NotPetya — a devastating cyber hack…
This is the real life story of what some say is the biggest cyber hack ever conducted. It is the story of NotPetya.
I was first made aware of this tale through a fascinating podcast series called Darknet Diaries. It introduces you to the hidden world of cyber espionage and the dark web. Of the dark web more another time but with my bounded cyber knowledge this is the story as I understand it.
Russia and the Ukraine have been engaged in physical warfare for many years, but back in June of 2017 this war went online. Russia put together a hack that combined a Worm; Ransomware modified from an earlier version called Petya; a password-stealing tool (Mimikatz); and a piece of software that can bypass security on a computer (Eternal Blue). This combination hack, taking just minutes, managed not only to devastate the Ukraine but also many global companies, causing billions of dollars in damage.
Some definitions. A Worm is a virus that replicates and spreads across a network. Ransomware is software that takes control of your computer and makes a demand (such as a payment of money) in order for the computer to be released. A patch is a software fix that closes a known flaw so it can no longer be exploited.
So imagine that if a hacker can access a computer system that is connected to other computers (a network) they could then utilise a Worm to spread Ransomware which will lock down the computers it infects. But how do you enter a computer’s system in the first place? To truly appreciate the audacity of this hack, we need to understand the other pieces of software used in NotPetya called Mimikatz and Eternal Blue.
Mimikatz steals passwords. When it is launched on a computer, not only does it steal the username and password of the current user, but it can 'see' the usernames and passwords of every other person who has used that computer since the last re-boot. The beauty of this software, from the attacker's point of view, is when it gets onto a shared computer (a server, for example). It can then collect the details of other users across the network, and via a Worm can spread to connected computers even if those systems have been patched, because the target computer perceives a logon with a valid username and password as a legitimate method of access.
But what if this combination hack comes across a computer with no other user details? This would be a dead end, preventing the worm from spreading. This is where Eternal Blue shines. Eternal Blue allows a computer to run code on another vulnerable computer anywhere in the world. It lets a hacker get onto a computer without needing any user details at all. So where you couldn't get into a system using Mimikatz, Eternal Blue would do the job for you. Although by the time of NotPetya Microsoft had already released a patch for the flaw Eternal Blue exploits, we can all relate from our own bashful lack of urgency in carrying out IT security updates: it had not been universally applied. That was key to the success of the hack.
According to Darknet Diaries, this is how NotPetya worked. Once the Worm got onto a computer, it would run Mimikatz to collect the usernames and passwords of everyone who had used that computer. It would take those details, log on to neighbouring computers, collect further user details there, and so forth. If it couldn't pass around like that and the computer was unpatched, Eternal Blue would be launched to break in, collect the user details and carry on. As the virus spread, the Ransomware would be launched, rebooting and encrypting each computer and making it inoperable. The idea was to infect as many computers in Ukraine as possible and bring them down.
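As an added illustration of the two-step spread just described (this is not code from the post or the podcast, and the hosts, accounts and links are all made up), the following toy model walks the credential-reuse path first and falls back to the unpatched path only when no harvested credential fits, then replays the outbreak against a patched network and one where the shared admin account can no longer log on everywhere:

```python
# Added toy model of the two-step spread described above; not the post's or the
# podcast's code. Hosts, accounts and links are all constructed, nothing is real.
import copy

# Per host: credentials left in memory (what a Mimikatz-style harvest recovers),
# accounts allowed to log on there, and whether the SMB flaw has been patched.
HOSTS = {
    "accounting-srv": {"cached": {"alice", "domain-admin"}, "logins": {"alice", "domain-admin"}, "patched": True},
    "finance-pc": {"cached": {"bob"}, "logins": {"bob", "domain-admin"}, "patched": True},
    "hr-pc": {"cached": {"carol"}, "logins": {"carol"}, "patched": False},
    "lab-pc": {"cached": {"dave"}, "logins": {"dave"}, "patched": True},
    "mail-srv": {"cached": {"eve"}, "logins": {"eve", "dave"}, "patched": True},
}
LINKS = {  # constructed undirected adjacency
    "accounting-srv": ["finance-pc", "hr-pc"],
    "finance-pc": ["accounting-srv", "lab-pc"],
    "hr-pc": ["accounting-srv", "mail-srv"],
    "lab-pc": ["finance-pc", "mail-srv"],
    "mail-srv": ["hr-pc", "lab-pc"],
}

def simulate(hosts, links, patient_zero):
    """Return (infected hosts, harvested accounts). A neighbour falls if a
    harvested credential is valid there (Mimikatz path) or, failing that, if it
    is unpatched (Eternal Blue path); harvesting grows, so run to a fixed point."""
    infected = {patient_zero}
    harvested = set(hosts[patient_zero]["cached"])
    changed = True
    while changed:
        changed = False
        for cur in list(infected):
            for nxt in links[cur]:
                if nxt in infected:
                    continue
                target = hosts[nxt]
                if harvested & target["logins"] or not target["patched"]:
                    infected.add(nxt)
                    harvested |= target["cached"]
                    changed = True
    return infected, harvested

def harden(hosts, patch=True, drop_shared_admin=True):
    """What-if: patch everywhere and/or bar the shared admin from logging on anywhere."""
    out = copy.deepcopy(hosts)
    for h in out.values():
        if patch:
            h["patched"] = True
        if drop_shared_admin:
            h["logins"].discard("domain-admin")
    return out
```

Starting from `accounting-srv`, the unmodified inventory loses three of five hosts (one via the reused admin credential, one via the missing patch); patching alone still loses two, and patching plus removing the shared admin logon contains the outbreak to the first machine.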
So let's go to the very beginning. The first step for the group was to find a way onto a single computer in Ukraine. Unfortunately we know little about this, other than that the hackers somehow managed to install their combo hack onto the servers of a family-run accounting business located on the 3rd floor of an unlikely building in a dingy, nondescript part of Kiev. But here's the oh-no moment: anyone who does business in the Ukraine or files taxes there uses the software of this family firm.
It spread like wildfire. Within minutes, bank networks across Ukraine were shut down. People couldn't use ATMs, the transport system or credit cards, and the hospitals were paralysed. But it didn't stop there, as a virus knows no borders. International companies that had worked in the Ukraine or with companies there, even if only on a single computer, were also hit: FedEx, Maersk, Merck, Saint-Gobain, Reckitt Benckiser and many other multinationals, to name a few.
Maersk is one of the world's largest container shipping companies, carrying the goods we use every day. Just one computer in their network got infected, but this was enough for their whole network to collapse. For days they could not tell which container ships were in the ports they used or what was in the containers, nor manage the tens of thousands of trucks meant to be collecting and depositing goods. This is how loss of control over your IT network today can cause physical damage. Maersk eventually recovered, but not without weeks and weeks of work to rebuild systems, and at a cost of $300m. FedEx says remedial costs were c$400m; Merck put lost sales and related expenses at c$670m. A White House assessment put the global cost of NotPetya at c$10bn, and some say that it still hasn't been completely wiped from all the world's systems.
War between countries has become increasingly virtual, with real-world consequences, as the ability to deluge a system and cause chaos has ramped up. NotPetya reminds us that this is not a trivial matter.