From Plausible to Probable: Cyberattack Targets Ukrainian Financial Sector Using Stolen NSA Tools

By Luke Tenery, Pascale C. Siegel

August 24, 2017

This article is the second part of a collaborative series by Ankura’s cybersecurity and geopolitical teams. It probes the fallout of the Vault 7 cybertheft of National Security Agency hacking tools and considers how cybercrime continues to evolve, how the risk to critical infrastructure has shifted from one that is plausible to one that is now probable, and how the compromise of the NSA hacking tools contributed to June’s Ukraine cyberattack. The first article, entitled “From Possible to Plausible: Petya as Portent, WannaCry as Warning, NotPetya as Gathering Storm,” analyzed the evolution of the cyberthreat landscape during the last six months, including the increasingly geopolitical dimension of cyberattacks, and the escalated risk posed to businesses and critical infrastructure.

THE VIRUS QUICKLY SPREAD TO RUSSIA, THE REST OF EUROPE, THE UNITED STATES, AND ASIA, AFFECTING OVER 60 COUNTRIES.

On June 27, cyber actors infiltrated Ukrainian banking, industrial, transport, and medical systems with the NotPetya virus, a derivative of the Russian-developed Petya malware first discovered in 2016. The virus quickly spread to Russia, the rest of Europe, the United States, and Asia, affecting over 60 countries. An estimated 60 percent of the attack affected Ukraine, 30 percent affected Russia, and the remaining 10 percent affected systems in other countries.

The virus was transmitted by three methods. The initial infection occurred via tax preparation software updates from accounting software firm M.E. Doc. Many Ukrainian state agencies and a significant percentage of the financial industry, including state-owned Oschadbank, used this software in daily operations. The virus also spread via email phishing software using programs Eternal Blue and Eternal Romance, both NSA hacking tools leaked in the March Vault 7 dump. Eternal Blue had previously been used in the May WannaCry attack. While some computers reached a WannaCry paywall requesting $300 in bitcoin, other computers were wiped clean. As of July 7, more than 40 victims are reported to have paid the ransom, with total direct payments of over $10,000. However, the disruption of normal business operations and the loss of data, proved much costlier than ransom payments. Many companies are still recovering from the attack.

Ukrainian authorities who investigated the incursion using cyber tools provided by NATO have formally blamed Russia for the attack. For the past three years, Ukraine and Russia have been deadlocked in overt and covert conflict over Russia’s annexation of Crimea and subsequent backing of separatist forces in eastern Ukraine. While bleed over from the NotPetya cyberattack caused significant collateral damage to systems outside Ukraine, the primary target was the Ukrainian government’s ability to process financial data. In this regard, the attack is properly viewed as the latest event in the hybrid war Russia has been waging against the Ukraine. There is wide consensus among governmental officials, cybersecurity experts, and academics that in recent years, as Ukraine has edged closer to the West through economic association, visa-free travel with the EU, and a request to NATO for lethal weapons, Russia has responded by escalating its cyberattacks against Ukraine.

THE OUTBREAK OCCURRED ON THE EVENING BEFORE UKRAINE’S CONSTITUTION DAY, WHICH COMMEMORATES THE FORMATION OF A NEW UKRAINIAN GOVERNMENT FOLLOWING THE DISSOLUTION OF THE SOVIET UNION.

The timing of the NotPetya incident also suggests a Russian connection. The outbreak occurred on the evening before Ukraine’s Constitution Day, which commemorates the formation of a new Ukrainian government following the dissolution of the Soviet Union. As the intrusion appeared to be a retaliatory measure in response to sanctions against the Russian tech industry, Ukrainian leaders believe the perpetrators’ motivation was more than symbolic. On April 28, almost two months prior to the NotPetya outbreak, Ukraine imposed sanctions on several Russian tech firms, including 1C, the largest provider of accounting software in Russia and formerly the market leader in Ukraine. Thus, many Ukrainian financial firms switched software, making them vulnerable to the stolen NSA infiltration tools Eternal Blue and Eternal Romance. The Ukrainian government and several cybersecurity firms point to evidence suggesting the massive ransom scheme was merely a ploy to hide the hackers’ true motive: to disrupt Ukrainian institutions and destabilize the country.

Due to the relative sophistication of the incursion, we conclude with relatively high confidence that the attack was state-sponsored. Nation-state actors capable of carrying out such an attack include China, North Korea, Russia, and possibly Iran. While we believe all evidence points to the incident most likely being the work of a Russian state-sponsored hacking group, other actors cannot be ruled out.

