Last week’s Petya cyber-attack was designed to look like ransomware that leaked out of America’s National Security Agency, but experts say the truth is much more complicated, and terrifying. Claire Connelly & Ian Osborne explore the brave new world in which an online attack could lead to military intervention.
Far from ‘ransomware’, last week’s Petya ‘attack’ was actually a state-based, destructive and targeted attack designed to cripple Ukraine’s economy, security experts say. Now that it is out in the wild, the code has the potential to bring entire economies to a screeching halt.
The Department of Homeland Security is blaming North Korea. Ukraine’s SBU have claimed the involvement of the Russian Federation. But all may not be as it seems.
The attacks contained remnants of an NSA exploit known as Eternal Blue, which has been used in a large number of reported cases, including one malware-based attack that predated the global WannaCry ransomware incident earlier this year. However, security professionals have suggested that the code could be a red herring, planted by state-based operatives ‘hiding in plain sight’.
Security experts have dubbed the recent attacks ‘NotPetya’, due to its sophistication and deliberately misleading nature.
Welcome to the brave new world order. More on this below.
How it works
Bryce Boland, Asia Pacific CTO at forensic security company FireEye, told Renegade Inc that Ukrainian government agencies, businesses and foreign companies with interests in the region had their accounting and taxation records harmed or impaired by a malicious update to commonly used financial software.
“The attackers implanted malicious malware on software distributions which were then downloaded to people’s computers and executed as they opened and ran the software updates for the program,” he said.
“The attacks compromised a small but crucial part of the supply chain in the economy of the Ukraine,” Boland said.
“The impact is significant – not only are thousands of businesses and many government agencies impacted, but critical data used for tax accounting may have been entirely destroyed. This will have an impact on Ukraine’s ability to collect tax revenue.”
Though security officials have not yet been able to attribute the attack to a particular country, it coincided with the car-bomb assassination of Colonel Maksim Shapoval, head of Ukraine’s Military Intelligence Special Forces, and with Ukraine’s Constitution Day, which celebrates its independence from the Soviet Union.
“It is a point of fact that Russia and Ukraine are at war,” Boland said. “Ukraine has been suffering many cyber attacks from Russian attackers in recent years, which continue today. We have seen and investigated a number of failed attacks by Russian operatives against the Ukraine, but it is still too early to give attribution who is behind this attack.
I’m sure an intelligent audience will draw their own conclusions.”
Not the NSA
It was initially reported that ‘NotPetya’ used an exploit developed by the NSA known as Eternal Blue, also used in a large number of attacks in recent years, including one malware attack which predated the global WannaCry ransomware incident that spread into the UK’s National Health Service, along with public and government networks in Denmark, Germany, Australia and France.
However, security professionals say this is a deliberate red herring and a distraction planted by state-based operatives ‘hiding in plain sight’.
“Reporters might ask questions like ‘what is NSA’s involvement in this?’,” said Boland. “That takes people down a path or narrative that isn’t about who conducted these attacks, but instead focuses on the culpability of US intelligence officials.
“That is beneficial if you are a state actor,” he said. “It moves the narrative from an attack against a nation state to ‘is there NSA involvement?’. From a PR perspective, that is a very smart thing to do. You’d have to look at who would benefit from that.”
The multi-nationals affected have to some extent been collateral damage in these attacks.
Worse, many cyber insurance policies do not cover businesses in the event of an act of war, meaning that even if companies were somehow able to restore their accounting information in order to accurately satisfy their tax burden, thousands of companies could potentially be excluded from claiming the cost against their insurance policies.
“My question to everyone is: if this happened to one of your software vendors, would you also get wiped out?” says Boland.
From a cyber war to an actual war
Another area to be concerned about is how NATO will respond to this attack against the Ukraine.
An attack against one NATO member is considered to be an attack against all member nations. NATO is therefore obliged to respond accordingly.
NATO Secretary General Jens Stoltenberg attributed the incident to a ‘state actor’ and told the Telegraph on Thursday that the attack could trigger Article 5 of the North Atlantic Treaty in the same way as a conventional military assault, and promised to help Ukraine bolster its cyber defences.
On Tuesday British defence secretary Michael Fallon said the UK would consider retaliating with military means against a cyber attack by another state, evidence that a cyber assault could still lead to a physical military conflict.
“I certainly do not want to see any kind of regional conflicts exploding in the former Soviet Union, but there has to be some kind of response to these sorts of threats, otherwise the attackers behind it will feel emboldened to continue their attacks and get away with it,” said Boland.
“This creates a major threat for all of us”.
Fight Club not that far off anymore
At the conclusion of the critically acclaimed film, Fight Club, Tyler Durden’s army of anarchists use some kind of cyber-shenanigans to reset America’s private debt back to zero.
