Cyberattack: Was it really ransomware, or an attack on Ukraine — or something yet to come?


A day after the latest cyberattack crippled computers internationally, starting in Ukraine, expert opinions vary widely over who was behind it and what the real goal was.

On Tuesday morning in Kyiv, Ukraine, a sudden blast brought traffic to a halt near the city’s main railway station. When the dust settled, a mangled Mercedes Benz sat smoking in the street. Dead inside the car was a colonel who worked with the country’s special operations forces.

As Ukrainian officials and news media began to process the grisly execution, the country was overwhelmed by a massive cyberattack. The hackers behind it brought down a range of infrastructure and companies throughout Ukraine.

Banks across the country, as well as the power grid, the postal service, government ministry offices, media organizations, cell providers and even Kyiv’s main airport began reporting they were victims of the hack. It was so sudden, and spread so fast, that Ukrainians across the country were left in shock.


An employee sits next to a payment terminal out of order at a branch of Ukraine’s state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyberattacks earlier Tuesday in Kyiv. (Valentyn Ogirenko/Reuters)

Images relaying the damage began to flood social media. A shopper at a supermarket posted a picture showing every single cashier’s computer issuing a ransom demand. Shortly thereafter, Deputy Prime Minister Pavlo Rozenko posted a picture showing the same ransom demand on his own computer.

While there was no evidence of any connection between the car-bombing and the cyberattack, accusations of a large-scale, Russian-led campaign began to surface. The country’s intelligence service, the SBU, almost immediately attributed the cyberattack to the Kremlin.

Robert M. Lee, the founder and chief executive of the industrial cybersecurity company Dragos, Inc., however, tells CBC News that the statement was wrong.

A world-renowned expert in the cybersecurity of critical infrastructure, Lee said he understands why Ukrainian officials would be quick to blame Russia. Attacks against Ukraine’s power grid in 2015 and 2016 were widely attributed to Russia by cybersecurity experts.


Interior Ministry security force members stand guard outside a branch of Russian bank Sberbank which was attacked during a protest against Russia in Kyiv Feb. 20, 2016. (Gleb Garanich/Reuters)

“Ukraine is understandably hyper-sensitive to the conflict, and there’s many there that rightfully feel no one else is taking the attacks against Ukraine seriously,” said Lee.

The early analysis seemed to indicate that the hack was a relatively straightforward ransomware campaign that started in Ukraine and spread globally.

It affected a range of companies as diverse as British advertising agency WPP, Danish shipping giant Maersk, multinationals like food giant Mondelez, and the Russian energy giant Rosneft.

Through the evening, as more details came to light, other cybersecurity experts began to see the attack as something else.

Most importantly, they stopped believing that money was the motive of the attack, because the mechanism meant to actually bring in the money was so poorly designed.


Ukrainian President Petro Poroshenko mourns as he stands near the coffin containing the body of journalist Pavel Sheremet, who was killed by a car bomb, during a memorial service in Kyiv July 22, 2016. (Valentyn Ogirenko/Reuters)

On Tuesday evening, CBC News spoke to Nicholas Weaver, a network security researcher at the International Computer Science Institute in Berkeley, Calif., a leading independent, non-profit research centre.

He has dealt with “worms,” programs that autonomously spread from computer to computer, as a primary research focus for the last 16 years.

“It’s unlikely the attack was a well-engineered worm coupled to a horribly bad ransomware module done by crooks who won’t gain anything from their crime,” says Weaver.

He believes it was more likely a sophisticated attack disguised as ransomware, and while the attack didn’t necessarily have to be carried out at the nation-state level, he believes it couldn’t have been any regular hacker.


Experts investigate the damaged car of Oleksandr Haraberyush in Mariupol, Ukraine, on March 31. The vehicle had exploded killing Haraberyush, an operative of the Security Service of Ukraine (SBU). (Sergey Vaganov/EPA)

Mike Chobanyan, an expert in digital currency and the founder of the Kuna Bitcoin Agency, also told CBC News that he didn’t think the idea was to collect bitcoins.

“They weren’t using TOR websites which would automatically generate Bitcoin addresses and automatically generate the code for the computers,” says Chobanyan.

“So it was sending Bitcoins to one specific address, and then how do you distinguish one from another?”

Chobanyan said ransomware attacks as far back as 2014 used better methods of capturing Bitcoin than this attack did, and if money was the goal, the attackers would have improved on three-year-old attacks.


Forensic experts carry the body of Denis Voronenkov, after he was shot dead in Kyiv on March 23. Ukrainian police said Voronenkov was shot dead by an unidentified gunman at the entrance of an upscale hotel in the Ukrainian capital. (Sergei Chuzavkov/Associated Press)

Information Systems Security Partners (ISSP), a Kyiv-based IT research firm that has been at the forefront of investigating cyberattacks against Ukraine, sent CBC News an early analysis Tuesday indicating that the formulation of the attack began between March and April of 2017.

ISSP said Tuesday’s perpetrators would have surely known that the vast majority of their victims didn’t have the technical skills to pay the relatively paltry ransom of $300 in Bitcoin. And a full day after the attack started and spread globally, the bitcoin wallet attributed to the attack only contained $9,746 US.

So if money wasn’t the purpose, what were the genuine motives and goals of the attackers?

Back doors and sleeping agents

ISSP’s Oleg Derevianko said the most important thing to determine now is what this stage of the attack, which began in March, may lead to next.

“Cybersecurity specialists call it APT — Advanced Persistent Threat,” said Derevianko.

“Hackers intrude and stay within the network for long enough to install additional back doors and sleeping agents in order to come back once again after a new active phase and launch the final attack stage, aiming to either down the system, or exfiltrate data, or to combine those goals.”

As the day progressed, others suspected something about the attack didn’t add up.

Robert Pritchard, who spent seven years working in cybersecurity for the United Kingdom’s Ministry of Defence, told CBC News that although it’s too early to make any definitive conclusions, the attack was an outlier.

Why Ukraine?

“The attack was very heavily targeted at Ukraine, and a lot of effort was put into making sure it was effective,” he said. “But the culprits either overlooked, or didn’t care to write, their ransoms in the language of the country they were focusing on attacking ….

“So if their goal was to make money, why did they focus so heavily on Ukraine?”

Beau Woods, of the cyber statecraft initiative at the Atlantic Council in Washington, D.C., told CBC News that as details came out, he was less convinced it was ransomware and more convinced that it was something disguised as ransomware.

“The question is, if ransomware wasn’t the motive, then what was?”