A devastating cyberattack initially targeting Ukraine’s infrastructure spread like wildfire across the globe on Tuesday, and in the space of just a couple of hours, locked down the computer systems and demanded ransoms from hundreds of organizations including shipping giant Maersk, the world’s largest advertising holding company WPP, and even the Chernobyl nuclear reactor.
The attack has been widely reported as a straight-up criminal enterprise spreading ransomware in order to make money, but on that front, it was a dud. Despite infecting thousands of computers, the so-called ransomware has generated just over $10,000 for the hackers, a tiny fraction of the cost of the damage inflicted on the affected companies.
Experts believe the real attack has been camouflaged to deflect attention from a state-sponsored attack on Ukraine, orchestrated by the Kremlin as part of its ongoing destabilization campaign against its neighbor.
Initial reports compared the attack to the recent WannaCry ransomware, saying it was caused by a variant of a piece of ransomware called Petya, which first began circulating in 2016. But new analysis suggests that these reports were inaccurate, and that the malware spread on Wednesday was in fact designed to destroy data on infected systems.
Comae Technologies, which looked closely at how the malware operated, suggests it was designed to look like ransomware, but was in fact a type of malware called a wiper, which destroys all records from the system.
“We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker,” Matt Suiche, founder of Comae Technologies, wrote in a blog post on Wednesday.
While the stated aim of ransomware is to generate income from people willing to hand over money in return for getting their files back, in the case of these attacks, money doesn’t appear to be the driving motivation.
“The data supports the argument that this malware is nation-state driven and is only aimed at disrupting operations rather than monetizing on the ransom,” Amichai Shulman, co-founder at security company Imperva told VICE News.’
Ransomware was a camouflage
After the Petya ransomware infects a machine, it scans the local network and quickly infects all other PCs on the system. It doesn’t, however, propagate outside the local network, which is why it hasn’t spread much wider. This behaviour makes it ideal for targeted attacks rather than widespread campaigns designed to generate huge revenues.
“It is possible that making money was not the primary motive of these attackers,” Eset researcher Robert Lipovsky told VICE News. “The ransomware was more of a camouflage, and [the attackers] were more focused on the sabotage part.”
The email address set up by the attackers to communicate with victims and send the decryption code was quickly shut down by the German provider, meaning that even if victims do pay the ransom, they’ll never get their files back.
There is further evidence that the timing of the cyberattack was set to coincide with events in the real world, with Ukraine celebrating Constitution Day on Wednesday. “The fact that the malware was set to wait five days before triggering on June 27, a day before a Ukrainian public holiday celebrating the ratification of its new constitution in 1996, also tends to lend weight to the proposition that the attack was targeted primarily at victims in the Ukraine,” Rik Ferguson, vice president of security research at Trend Micro, told VICE News.
Russia has been implicated in multiple high-profile attacks on Ukraine in recent years, including two attacks on energy grids that left hundreds of thousands of people in the dark for several hours on both occasions. In December, Ukraine’s president, Petro Poroshenko, reported that there had been 6,500 cyberattacks on 36 Ukrainian targets in just the previous two months.
Adding to the tension in the region on Tuesday, Maksim Shapoval, a colonel in the Ukraine military intelligence, was killed in a car bomb in Kiev. According to the Interior Ministry, Shapoval had recently returned from the conflict zone in eastern Ukraine and that the authorities believe the motive for the “targeted assassination” was his “professional service.”
As is typical in cyberattack attribution, there’s no hard evidence that the Kremlin directed it directly. As Russian President Vladimir Putin has said in the past, attacks may be carried out by “patriotic individuals.”
“There may be criminals that are operating like mercenaries, and that may be confusing some people, but there is no evidence other than profit as a motive so far,” Sean Sullivan, a security advisor at F-Secure, told VICE News.
Source of the attack
On Wednesday Microsoft and Ukrainian police confirmed that primary source of the initial attack was MEDoc, a company that sells financial software and one of only two products approved by the government for companies to file tax returns.
Clients of MEDoc get regular software updates that are automatically downloaded onto their networks, and that was the delivery system hackers used to breach the security of dozens of Ukrainian organizations.
MEDoc has categorially denied that it was the source of the outage, but multiple security researchers confirmed to VICE News that this was the initial source of the attack. However, it is unclear if MEDoc’s systems were compromised to upload a software update or if the attackers were able to interfere with the update in transit, using what’s known as a man-in-the-middle attack.
Others in Ukraine were also hit when they visited a local news website that had been compromised to download the malware automatically to victims’ computers. According to the latest figures from security company Eset, over 75 percent of infections are located in Ukraine, indicating it was clearly the focus of the attack.
Among the victims of the attack was the Chernobyl nuclear plant, with Ukraine’s exclusion zone agency saying that the radiation monitoring system had been taken offline, forcing employees to use handheld counters to measure levels.
Ukraine’s department of information and communication said Wednesday morning that everything is “under control” and it is working on restoring lost data.
What’s less clear is how or why this ransomware spread beyond Ukraine’s borders, especially since it attacked multiple targets in Russia including the Kremlin-controlled Rosneft, the country’s largest crude producer. Rosneft said it was able to mitigate the attack and get it under control quickly without it causing any damage.
From Russia the malware spread across Europe, with A.P. Moller-Maersk, operator of the world’s largest container line, saying its customers can’t use online booking tools and its internal systems are down.
In the U.K., advertising agency WPP told all employees to turn off their computers and not use Wi-Fi. Global law firm DLA Piper, which recently published an article about how to protect yourself against ransomware attacks, said it “experienced issues with some of its systems due to suspected malware.”
So why were companies across the globe infected by a piece of malware seemingly designed to hit only Ukrainian businesses? Security expert Kevin Beaumont points out, like Stuxnet, it could have all just been a mistake.
Cover: Employees read a ransomware demand for the payment of $300 worth of bitcoin on company computers infected by the ‘Petya’ software virus inside a retail store in Kiev, Ukraine, on Wednesday, June 28, 2017. Vincent Mundy/Bloomberg via Getty Images