IT Security Guru

Six years on from NotPetya: an analysis from Tom Gol, CTO for research at Armis

by Guru Writer
June 27, 2023
in Featured, Insight

Six years have passed since the infamous NotPetya cyber attack sent shockwaves through the cybersecurity landscape. Initially disguised as ransomware, NotPetya quickly revealed its true destructive nature, spreading damage to businesses and governments around the world, resulting in billions of dollars in losses. Six years later, the impact of the NotPetya attack is still being felt, and the lessons learned from this incident continue to shape the way we approach cybersecurity. Tom Gol, CTO for research at Armis provides his take on what happened and lessons learned.

Background

NotPetya first emerged in June 2017, when it quickly spread across various countries, primarily targeting organizations in Ukraine. However, it soon became apparent that this cyber threat was not limited to a specific region, as it rapidly infected systems worldwide.

The destructive malware was initially disguised as a ransomware attack, with victims being presented with a ransom note demanding a payment in Bitcoin to unlock their encrypted files. However, it soon became evident that the true intention of NotPetya was not financial gain, but rather widespread disruption and destruction.

Technical Analysis

NotPetya employed a combination of advanced techniques and exploited known vulnerabilities to propagate and wreak havoc. At its core, the attack relied on the EternalBlue exploit (CVE-2017-0144) that leveraged a vulnerability in the SMB protocol of Windows systems. This exploit, originally developed by the National Security Agency (NSA) and later leaked by a hacking group called Shadow Brokers, allowed for remote code execution without user interaction.

Upon infecting a system, NotPetya would employ a multi-stage infection process. It would exploit the EternalBlue vulnerability to gain initial access and then employ credential theft techniques using tools like Mimikatz to escalate privileges and move laterally within the network. The malware would also leverage legitimate administrative tools, including PsExec, to propagate across interconnected systems.

NotPetya’s primary objective was to disrupt operations and destroy data rather than generate financial gain. Once inside a network, the malware would overwrite the master boot record (MBR) and the master file table (MFT), rendering the affected systems inoperable. It then displayed a ransom note, demanding a Bitcoin payment for the decryption key. However, the attackers’ email address had been shut down, making it impossible for victims to communicate and recover their data.

It is worth noting that the security patch for EternalBlue was released several months before the attack occurred. Organisations that had diligently applied the available security updates and patched their systems would have significantly reduced their vulnerability to this specific attack.

Tallying the Impact

The impact of NotPetya was felt around the world, with businesses and governments in more than 60 countries affected. Global entities faced significant financial losses, with shipping giant Maersk counting a staggering $300 million in damages. Even critical infrastructure, exemplified by the Chernobyl nuclear power plant, experienced disruptions, emphasizing the far-reaching consequences of this cyber assault.

One of the challenges highlighted by the NotPetya attack is the difficulty of classifying cyber attacks as acts of war. In a related case, Zurich Insurance Group refused to pay a $100 million claim for damages caused by the NotPetya attack, arguing that the ransomware was an Act of War and therefore not covered by the policy. However, a judge rejected this argument, stating that the clause protecting Zurich from paying out for losses caused by hostile or warlike actions did not apply to the NotPetya cyber attack.

Six Years Later – Still Eternal

An analysis performed using Armis Collective Asset Intelligence indicates that the number of computers still vulnerable to EternalBlue today is extremely low. This is not surprising, given that it is a Windows vulnerability and given the very public nature of NotPetya. However, around 74% of organizations today still have at least one vulnerable device in their network. With exploit attempts still ongoing (Armis detects between a few hundred and a few thousand EternalBlue exploit attempts every day), patching this vulnerability continues to be relevant.

Transformative Effect on Cyberwarfare

NotPetya marked a significant turning point in the realm of cyberwarfare, reshaping the understanding of destructive cyber attacks. It blurred the lines between traditional ransomware and state-sponsored cyber operations, as its primary goal was not financial gain but the disruption of critical infrastructure and data destruction. This attack demonstrated the potential for highly destructive malware to cause widespread economic and operational disruptions, posing significant risks to national security and global stability.

Lessons Learned

The legacy of NotPetya offers crucial lessons that resonate with us today. Foremost among them is the significance of effective vulnerability management. NotPetya exploited a known vulnerability, emphasising the importance of promptly applying security patches and conducting regular vulnerability assessments.

Proactive mitigation of known vulnerabilities can significantly reduce the risk of falling victim to similar devastating attacks.

Another critical lesson is the power of asset visibility. Maintaining an up-to-date inventory of networked systems enables organizations to identify potential weak points and take proactive measures to strengthen their defences. By having a clear understanding of their digital ecosystem, organisations can respond swiftly and effectively to emerging threats.

Lastly, network segmentation plays a vital role in containing the impact of cyber attacks. By dividing networks into isolated segments, organizations can limit the lateral movement of malware and prevent the widespread damage associated with attacks like NotPetya.
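As an added illustration of the three lessons above (vulnerability management, asset visibility and segmentation) and of the "at least one vulnerable device" metric from the Six Years Later section, not code from the article or from Armis: a small Python script that runs over a constructed asset inventory, flags hosts still exposed to CVE-2017-0144, reports the share of organisations with at least one such device, and shows which segments a vulnerable host could reach over SMB under an assumed segmentation policy. The inventory rows, field names and the segmentation policy are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed inventory (not real data): one dict per networked device.
# Field names are assumptions for this example, not an Armis or Windows schema.
INVENTORY = [
    {"host": "fin-ws-01", "org": "acme",   "os": "windows", "smbv1_enabled": True,  "ms17_010_patched": False, "segment": "finance"},
    {"host": "fin-ws-02", "org": "acme",   "os": "windows", "smbv1_enabled": False, "ms17_010_patched": True,  "segment": "finance"},
    {"host": "plc-gw-01", "org": "acme",   "os": "windows", "smbv1_enabled": True,  "ms17_010_patched": False, "segment": "ot"},
    {"host": "web-01",    "org": "acme",   "os": "linux",   "smbv1_enabled": False, "ms17_010_patched": None,  "segment": "dmz"},
    {"host": "hr-ws-01",  "org": "globex", "os": "windows", "smbv1_enabled": False, "ms17_010_patched": True,  "segment": "hr"},
]

# Constructed segmentation policy: (source segment, destination segment) pairs
# between which TCP/445 (SMB) is permitted. Intra-segment traffic is allowed.
SMB_ALLOWED = {("finance", "finance"), ("ot", "ot"), ("hr", "hr"), ("finance", "ot")}


def is_vulnerable(device):
    """A device is exposed to EternalBlue when it runs Windows, still offers
    SMBv1 and has not received the MS17-010 fix. An unknown patch state (None)
    is treated as unpatched so that visibility gaps surface rather than hide."""
    return (device["os"] == "windows"
            and device["smbv1_enabled"]
            and not device["ms17_010_patched"])


def vulnerable_hosts(inventory):
    """Hostnames of every device that is_vulnerable() flags."""
    return [d["host"] for d in inventory if is_vulnerable(d)]


def orgs_with_exposure(inventory):
    """Fraction of organisations with at least one vulnerable device (the kind
    of metric the article reports as ~74%), plus the names of those orgs."""
    by_org = defaultdict(list)
    for d in inventory:
        by_org[d["org"]].append(d)
    exposed = sorted(o for o, devs in by_org.items() if any(map(is_vulnerable, devs)))
    return len(exposed) / len(by_org), exposed


def reachable_blast_radius(inventory, allowed):
    """For each vulnerable host, the segments it could reach over SMB under the
    policy. A long list means segmentation would not contain lateral movement."""
    return {d["host"]: sorted(dst for (src, dst) in allowed if src == d["segment"])
            for d in inventory if is_vulnerable(d)}


if __name__ == "__main__":
    print("vulnerable hosts:", vulnerable_hosts(INVENTORY))
    print("orgs with exposure:", orgs_with_exposure(INVENTORY))
    print("SMB blast radius:", reachable_blast_radius(INVENTORY, SMB_ALLOWED))
```

Feeding it a real inventory export would mean mapping the exporter's columns onto the assumed field names; the logic itself does not change.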

The NotPetya cyber attack remains a stark reminder of the evolving threats faced in the digital age. Six years on, the impact and lessons learned from this devastating attack continue to resonate. Organisations must invest in robust cybersecurity practices, including asset visibility, vulnerability management, and network segmentation. By adopting a proactive and comprehensive approach to cybersecurity, organisations can fortify their defences and mitigate the risks posed by increasingly sophisticated cyber adversaries.

This piece originally appeared on the Armis blog