Though this was obviously fictional, and a far more altruistic attack than NotPetya, bringing a first-world economy to its knees with a malicious piece of code is no longer a far-off possibility.
“Our dependence on technology in some countries is significant, and if certain countries are impacted in ways that make it difficult to recover, it could be a really big problem,” said Boland.
Cyber-attacks are increasingly becoming the ‘recyclable silver bullet’ of cyber-warfare. Once that code is out in the wild, hackers, state actors and/or security professionals with less than reputable intentions can manipulate and subvert it over and over again for different purposes, aimed at different actors and potential targets.
What would happen if the supply chain information for your local supermarket was wiped out? Food shortages would occur almost instantly. What if the wrong people got access to the electricity grid? Or the water supply? Or transport networks? All of a sudden key infrastructure could be held hostage by foreign state-actors, or simply hackers with something to prove.
Earlier this week it was discovered that code from the WannaCry attacks had leaked into Victoria’s traffic system. There could have been fatalities had some cyber-criminal decided to maliciously interfere with Victoria’s traffic lights.
“The risks continue to increase along with our dependence on technology,” says Boland. “The level of capability needs to step up across the board. Plenty of government agencies are far too exposed, this is a global problem.”
Renegade Inc interviewed more than 30 security professionals for this story, across government, public and private sectors, who overwhelmingly concluded that bureaucracy, mismanagement – and in some cases, austerity – are significantly affecting the ability of countries, companies and businesses to protect themselves against serious online threats.
The privatisation of education in which software vendors are paying for degrees and certifications that encourage programmers to work in software silos is cited as part of the problem.
A security professional with more than 20 years working for the Australian Government and the Department of Defence revealed that billions of dollars is being spent on mismanaged and wasted projects that never get off the ground.
“The government spends billions of dollars on shelf-ware,” he said, using the term for software or hardware that is bought but never used.
Renegade Inc spoke to employees of Australia’s National Broadband Network, on the condition of anonymity, who revealed IT departments had knowingly bought up “roomfuls” of hardware and software that would never be used, for the sake of maintaining quarterly budget increases.
“This is bad behaviour,” said the security professional. “It is a situation of the tail wagging the dog. The data is the critical asset, not the systems it runs on.”
We are reliably informed Australia is not the only country to suffer these ‘crises of mediocrity’.
Richard Murphy, Professor of Practice in International Political Economy at the City University of London says Britain’s policy of “deliberate austerity” left the NHS deprived of sufficient funding to ensure that people were safe during the WannaCry ransomware attack which crippled Britain’s public health system.
“If appropriate funding for the NHS had been made available, and it had not been forced to operate at and beyond financial limits, this attack need not have had the impact it has,” he wrote for Tax Research UK.
A security professional known only as ‘Lisa’ told Renegade Inc the solutions are not as simple as ‘patch your stuff’.
“When dealing with industries such as manufacturing or medical, many of these organisations have specialised equipment that when originally scoped ran on platforms such as Windows 98 and Windows 2000,” she said. “When they are ready to go live, after two to three years, it is not as simple as upgrading the operating system, as the application relies on the operating system. Over time many of these platforms are no longer supported and companies are fearful that if they patch, it could take out a critical operation.”
These concerns were confirmed by a Queensland public health official who revealed that key pieces of medical infrastructure such as CAT scan and MRI machines are deliberately configured not to update by default, as it was discovered that patching caused the hospital computer systems which controlled the machines to malfunction.
“Now imagine if that happened on a ventilator in a hospital ICU,” he said. “Even with the array of redundancy systems in place, there is still an unnecessary risk there which puts hospitals in a Catch-22 situation.”
Stephen Wilson, VP & Principal Analyst at Constellation Research, has confirmed that IT departments across the globe are as vulnerable to austerity as other parts of the public sector.
“Cyber security is not funded at anywhere near the level that makes sense for the criticality of digital systems for life today,” he told Renegade Inc. “Think about the value of digital assets today. Citizen and healthcare databases at population scale are worth billions of dollars, and yet governments are penny pinching.
“We know cybercrime is industrialised. Yet we are sleep-walking into disaster with slipshod security around e-health records, taxation, national infrastructure, really every area of government and private sectors in which sensitive and personally identifying information is stored.”
A security professional who wished to remain anonymous told Renegade Inc that it is now essential to “treat every day as if it is Y2K”.
“We might have some of the best professionals in the world working in intelligence and defence, but what about the Department of Education? Or the DMV? Or the people that handle our tax records? You can bet your bottom dollar the security of these departments is not given the same priority or possesses the same quality of candidates,” he said.
Boland says these problems will not simply be fixed by having companies install better firewalls.
“It requires governments to have a real plan of action, clear accountability and investment to make us all resilient against malicious human adversaries.”