Last update: happy July 4th, American readers! – For the original article, read below the line-break.

Update 4: Analysis on the backdoor by ESET

ESET posted a thorough and interesting analysis. Couple of takeaways:

1. Intruders were apparently in the network for +/- 3 months (or longer?)
2. Analysis confirms the regular MeDoc software update method as the NotPetya delivery mechanism. In fact, the delivery mechanism works/worked identical to NotPetya’s own spreading method (rundll32.exe, as per the ESET article).
3. The backdoor was specifically designed for the Ukraine, it seems. EDRPOU values have no use outside the Ukraine.

Particularly the inclusion of EDRPOU enumeration by the backdoor implies specifically targeting the Ukraine by the threat actor. This is also completely consistent with the geo-restricted watering hole attack on the Bahmut news site (see earlier).

Considering the MeDoc software is Ukraine-specific already, however, it does raise the question if this backdoor was intended to target specific companies (EDRPOUs are supposedly unique assigned to a company?). Was NotPetya indiscriminately launched against all successfully backdoored company networks (a ‘burn notice‘ for the existing backdoor/exploits/tooling if you will) or were specific companies targeted based on these EDRPOU numbers (also possible based on NotPetya’s attempts to cover its tracks)? If someone knows whether or not Ukrainian companies exist that had the backdoor, but were not attacked with NotPetya, I’d like to know!

Update 3: Attribution speculation

I have some doubts whether this was a Russian operation.

Ukrainian intelligence is now claiming that this was a Russian attack. It is common knowledge and obvious that nation-state attacks at this kind of scale need the approval of the president/prime minister. Exactly because of the potential scale and impact of cyberattacks, this certainly would not be any different in Russia. In other words: I believe Putin would have had to approve NotPetya’s deployment at some point.

Consider that Putin is a (former..?) top-ranking life-time KGB/FSB intelligence officer, would he really approve an attack at this scale and level, with so much collateral damage, all the while leaving (too) obvious pointers back to Russia? The NotPetya design and purpose certainly wasn’t “Amateur Hour”. That said, I can imagine it be an intentional play: “Make the clues too obvious to be believable”, but it could simply be a false-flag operation too: Ukraine recently voted to make NATO membership one of their primary goals, and this could be a move to speed up their application/approval process.

Of course, this is all very much speculation, but it’s certainly food for thought.

Update 2: MeDoc and watering hole confirmed

It has been confirmed that the MeDoc software’s update mechanism was used to deploy NotPetya. As stated, MeDoc is specific to Ukrainian companies (useless to others), because it is needed to exchange tax/accounting information with the Ukrainian government. Also, a Ukrainian news site, Bahmut, was used as a watering hole attack: visitors coming from Ukrainian IP ranges were being actively attacked with the NotPetya malware (through known browser exploits).

Update 1: a high ranking Ukrainian intelligence officer was killed yesterday was killed on the same day as the NotPetya outbreak.

But maybe that was just a coincidence..?

Introduction

Undoubtedly you have heard by now that on June 27th, a massive ransomware attack, dubbed NotPetya / GoldenEye / Nyetya struck several large business throughout the world. In this post, I’d like to make the argument that this was a targeted attack at the Ukraïne, disguised as a ‘regular phishing / ransomware’ attack.

What NotPetya does

The delivery mechanism for NotPetya has been established by several sources now and is believed to be the M.E.Doc updater mechanism. M.E.Doc (www.me-doc.com.ua) is an Ukrainian accountancy company that provides accounting/tax software for interactions with the Ukrainian government. Secondary sources are purported to be phishing e-mails making use of the .HTA (CVE-2017-0199) exploit. NotPetya is otherwise similar (hence the name) to the Petya ransomware. It replaces the Master Boot Record with a fake CHKDSK screen, while in reality the files are being encrypted. At the end, it displays a ransomware notice instructing the user to pay $300 in BitCoin equivalent to a single address.

A targeted attack?

For the following reasons, I believe NotPetya to be a targeted attack at the Ukraine, aimed at causing the largest possible disruption of services and operations throughout the country:

• NotPetya is somewhat unique in its aggressiveness and combination of exploitation techniques: it attempts to leverage PsExec, WMIC, harvested credentials (from memory), ETERNALBLUE (CVE-2017-0143) and ETERNALROMANCE (CVE-2017-0144) attacks to move laterally across the network.
• NotPetya was deliberately spread on June 27th. June 28th is a national holiday in the Ukraine (Constitution Day). This is reminiscent of the WannaCry attack on a Friday, before the weekend, that was attributed to the LAZARUS group.
• NotPetya specifically leveraged the Ukrainian MeDoc company, providing services specifically for the Ukraine, as the initial infection vector.
• Spreading happens specifically on the local subnet, contrary to the WannaCry attack. I would expect ‘regular’ ransomware to attempt to maximize spreading, instead of deliberately targeting only part of a network.
• The inbuilt scheduled ‘shutdown’ of an hour after the infection and aggressive lateral movement, but before the actual encryption, causes most systems in the network to reboot and become unusable at roughly the same time, maximizing the chance of disabling an organization’s operations entirely.
• The unusual and advanced combination of exploit attacks does not align with the ‘amateuristic’ approach to the actual ransomware payment of ‘only’ $300 to a single BitCoin address (which was promptly suspended). This could be construed to mean that the effect of ransomware was not the primary goal.

Conclusion

Undoubtedly there will be a lot of ongoing speculation and analysis, including on attribution. That said, I feel that the behaviour of NotPetya and the current information points to a targeted attack on the Ukraine, with the ‘collateral damage’ world-wide being an intentional attempt at a ‘smoke screen’ by the Threat Actor.

This blog is a personal blog and does not reflect the opinions, standards, etc. of my employer. If you have questions or comments, please feel free to reach out to me personally at penguin <kajigger> dhcp <doohickey> net.