cyber Crime Centre (EC3) is a division of the EU agency for law enforcement cooperation (EUROPOL). EC3 assists with the law enforcement response to cyber-crime across the EU, with particular focus on strategy, forensics and operations/intelligence. EC3 publishes the Internet Organised Crime Threat Assessment report, which highlights some interesting information.
The European Cybersecurity Industrial, Technology and Research Competence Centre (ECITRCC) is a policy-driven centre focused on the European digital market. It will contribute to the deployment of the latest cyber-security technology, provide financial and technical support to cyber-security start-ups and SMEs, support industrial R&D, push for high levels of cyber-security standards and facilitate cooperation between the civil and defence spheres in regard to cyber-security. It is too early to say how effective the Centre will be, but it seems very promising.
There are also a significant number of funded R&D initiatives across Europe through the Horizon 2020 framework, which require collaboration between organisations in at least a few member states and typically support a mixture of SMEs, universities, larger organisations and the public sector across Europe.
Plus much more…
All of the above combine to help everyone to live and work in Europe safely and securely.
What are Awen doing?
Awen have built software to provide solutions to an international problem. One product, Profile, addresses the NIS Directive directly and is naturally a European-focused product. Contact us today to organise a demonstration of Profile. Email: hello@awencollective.com