Ransomware , Technology

Police in Ukraine Blame Russia for NotPetya

Vendor of Hacked Accounting Software Could Face Criminal Charges
Police in Ukraine Blame Russia for NotPetya
Danish shipping giant Maersk is still recovering systems following the NotPetya outbreak. (Photo: Maersk)

Firms in Ukraine and beyond are still struggling to bring all systems back online following last week's devastating outbreak of "NotPetya" malware. Authorities in Ukraine, where the outbreak began, have yet to fully detail related damage. But government officials have been quick to blame Russia.

See Also: How to Scale Your Vendor Risk Management Program

Moscow, however, has dismissed such allegations as "unfounded," saying it was not involved in the attacks.

Independent security researchers, say it's too early to attribute the outbreak of malware - referred to by many as NotPetya - to any group or nation state.

But investigators are continuing to unravel how the attack was launched.

Cyber police in Ukraine, as well as security firms including Cisco Talos, ESET, Microsoft and Symantec, have said the attacks were facilitated by what one researcher describes as a "cunning backdoor" added to widely used accounting software. Called M.E. Doc, the accountancy and bookkeeping software is used by about 80 percent of firms in Ukraine.

Slovakian security firm ESET says infected Ukrainian firms then spread the malware to branches and business partners in other countries, via VPN connections.

Potential Criminal Charges

Police say the father-daughter team who run Kiev-based Intellect Service, which develops M.E. Doc, could face criminal charges if they knew about attempts to backdoor their code, but did nothing about it.

"We have issues with the company's leadership, because they knew there was a virus in their software but didn't do anything ... if this is confirmed, we will bring charges," Col. Serhiy Demedyuk, the head of Ukraine's national cyber police, told Reuters on Monday.

But Olesya Linnik, managing partner at Intellect Service, dismissed charges that their software - used by 400,000 clients - or update servers had been used to spread the virus.

"What has been established in these days, when no one slept and only worked? We studied and analyzed our product for signs of hacking - it is not infected with a virus and everything is fine, it is safe," she told Reuters. "The update package, which was sent out long before the virus was spread, we checked it 100 times and everything is fine."

Linnik added that her firm was voluntarily working with investigators. "The cyber police are currently bogged down in the investigation, we gave them the logs of all our servers and there are no traces that our servers spread this virus," she said.

But Anton Cherepanov, a malware researcher at ESET, says in a blog post that three M.E. Doc software updates - dated April 14, May 15 and June 22 - contained "a very stealthy and cunning backdoor that was injected by attackers into one of M.E. Doc's legitimate modules."

Via this backdoor, he says, attackers were able to push attack code onto users' PCs, and potentially also to exfiltrate data.

Ukraine Blames Russian Intelligence

Debate continues to rage amongst many security experts over whether NotPetya was designed to be a smokescreen for disk-wiping attacks - since it can leave systems unbootable and data unrecoverable - or if attackers simply fumbled their crypto-locking code (see Latest Ransomware Wave Never Intended to Make Money).

The Security Service of Ukraine, or SBU, says that some code used in the NotPetya malware was previously seen used by the group that launched a December 2016 attack against Ukraine's financial sector, transport sector and power-generating facilities, using attack tools named TeleBots or BlackEnergy. The SBU, in a statement released Saturday, attributes the use of these attack tools to Russia's Special Communications Service - the country's equivalent to the U.S. National Security Agency.

While the timing could be coincidence, the attack was launched June 27, on the eve of Ukraine's Constitution Day, commemorating the signing of the country's constitution in 1996, following the country's independence from Russia in 1991.

The SBU also believes the malware was designed to look like ransomware, but instead was a smokescreen for a "large-scale attack, oriented against Ukraine," that was designed to "destroy data and sow disorder in state and private institutions" as well as stoke mass panic.

NATO Suspects 'Nation State'

NATO, meanwhile, has said the attack "can most likely be attributed to a state actor." NATO Secretary General Jens Stoltenberg reaffirmed Wednesday that if a cyberattack triggered damage commensurate with an armed attack, it could trigger NATO Article 5, meaning military response would be one option for responding.

"If the operation could be linked to an ongoing international armed conflict, then law of armed conflict would apply, at least to the extent that injury or physical damage was caused by it, and with respect to possible direct participation in hostilities by civilian hackers," said Tomáš Minárik, a researcher at the law branch of NATO's Cyber Defense Center of Excellence, in a press release. "But so far there are reports of neither."

NotPetya Cleanup Continues

Many affected firms are still struggling to get all affected systems restored.

Authorities in Ukraine have yet to detail the damage NotPetya caused to the country, but it does not appear to be minimal. Employees at some of the country's banks did not report to work for days, and at Kiev's Boryspil Airport, about one-third of back-office PCs remained offline, Associated Press reports.

July 2 update issued by DLA Piper.

Global law firm DLA Piper said Sunday that it has restored its email systems following the attack, but that it is still working to restore other systems "in a secure manner." The law firm says its related investigation remains ongoing, but that "we have seen no evidence that client data was taken or that there was a breach of confidentiality of that data."

Danish shipping giant Maersk said in a Monday update via Twitter that it's "getting closer to full speed" again. It added in an online statement that it had restored its online shipping portal and ability to generate import manifests, but not yet export manifests. "Our vessels remain sailing and all terminals - except one - are now functioning; importing and releasing export cargo," it said.

Russian oil producer Rosneft, which was also infected with NotPetya, couldn't be immediately respond for comment on the status of its incident response efforts.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network