Bleep.
All around Ukraine, thousands of screens suddenly went blank on the morning of June 27, 2017. It could not have come at a worse time for a country in turmoil. Just a few hours earlier, the head of the Chief Intelligence Directorate of Ukraine, Maksim Shapoval, had been assassinated in a car bombing in Kyiv, one day before Constitution Day, a holiday meant to celebrate a country already strained by an ongoing war.
The state-owned energy company, Ukrenergo, was the first to be hit, at 5 a.m. Then the virus, which initially appeared to be Petya, a notorious encrypting malware, began to spread. Within hours, the Kyiv Metro, Boryspil Airport, and the National Bank of Ukraine went down. It was a digital blitzkrieg. As it spread, more companies were affected, including the French company Saint-Gobain, the British communications company WPP, and the American food company Mondelez.
After a few minutes, though, something odd happened to the computers. The systems rebooted and showed a check disk (chkdsk) screen, stating that this was just a normal process and that the computer was automatically repairing the primary file partition. That, of course, was a brazen lie. While the "repair" ran, the Master File Table (MFT) was being fully encrypted, destroying the file system and making it impossible to boot into the operating system once the computer rebooted a second time.
That was when the masquerade finally fell. An ominous black screen with red text revealed the apparent motive: a ransomware attack. The ransom note stated that all the user's files were encrypted and that the only way to recover them was to pay $300 worth of Bitcoin, a popular cryptocurrency.
The Reality: A Wiper, Not Ransomware
"There's still a lot to wait for before I feel good about attribution," said military IT expert Jonathan Nichols the day after the attack, according to the BBC, "but I'm fairly confident the combination of crappy ransomware with government-mandated software suggests that the purpose wasn't financial."
Indeed, as Nichols stated, it wasn't. Very quickly after the attack, the malware was dubbed Not_Petya by the cybersecurity company Kaspersky. Unlike its predecessor, Not_Petya used the ransomware façade only as a diversion, and it had an entirely different attack vector. Hackers hijacked the update server of MeDoc, an accounting program widely used in Ukraine, and pushed a malicious update. Because the update carried forged digital signatures, antivirus software accepted it as legitimate, and every company running MeDoc received the update with Not_Petya secretly hidden inside.
Once installed, the malware forced a system reboot while encrypting the NTFS partitions and overwriting the MFT. While the user scrambled to arrange payment, the malware scanned the network for vulnerable SMB services (the Windows protocol that handles network communication and file sharing). Once it found them, it spread through the network using the EternalBlue and EternalRomance exploits.
The Devastating Impact
The most important discovery came later: Not_Petya was actually a wiper, because it encrypted data it had no intention of ever decrypting. More proof emerged that, unlike with Petya, there was no way to actually pay the ransom and get the drive back. First, the email address that victims were told to contact after sending the Bitcoin was shut down by the email provider, Posteo, so there was no way to reach the attackers at all. Worse still, the malware never stored the randomly generated installation ID shown in the ransom note, and without that ID the decryption key could not be recovered.
Together, these details made the malware's effect financially devastating. An assessment from the United States government put the total damage at $10 billion, with multinational victims such as FedEx and Maersk reportedly facing nine-figure recovery costs. The malware did not just inflict devastating costs, however; it also changed how the affected businesses operated.
State-Sponsored Warfare
Later on, the CIA attributed the attack to the Russian military, as part of a "digital warfare" doctrine it had pursued against Ukraine since the Russian annexation of Crimea. The hackers were specifically part of the military spy service GTsST. To date, the Kremlin still denies that Russia was behind the attack, pointing to the fact that Russian companies such as the oil company Rosneft and the gas company Gazprom were also hit.
Looking back now, Not_Petya was perhaps one of the most fascinating pieces of malware ever because of its implications, especially in a world rocked by a direct Russian invasion of Ukraine. It begs the question: what can a nation truly do when it is hit in rapid succession by "warlike" cyber actions? Not_Petya was, in the grand scheme of things, just one episode in a wider cyberwar that blurred the lines between the physical domain of war and cyberattacks. It demonstrates a particular concern for cybersecurity: no country is immune from cyberwar. The battlefield that has existed since the dawn of time is no longer confined to the field; it is everywhere, and it can open at any time.

