Trending / June 30, 2017

Are Cyber Attackers Targeting the Ukraine?

It seems more and more that the answer is yes.

Over the past few weeks, the Ukraine has been targeted with four known, successive cyber-attacks disguised as ransomware. The first was XData in May. The second was last week’s PSCrypt. The third was this week’s widely reported NotPetya. And now, it appears a fourth attack, which initially looked like a WannaCry variant, was launched on Monday.

Widely credited with discovering this fourth attack, security researcher MalwareHunter has since concluded that the new attack was only designed to look like WannaCry and is in fact something altogether new. The clearest evidence is that the original WannaCry was written in C, while this clone was written in .NET.
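The C-versus-.NET distinction is something a responder can check for themselves in a few seconds: a managed (.NET) assembly carries a CLR runtime header, referenced from slot 14 of the PE optional header's data directory, while a native C binary such as the original WannaCry does not. The following is an added example, not code from the original post or from the researchers cited above; it parses only the PE headers with the standard library (no `pefile` dependency), and the two `build_minimal_pe` images it tests against are constructed in-line rather than taken from any real sample.

```python
import struct
import sys

# Slot index of the CLR runtime header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
# in the optional header's data directory array.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def pe_is_dotnet(data: bytes) -> bool:
    """Return True if the PE image references a CLR runtime header.

    A non-zero RVA/size in data-directory slot 14 is what the Windows loader
    (and the .NET runtime) use to recognise a managed assembly.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    size_opt, = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs, = struct.unpack_from("<I", data, num_dirs_off)  # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return False                         # directory array too short to hold slot 14
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if entry + 8 > opt + size_opt or entry + 8 > len(data):
        return False                         # slot lies outside the declared header
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def build_minimal_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header and an
    optional header with 16 data directories, and no sections. It is not a
    loadable executable, only enough header for pe_is_dotnet() to parse."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    if pe32plus:
        magic, num_dirs_off, dirs_off, machine, chars = 0x20B, 108, 112, 0x8664, 0x0022
    else:
        magic, num_dirs_off, dirs_off, machine, chars = 0x10B, 92, 96, 0x014C, 0x0102
    num_dirs = 16
    opt = bytearray(dirs_off + 8 * num_dirs)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, num_dirs_off, num_dirs)
    if dotnet:
        # A 72-byte IMAGE_COR20_HEADER at an assumed RVA of 0x2008, roughly
        # where a C# compiler places it; the RVA itself is not dereferenced here.
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                         0x2008, 72)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_dotnet_check.py <sample.exe>
    with open(sys.argv[1], "rb") as fh:
        print("managed (.NET)" if pe_is_dotnet(fh.read()) else "native")
```

One caveat when using this on real samples: the check is positive evidence only. A native packer or loader stub can wrap a .NET payload and drop it at run time, so a binary without a CLR header may still end up running managed code; a missing header is a reason to look further (entropy, imports such as `mscoree.dll` in an embedded resource, run-time behaviour), not a reason to conclude the sample is C.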

This fourth attack also appears to have used a delivery method similar to that of both XData and NotPetya: the update servers of M.E.Doc, a popular accounting software package widely used in the Ukraine. While the company vehemently denies it, Microsoft and Talos, among others, have pointed to M.E.Doc as the source of the initial NotPetya distribution.

This fourth attack (yet unnamed, perhaps NotWannaCry?) does not, so far, appear to use any NSA exploits to spread laterally. The only characteristic it seems to share with the original WannaCry is the ransom demand page. This may change as more security researchers dig into the code and report their findings.

It’s hard to argue at this point that someone – hacktivist, cybercriminal gang, state actor or a surrogate – is not specifically targeting the Ukraine with successive cyber-attacks. Within a few short weeks, four ransomware-cloaked campaigns, all seemingly designed to cause economic damage rather than to genuinely attempt traditional ransomware extortion, have hit the Ukraine. All of them have had what appears to be well-written, tested, quality code, and at least two, and possibly three, appear to have used the same compromised servers at M.E.Doc to initiate the attack. Though these attacks have affected other countries, the Ukraine seems to have sustained an overwhelming share of the infections compared to the rest of the world.

While there is no conclusive evidence that the same group or threat actor is behind all of these attacks, there seems to be enough circumstantial evidence to warrant further investigation.

Cyber-Weapons Testing?

Today, the NATO Cooperative Cyber Defence Centre of Excellence lent support to this theory, publicly stating:

NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state. Other options are unlikely. The operation was not too complex, but still complex and expensive enough to have been prepared and executed by unaffiliated hackers for the sake of practice. Cyber criminals are not behind this either, as the method for collecting the ransom was so poorly designed that the ransom would probably not even cover the cost of the operation.

The best way I can categorize these attacks is that they are likely cyber-weapon tests and the Ukraine seems to be the testing ground. In just the last few months, we’ve seen CrashOverride target the Ukrainian power grid and cut power to part of it, followed by four successive, highly focused malware attacks. It’s starting to look like someone out there is building and testing an arsenal of highly sophisticated and potentially devastating cyber-weapons, and simply wrapping them in the guise of ransomware to distract the media from what’s really going on.

What bothers me most about what I’m seeing is not the characteristics or results of the individual attacks. It is that, if I’m right and someone is in fact building and testing an arsenal of different cyber-weapons, we have to ask what kind of damage those weapons could collectively do in the event of an all-out cyber war.
