The Petya cyberattack, also known as NotPetya, was one of the most devastating cyberattacks in recent history. First discovered in June 2017, it caused widespread damage across the globe, affecting major enterprises and governments. Initially believed to be a ransomware attack, it was later determined to be a wiper malware designed not to extort victims for ransom but to destroy data irreparably.
What Was Petya?
Petya was malware disguised as ransomware. Ransomware typically locks files and demands payment for their release. Petya, however, went beyond simply encrypting data: it took control of entire systems by encrypting the Master Boot Record (MBR), leaving them unbootable. Petya’s payload was designed to overwrite critical data, rendering recovery from backups difficult, if not impossible.
While the malware demanded a Bitcoin ransom payment for the decryption key, Petya’s nature suggested that its real aim was data destruction rather than financial gain.
How Did Petya Spread?
- Compromised Ukrainian Software Update: The attack’s origins are traced back to a Ukrainian tax software package called MeDoc, which was widely used by businesses in Ukraine. The attackers compromised one of its updates so that it carried the Petya malware; once the update was installed on a system, the malware began spreading across the network.
- Exploitation of the EternalBlue Vulnerability: Like the WannaCry ransomware attack, Petya exploited the EternalBlue vulnerability in Microsoft Windows. The exploit had been leaked by the Shadow Brokers hacking group, and Microsoft had patched the underlying flaw months earlier, but many organizations had not applied the patch in time. The malware used this flaw to move laterally, infecting other machines within the same network, which allowed Petya to spread as rapidly as WannaCry had.
- Credential Harvesting and Lateral Movement: Once inside a system, Petya used various techniques to move through networks. It utilized the PsExec tool, a legitimate system administration utility, to remotely execute commands on other machines. It also employed techniques like credential harvesting to gain access to other systems, further accelerating its spread.
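As an added defender-side illustration (not part of the original article), the following Python flags the PsExec-style fan-out pattern described above: one source address making network logons to several hosts within a short window, each followed by a PSEXESVC service install on the target. The event-export layout, hosts, addresses and timestamps are constructed for the example; the event IDs and the PSEXESVC service name are standard Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export of Windows events, one per line:
#   <ISO time>|<logging host>|<EventID>|<key=value;...>
# 4624 = successful logon (LogonType=3 is a network logon from IpAddress);
# 7045 = new service installed; PsExec registers its helper as PSEXESVC.
# Event IDs and the service name are real Windows values; the export
# layout and all hosts, IPs and times are made up for this example.
SAMPLE_LOG = """\
2017-06-27T10:02:11|WS-01|4624|LogonType=3;IpAddress=10.0.0.5;TargetUser=svc_admin
2017-06-27T10:02:13|WS-01|7045|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
2017-06-27T10:02:40|WS-02|4624|LogonType=3;IpAddress=10.0.0.5;TargetUser=svc_admin
2017-06-27T10:02:41|WS-02|7045|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
2017-06-27T10:03:05|WS-03|4624|LogonType=3;IpAddress=10.0.0.5;TargetUser=svc_admin
2017-06-27T10:03:06|WS-03|7045|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
2017-06-27T10:15:00|WS-04|4624|LogonType=3;IpAddress=10.0.0.9;TargetUser=jdoe
2017-06-27T10:16:00|FS-01|4624|LogonType=2;IpAddress=10.0.0.5;TargetUser=svc_admin
2017-06-27T11:30:00|WS-05|7045|ServiceName=Spooler;ImagePath=%SystemRoot%\\spoolsv.exe
"""

def parse(line):
    # Split one export line into (time, host, event_id, fields)
    ts, host, eid, kv = line.split("|", 3)
    fields = dict(p.split("=", 1) for p in kv.split(";"))
    return datetime.fromisoformat(ts), host, int(eid), fields

def psexec_fanout(log, min_hosts=3, window=timedelta(minutes=10)):
    """Return {source_ip: [hosts]} for every source that made network logons
    to at least min_hosts distinct hosts inside `window`, where each of those
    hosts then logged a PSEXESVC service install within the same window."""
    logons = defaultdict(list)    # source ip -> [(time, target host)]
    installs = defaultdict(list)  # host -> [times PSEXESVC was installed]
    for line in log.splitlines():
        ts, host, eid, f = parse(line)
        if eid == 4624 and f.get("LogonType") == "3":
            logons[f["IpAddress"]].append((ts, host))
        elif eid == 7045 and f.get("ServiceName", "").upper() == "PSEXESVC":
            installs[host].append(ts)
    alerts = {}
    for ip, events in logons.items():
        events.sort()
        for i, (t0, _) in enumerate(events):   # slide the window over logons
            hosts = {h for t, h in events[i:] if t - t0 <= window
                     and any(t <= ti <= t + window for ti in installs[h])}
            if len(hosts) >= min_hosts:
                alerts[ip] = sorted(hosts)
                break
    return alerts
```

Interactive logons (LogonType 2) and service installs that are not PSEXESVC are deliberately ignored, so the single admin session on FS-01 and the Spooler install on WS-05 do not contribute to an alert.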
The Timeline of the Petya Attack
The timeline of the Petya attack is one of rapid escalation, beginning with the compromised update and continuing into a global crisis.
- June 27, 2017 – Initial Discovery: The first signs of the Petya attack appeared on June 27, 2017. Ukrainian businesses were the first to report issues, particularly those using the MeDoc tax software. Companies experienced sudden crashes, with systems displaying a ransom note demanding $300 in Bitcoin for the decryption key. Soon after, similar reports came from other countries, including the United States, Germany, and the United Kingdom, indicating that the attack had spread far beyond its initial target.
- June 27-28, 2017 – Spread to Major Corporations: Within hours, the attack spread globally. Major corporations, including the shipping giant Maersk, the pharmaceutical company Merck, and the logistics company FedEx, were impacted. Maersk, for instance, was forced to shut down operations at multiple ports, leading to millions in losses. Merck experienced widespread disruption in its manufacturing and research operations. The Petya attack hit FedEx’s TNT Express subsidiary hard, causing severe delays in package deliveries.
- June 28, 2017 – Identification as NotPetya: Security researchers quickly identified the attack as NotPetya, a variation of the original Petya malware. Unlike typical ransomware attacks, Petya did not give users a chance to recover their data by paying the ransom. In fact, security experts found that paying the ransom did not lead to data decryption, suggesting that the attackers specifically designed the malware to destroy data beyond recovery.
- June 29, 2017 – Global Impact: As more organizations and governments confirmed that they had been affected, the scale of the attack became apparent. It became clear that the attack was not a random event but a targeted assault on critical infrastructure. Given the highly sophisticated nature of the attack, experts suspected that the attackers had state backing.
- July 2017 – Attribution and Analysis: In the aftermath of the attack, cybersecurity experts began analyzing the malware’s behavior. They found several clues pointing to Russian state-sponsored hackers, mainly due to the attack’s targeting of Ukraine and its similarities with other Russian-backed attacks.
How Petya Was Defeated
Discovering a “kill switch” in the malware’s code significantly reduced the attack’s spread. A security researcher named Adrian Lamo found that Petya attempted to connect to a hard-coded domain. The researcher effectively stopped the malware in its tracks by registering this domain. However, by then, Petya had already caused significant damage.
In addition, organizations that had properly patched their systems and deployed security measures were able to avoid full infection. Those who had not updated their software were the most vulnerable.
The Aftermath
The Petya attack had wide-reaching consequences. Several major companies, including Maersk, Merck, and FedEx, reported severe losses. Maersk, for instance, had to shut down its operations at ports around the world, which caused extensive delays and financial losses in the tens of millions of dollars. FedEx’s TNT Express business faced substantial disruptions as well. Additionally, the Petya attack severely impacted critical services in Ukraine, disrupting government institutions and financial services.
In terms of geopolitics, the Petya attack underscored the vulnerability of global infrastructure to cyberattacks, particularly in countries involved in ongoing geopolitical conflicts. While Petya did not explicitly demand ransom, its targets indicated it was more about sending a message or causing disruption.
Lessons Learned
- The Importance of Timely Patching: Petya’s use of the EternalBlue vulnerability reinforced the need for organizations to apply security patches in a timely manner. Microsoft had released a patch for EternalBlue months before the attack, but many organizations had not yet updated their systems.
- The Risks of Supply Chain Attacks: The Petya attack exposed the dangers of supply chain attacks by demonstrating how malware can infiltrate systems through trusted third-party software, as evidenced by the compromised MeDoc update.
- The Reality of Cyber Warfare: The sophistication and targeting of the Petya attack raised concerns about the growing role of cyber warfare in geopolitical conflicts. It demonstrated that nation-states were increasingly willing to use cyberattacks as a tool of disruption and sabotage.
Conclusion
The Petya cyberattack serves as a stark reminder of the potential destruction that cyberattacks can cause. What initially seemed like a run-of-the-mill ransomware incident escalated into a global crisis, disrupting major companies and infrastructure. While the attack’s exact motivations remain unclear, it is a chilling example of the risks posed by state-sponsored cyberattacks and the need for organizations to adopt stronger cybersecurity practices to defend against such threats. The lessons learned from Petya actively shape modern cybersecurity practices, emphasizing the importance of vigilance in today’s increasingly digital and interconnected world.