Analysts at several cybersecurity firms have confirmed that a cyberattack which struck Europe on Tuesday is using a powerful and dangerous cyberweapon, created by the National Security Agency, that was leaked in April.
The cyberattack, dubbed “Petya,” bears the hallmarks of last month’s WannaCry ransomware attack, which swept across 150 countries and crippled transportation and major hospitals. Petya is taking advantage of an NSA zero-day exploit known as EternalBlue in order to spread.
Zero-day exploits are tools that take advantage of software vulnerabilities, letting attackers break into computer programs and data. EternalBlue exploits a vulnerability in Microsoft Windows and was part of a slew of NSA cyberweapons that were posted online by the hacker group Shadow Brokers in April.
That leak, security expert Matthew Hickey told Ars Technica, was “by far the most powerful cache of exploits ever released.”
“It effectively puts cyber weapons in the hands of anyone who downloads it,” Hickey added.
Greg Martin, CEO of cybersecurity firm JASK, described EternalBlue as “a universal skeleton key.”
“For many, many years, while it was a secret, the NSA could use [EternalBlue] to unlock any door of any computer network in the world,” Martin said. “It was the ultimate cyberweapon for espionage.”
A variation of EternalBlue was first used in May’s WannaCry attack. The assault was stalled and then shut down when Marcus Hutchins, a 22-year-old security researcher in England, found and activated a “kill switch” in the code. Since then, Politico has reported, hackers have been tweaking WannaCry’s code to get around a potential kill switch and carry out a more widespread global attack. Petya’s code was finalized on June 18, according to Kaspersky Lab, a Russian cybersecurity firm.
Petya is more sophisticated than WannaCry, said Alex Hamerstone, a cybersecurity expert at TrustedSec. “It appears to use a lot of the same elements [as WannaCry], but it’s spreading and replicating itself in a more sophisticated way,” he said. “And this attack is not just encrypting files, it’s encrypting at a deeper level than that.”
Indeed, cybersecurity firm FireEye told The Financial Times that rather than encrypting files, Petya holds the entire system hostage until a ransom has been paid.
The ransomware hit several European countries and corporations, including Ukraine’s central bank and its capital’s main airport, Russian state-owned oil giant Rosneft, British advertising company WPP, pharmaceutical giant Merck, and shipping company A.P. Moller-Maersk, which said every branch of its business was affected.
Though it’s unclear how far-reaching Petya’s consequences will be, “they’ll likely be quite large,” Hamerstone said. “They’re taking down systems and shutting down companies.”
The malware demands a ransom paid in Bitcoin before victims can recover their data. Nine victims have paid a ransom so far, according to Politico.
Following the attack, Merck reportedly instructed all employees to turn off their work computers indefinitely and is in the midst of a company-wide shutdown.
Martin said the implications of Tuesday’s attack are “really scary, because these sophisticated cyberweapons are out in the open. Any cyber criminal, terrorist organization, or foreign government can take these tools, weaponize them, and run their own attack.”
‘Ukraine was targeted’
So far, experts have found that Ukraine was the hardest hit, followed by Russia.
The Ukrainian central bank said Tuesday that an “unknown virus” was the culprit of attacks leveled against it. “As a result of these cyberattacks these banks are having difficulties with client services and carrying out banking operations,” the bank said in a statement.
The country’s official Twitter account also issued a statement. “Some of our gov agencies, private firms were hit by a virus. No need to panic, we’re putting utmost efforts to tackle the issue,” the tweet read.
Petya also forced Ukraine’s Chernobyl plant to switch to manual radiation monitoring of its site.
Martin said that although Ukraine was the hardest hit, “it is not any more vulnerable than the US or Canada or the UK.”
Instead, he said he believes “Ukraine was targeted,” because of its tumultuous political climate, “by bad actors who are using it as a cyberweapon testing ground over the past couple of years.”
In 2015, a massive cyberattack leveled against the country’s power grid cut electricity to almost 250,000 Ukrainians. Cybersecurity experts linked the attack to IP addresses associated with Russia. Since then, Wired Magazine’s Andy Greenberg reported last week, Ukraine has been the victim of a growing crisis in which an increasing number of Ukrainian corporations and government agencies have been hit by cyberattacks in “rapid, remorseless succession.”
Ukraine is now host to what may turn into a full-blown cyberwar, Greenberg reported. Two separate attacks on the country’s power grid were part of a “digital blitzkrieg” waged against it for the last three years.
“You can’t really find a space in Ukraine where there hasn’t been an attack,” Kenneth Geers, a NATO ambassador focusing on cybersecurity, told Wired.
It’s unclear where Tuesday’s cyberattack originated.
“In cases like this and with the WannaCry attack, we can see that bad actors, whoever they may be, can continually up the ante and sophistication of how damaging these attacks are,” Martin said.
He added that “this is about unfettered access and being able to infect any machine in the world.”
May’s WannaCry attack was linked back to the North Korean government, “and although North Korea is well-organized, they’ve been shown to have lots of mistakes in attacks they’ve waged in the past,” Martin said.
If Petya is found to have originated from Russian-linked hackers, however, “we can expect that this attack will be much more far-reaching and sophisticated.”