August 14, 2019
Two Years After NotPetya. Cyberattacks Don't Stop for a Moment
Two years ago, Ukraine suffered from NotPetya - a cyberattack that WIRED named 'the most devastating cyberattack in history'. The culmination of that attack on 27 June 2017 wiped about 10 percent of computers in Ukraine. There were no attacks of similar magnitude in the world afterward, and you may be asking yourself: what does this silence mean? Have cyberattacks on Ukraine stopped? Have Ukrainians learned to protect and defend themselves better? What are the attackers doing now?
In 2017, after multiple pieces of evidence of repeated coordinated cyberattacks on Ukraine, including those presented by ISSP, were carefully studied by Ukrainian and international actors, the world finally recognized that Ukraine had become not just a target but also a testing ground for global cyber warfare. Power stations and other critical infrastructure facilities, businesses, governmental institutions: all had become targets of the cyberattacks that took place in previous years.
The goal of the adversaries operating in Ukraine was to test the effectiveness of their methods and tools. Notably, when attackers caused the shutdown of a power station in 2016, they did it in the middle of the night, since their primary goal was not to cause harm but to test their capabilities. Likewise, the fact that no major culminations of state actor attacks have been detected in Ukraine since NotPetya does not mean the adversaries have stopped their activities. On the contrary, we should be even more concerned, because this silence may indicate ongoing stealthy malicious activity inside target computer infrastructures.
It is crucial to understand that a coordinated and targeted attack lasts 6 to 12 months, and its initial stages of intrusion, reconnaissance, exploration, and infrastructure capture very often go unnoticed. Victims typically witness only the last stages of an attack: infrastructure destruction, data encryption, or a ransom demand. Even the final steps can be invisible if the adversaries' goal is simply to breach an organization's perimeter, find and steal specific data, and leave unnoticed. Today at ISSP, we keep witnessing adversaries trying out and testing new cyberattack technologies, tactics, techniques, and procedures against both private and public sector organizations; new breaches happen regularly, and attackers keep capturing the infrastructure targets that are of interest to them. Even though we haven't seen significant crashes since NotPetya, and many assume that there are no attacks, the truth is that malicious activity in cyberspace never stops for a moment.
The essence of the NotPetya attack remains mostly misunderstood. Everything collapsed, and most people believe that shutting down as many computers and systems as possible was the adversaries' only goal. The truth, though, is that the events of 27 June 2017 were only the last move, the clean-up stage of a much larger and more sophisticated cyber operation. With NotPetya, the adversaries deleted the traces of their activities over a long period and tested a massive coordinated cyberattack. The most worrisome thing is not the widespread crash of computer infrastructures on 27 June, but the months-long period before this clean-up. Through the backdoor in the MeDoc software update, the adversaries gained access to thousands of organizations and their IT infrastructures, and what exactly they did there, what information they gathered, what tools they used, and what sleeper agents they left behind remains mostly unknown. Because NotPetya destroyed the evidence of the attackers' activities preceding the final phase of the attack, it was almost impossible to investigate the attack in the way required to build a full picture and discover all the events within it.
It is important to note that while Ukraine was attacked through the MeDoc software update, an almost identical attack was happening at the same time using CCleaner. This software was installed on millions of computers worldwide, including at top state agencies in the USA and other countries. The adversaries penetrated hundreds of thousands of organizations, and in only 11 of them was the attack taken to the next level, with the hackers deploying a keylogger.
What this means is that the tactics of malicious cyber activity have changed. Adversaries no longer need to attack every individual organization. Instead, they target a software or service provider, install a backdoor, and through a software update automatically infect thousands of other organizations that use this software.
We have learned from NotPetya that IT service providers and, in fact, any company within a supply chain can serve as a penetration tool for gaining access to many organizations. So one positive consequence of NotPetya is that large enterprises and governmental institutions have become more aware of supply chain attacks and more active in using tools and technologies to isolate their suppliers or control them better. The same approach (making sure a supplier is not infected and does not pose a danger to your organization) should be applied when choosing new suppliers and contractors.
NotPetya was a state actor attack, but we must not forget about other groups of adversaries, such as cybercriminals and hacktivists. They also remain active. Malicious activity in the Ukrainian cyber domain stays at a very high level and demands well-prepared protection of IT networks and systems.