Kiev-based Information Systems Security Partners found evidence that hackers infiltrated the networks of at least some Ukrainian targets two to three months before they triggered the ransomware that paralyzed those organizations. Per analysis by ISSP, intruders installed the destructive elements in the infrastructure after infiltrating and studying the affected organizations. This suggests an insider within the company facilitated the attacks. Multiple anti-virus companies warned accounting software producer M.E. Doc of vulnerabilities before the attack, but the company did not heed the expert advice and now faces criminal charges in Ukraine.

IT APPEARS THE VIRUS MAY HAVE BEEN DESIGNED AS A WIPER, OR A DESTRUCTIVE ATTACK THAT ERASES DATA, PRETENDING TO BE RANSOMWARE.

The attackers’ techniques reportedly match the “handwriting” of previous attacks attributed to Russian-linked hacking groups in 2015 and 2016. In many cases, the ransomware’s encryption was irreversible, even if a victim paid the ransom. Each encryption key was randomly generated and not linked to any computer, leaving no way for the attackers to decrypt victim machines. This indicates the attackers were not trying to extort payments, but rather sought to cause disruption. It appears the virus may have been designed as a wiper, or a destructive attack that erases data, pretending to be ransomware. A group of Russian-affiliated hackers called Sandworm is known to have perpetrated attacks in which boot records are wiped and irreversible ransomware is planted. This modus operandi, in addition to Sandworm’s years of prior involvement in Ukrainian hacking, suggests Sandworm could be the culprit. However, it is also possible that the attackers’ goal was to carry out surveillance and collect information from targeted organizations, primarily in Ukraine, in preparation of future attacks. Notably, the hack affected Russia’s state-owned oil company Rosneft and steelmaker Evraz. However, while the attack brought serious consequences for other corporations (like shipping giant Maersk), neither Rosneft nor Evraz suffered similar fallout. One possible explanation is that the hackers intervened to stop the attack from propagating further.

Following this discovery on July 5, the authors of the NotPetya virus announced they will provide the encryption key used in the attack in exchange for $250,000 in the cryptocurrency bitcoin. The reasons for this are unclear, but one explanation is an improvised attempt to reinsert a financial motive as a cover-up.

THE NSA ATTRIBUTED THE WANNACRY ATTACK TO A NORTH KOREA-BASED HACKING GROUP.

If financial gain in fact motivated the attacks, North Korea remains the likeliest suspect. As mentioned above, the authors of the NotPetya virus used alleged NSA hacking tool Eternal Blue, which was itself leaked by the Russian-affiliated group Shadow Brokers, to power their malware, as did the authors of the WannaCry virus in May. The NSA attributed the WannaCry attack to a North Korea-based hacking group. It is possible that NotPetya could simply be the latest iteration of a tweaked WannaCry, with North Korea using Ukraine as a testing ground for its cyberweapons. As attacks against Ukraine are typically attributed to Russia, this would help conceal the hackers’ identity. It is also possible that the authors of NotPetya committed amateur mistakes, inadvertently turning a ransomware attempt into a destructive attack.

The appropriation of leaked NSA hacking tools reintroduces the question of whether the NSA is capable of safeguarding offensive cyberweapons and underscores the need for strengthening the US public-private partnership in cyberspace. The NSA leaks, as well as the recent CIA hacking leak, proved a gold mine for cybercriminals and state-sponsored actors alike.

Given the treasure trove of tools the NSA and CIA may have unwittingly provided, financially and politically motivated attacks like NotPetya and WannaCry are expected to continue in the immediate future. As cybercriminals become more sophisticated, businesses are increasingly vulnerable. As an example, Shadow Brokers is now touting a leak subscription service, which includes early access to new leaked malware. The recent global malware attacks have raised questions about possible response options of affected states and the international community, prompting high-level discussions among NATO members regarding increased cybersecurity cooperation.

Regardless of the perpetrator of the NotPetya attack, the NSA’s unwitting contribution could trigger anti-American sentiment abroad, with social and cultural ramifications. The attack also highlights the potentially significant economic loss to businesses, primarily due to the disruption of normal operating activity. Higher cyber insurance premiums are likely, along with cybersecurity industry growth.

On a positive note, the global nature of the threat and increasing degree of destructiveness could prompt efforts to establish international norms for operating in cyberspace. China, one of the leading state actors, recently indicated it would be amenable to such a move. What role the US would play is unclear at this point, as the Trump administration continues to sketch out a cohesive national cybersecurity strategy.