In the summer of 2017, a software update for a popular Ukrainian accounting software pushed malware onto systems of companies doing business in Ukraine. The attack stopped life in Ukraine and crippled the Western logistics supply chain, hitting shipping giant Maersk, postal company FedEx, and the Port of Rotterdam. That was just the beginning effect of a chain reaction, masterminded by the Kremlin.
Pundits eagerly pointed out stolen code from the National Security Agency (NSA) within the malware to claim authority on the attack, effectively binding NSA’s exploit and the attack together whenever either comes up. The lingering story that stuck in the public imagination: the Russian cyberattack was executed with help of cyberweapons that the NSA lost control of.
The narrative that took shape showed a devastating failure of the US government, and turned public attention away from who was accountable for the attack. As a researcher who has extensively studied cyber operations and influence effects, I was gripped by how NotPetya appeared engineered to deflect attention away from who authored the attacks.
NotPetya ushered in a new era of implant-enabled warfare where public opinion is as much the target as traditional IT systems. This wasn’t “hack and leak” or “inauthentic amplification” on social media. This is information operations by using malware to create a narrative, and shows what the future of conflict looks like: one where malware not only disrupts our business operations but also targets our minds and influences media coverage. NotPetya created significant downtime and a whopping $10 billion in damages, but its most subversive impact was how it deceived the public.
There are two defining milestones in the history of cyberwar via implant. One of them showcased clandestine tradecraft. The other utilized publicly-visible cross-domain effects. Both would have a profound influence on future cyber operations.
The first was Stuxnet, which targeted Iran's nuclear centrifuges and physically damaged them. It combined the cyber domain with the realm of kinetic destruction. A clandestine operation which made for a riveting tale that’s pretty easy to comprehend. The goal of Stuxnet was to sabotage Iran’s nuclear program while evading discovery for as long as possible.
On the other hand, NotPetya’s multi-domain nature doesn’t let itself get defined quite as easily.
It’s widely accepted that NotPetya was orchestrated by Russia’s military intelligence agency, the GRU. The GRU employs top tier offensive cyber operations and psychological operations teams. It has also been deemed responsible for poisoning Skripal, posing as little green men in Ukraine, and many other plausible deniability scenarios. This doctrine of plausible deniability doesn’t differentiate between the cyber and physical realm. It applies to all domains, at all times. It’s part of the agency's Modus Operandi.
Full analysis of the different aspects of NotPetya requires expertise in offensive cyber operations, Reverse Engineering, PSYOPS, information operations, media theory, geopolitics, warfare, Russia, Ukraine, and military intelligence. Limiting ourselves to a cyber perspective will produce an inherently myopic analysis.
So what was NotPetya? In simple technical terms, we can say that NotPetya was a piece of destructive/wiper malware posing as ransomware. It was pushed to companies using the update mechanism of a very popular piece of Ukrainian accounting software. To spread across the network it leveraged both Pass-The-Hash techniques and Eternalblue, an NSA exploit first made public by the Shadow Brokers. The end result of the attack was that most of the companies ended up with their entire Windows infrastructure wiped out. Industrial Control Systems that relied on Windows machines for input were grounded to a halt.
It is impossible to conclusively prove motive and intent without deep access inside a target organization. In GRU’s case that would involve getting access to a person or system with the NotPetya mission plan. Unless a rival intelligence agency is willing to burn sources and methods, our public conversation about NotPetya’s desired effects is therefore limited to conjecture. We must get more comfortable operating in this gray zone, whether we like it or not. Otherwise our public analysis will be inherently astigmatic, which leads to bad decision making.
NotPetya is a puzzle comprised of plausible deniability.
Here are some of the dominant narratives that emerged in different communities:
- NotPetya was a worm that spun out of control; it was only supposed to target Ukraine. Prior attacks were exclusively targeting Ukraine, therefore this campaign was intended to only hit Ukraine too.
- NSA’s EternalBlue exploit played a significant role in NotPetya, with subsequent focus on NSA’s failing to either protect their toolkit or NSA’s failing to notify Microsoft after finding the vulnerability. Wormable exploits capture the imagination.
- NotPetya didn’t mean to target critical infrastructure, because there was no Industrial Control System-specific payload.
Note that there’s no actual proof for these narratives. They are backed by sentiment and exploit our confirmation biases.
These are the theories that got no or little airtime:
- The attackers are top tier offensive operators, Ukraine experts, and had access to the accounting software infrastructure for a longer period of time. They would have been aware that non-Ukrainian entities were targets. There is also no evidence to suggest that the attackers were trying to limit their attack to Ukrainian entities.
- Most of the successful lateral movement comes from the Pass-The-Hash tools inside NotPetya. The offensive cyber operations part of NotPetya would not have been materially less successful without EternalBlue. Even two years ago Red teams, offensive teams simulating adversaries, would choose PTH tools over EternalBlue for lateral movement during their pen tests. Could there be an ulterior motive at play for including EternalBlue, knowing that the threat actor is extremely adept at influencing public perception?
What were the effects of the narratives?
- NotPetya was primarily framed as yet another attack against Ukraine by Russia. It was not seen as a show of force or a form of economic sanctions against those countries and companies doing business in Ukraine. This also quashed the public chatter about a possible NATO article five situation, where an attack against one NATO member is seen as an attack against all.
- Primed by the Shadow Brokers (and WannaCry), most of the mainstream technical press focused on the compromise at NSA and the effects thereof. Instead of responding to our adversary, the US government was on its back foot defending its mission. It also created negative sentiment against GRU’s arch nemesis, NSA. It simply doesn’t get better for the GRU. We would presume this to be absolute mission success for them.
NotPetya’s destructiveness affected not just valid military targets but also civilian entities. During peacetime. In numerous countries. This behavior goes against decades of international norms. Destover exclusively targeted Sony. Shamoon exclusively targeted Aramco. Stuxnet spread wide and far, but its destructive payload was confined to specific Iranian targets.
Let’s ask ourselves the following questions:
- What would the news coverage have been without the ransomware cover for action? Imagine NotPetya had behaved like a pure wiper such as Shamoon or Destover. It would have materially changed coverage and (political) response from the get-go.
- What would the secondary coverage and response have been if NotPetya had not included the EternalBlue exploit? Again, EB wasn’t really all that useful for NotPetya’s spread. Instead of having to defend its mission, the US government and its allies could have responded to the adversary with greater resolve and backing, or at least more quickly.
I can’t provide conclusive evidence about GRU’s motive and intent, but NotPetya’s mechanisms of action and makeup really shaped the narratives and outcomes in Russia’s favor. It’s highly unlikely the makeup and mechanisms of the NotPetya campaign were happenstance coming from one of the world’s leading information operations teams.
In effect, a situation has been created where a foreign adversary can include EternalBlue exploit code in malware and be almost guaranteed anti-USG/NSA sentiment. This is the binary embodiment of offensive cyber operations as influence activity, or the further weaponization of information.
There’s no doubt in my mind that others have taken note of the NotPetya operation. This is akin to Stuxnet in 2010 and the influence operations surrounding the 2016 elections. We must realize that this isn’t cyber, but societal warfare. We should analyze and report on it as such.
Roel Schouwenberg is the intelligence and research director at Celsus.IO. The Celsus Advisory Group and its team of cross-domain, multidisciplinary experts offer intelligence-driven strategic consulting services.
Subscribe to our new cybersecurity podcast, CYBER.