#notpetya

Yes, even regarding their occupation of a nuclear plant.

Here are relevant excerpts from the full article I wrote on the topic of malware & industrial control systems some time ago, which you can read in full here. I copy pasted it so if links are weird check the original I am too tired to perfect it for a tumblr upload.

This is an art blog but I have been trying to make people read about these things for eons and it is, unfortunately, more relevant than ever right now.

Cyberattacks say a lot about intentions of the offender. They are not trapped in the cyber world. I think of them as a promise, not a test.

It was December 23rd 2015, and 200,000 Ukrainians were left without electricity for up to six hours. The attack shut off 30 distribution substations located in the Kyiv and western Ivano-Frankivsk region [1][21]. The malware forced manual power restoration since the SCADA equipment was inoperable, elongating the delay. The attack was not especially sophisticated, which makes it especially alarming — breakers were being tripped manually through remote control software. A variation of the BlackEnergy malware was identified as what facilitated the power outage. It too was introduced to the company network through spear-phishing emails.

Then on December 17th 2016, another power outage occurred in Ukraine as the consequence of a cyberattack, six days short of a year after the first. Approximately 225,000 customers were affected [1] though power was restored much faster this time around — within three hours. Only one transmission substation was impacted, located in Kyiv [21].

The most disturbing difference is the 2016 attack demonstrated an escalation in technique — it is believed to have been facilitated by direct SCADA manipulation malware. The malware became known as CRASHOVERRIDE, the first of its kind: crafted to disrupt electrical grids [1].

CRASHOVERRIDE was the fourth piece of malware directed specifically at ICSs. Preceded only by Stuxnet, BlackEnergy-2 and Havex. Havex and BlackEnergy are suspected to be the work of a group known as GRIZZLEY STEPPES, or occasionally Dragonfly/energetic bear. Evidence suggests they are a threat actor group with ties to Russian intelligence and military agencies [1]. Both attacks on Ukrainian power grids have been attributed to Russia [21].

A year later, In the early hours of June 27th 2017, malware not unlike Slammer spread around the world with unprecedented speed. Its crosshair was locked on Ukraine, and it nearly entirely crippled them.

It began with the CEO of Dragos — an ICS cybersecurity firm — tweeting a report indicating that an electric power supplier to Kyiv had been hacked. Maersk announces its IT systems are down not long after, with countless other companies subsequently being incapacitated. Their screens displayed nothing but a ransom note demanding payment to unencrypt the now inaccessible files. Around five hours pass and Kaspersky tweets a statement detailing that the ransomware is not that of any previously identified.

At the time of the Kaspersky report it had infected approximately 2,000 organizations [16]. The ransomware was credited with being the fastest propagating piece of software to date. It took 45 seconds to bring down the network of a large Ukrainian bank. In a major Ukrainian transit hub, it took 16 seconds. The attack cost more than $10 billion in damage [12]. The malware had the appearance of the ransomware Petya, but files were not unencrypted once the ransom was paid — that appearance was a distraction. The malware was a worm designed to cause immeasurable disruption. The malware was named NotPetya.

The list of victims is long and varied; It hit four hospitals in Kyiv, six power companies, two airports and more than twenty two Ukrainian banks. It managed to escape Ukranian networks, hamstringing hospitals in Pennsylvania and a chocolate factory in Tasmania, Australia. It incapacitated multinational companies including a pharmaceutical giant, a European subsidiary of FedEx and the Danish shipping company AP Moller-Maersk. Maersk was responsible for 76 ports all over the world and nearly 800 seafaring vessels. This attack rendered them inoperable — close to a fifth of the entire world’s shipping capacity had been immobilized [12].

Even Chernobyl nuclear power plant operations were impacted; they were forced to switch to manual radiation monitoring since its windows-based sensors had been shut down. ATMs and point-of-sale terminals were infected rendering citizens unable to pay for essential goods or transport if they did not have cash on hand. Even if they did, many vendors were equally as paralysed [12][13].

Digitaalisuus on suuri mahdollisuus yrityksille, mutta sen mukana tulee myös täysin uusia uhkia, joihin yritykset eivät välttämättä ole osanneet varautua juuri lainkaan. Tästä hyvänä esimerkkinä uusin kiristysohjelma NotPetya- ja GoldenEye -nimillä kutsuttu haitake.

Uusimman kiristysohjelman, joka tunnetaan maailmalla nimillä NotPetya ja GoldenEye, uhreiksi ovat jo joutuneet tanskalainen kuljetusfirma Maersk sekä venäläinen öljy-yhtiö Rosneft. Näiden lisäksi ohjelma on haitannut ainakin Tsernobylin ydinvoimalan, Ukrainan keskuspankin ja Boryspilin lentoaseman toimintaa ja järjestelmiä. Näin uutisoi Kauppalehti 28.6.2017.

Haittaohjelma hyödyntää samaa EternalBlue -nimellä kutsuttua hyökkäyskoodia kuin WannaCry. Microsoft paikkasi tietoturva-aukon maaliskuussa, mutta maailmalta löytyy edelleen päivittämättömiä järjestelmiä. Yhtiö kehoittaa varomaan erityisesti sähköpostin välityksellä leviäviä tiedostoja. Haittaohjelma salaa tietokeneen tiedot ja vaatii lunnaiksi 300 dollarin summaa bitcoineina.

“Näinkin laaja kyberhyökkäyksen onnistuminen kertoo siitä, kuinka surullisen heikoissa kantimissa monien yritysten päivitystenhallinta on. Niissä ei ole vieläkään saatu päivitettyä ongelmia, joita hyväksikäytettiin näkyvästi jo kuukausia aiemmin edellisissä hyökkäyksissä” - Teknologiajohtaja Juho Ranta

Miten sitten pitäisi toimia, jos on joutunut kyseisen kyberhyökkäyksen kohteeksi? Verkkopalveluiden tietoturva-aukkoja tutkivan Second Nature Securityn teknologiajohtaja Juho Ranta ohjeistaa seuraavaa:

Minkäänlaisia kiristysmaksuja ei pidä maksaa, koska ei ole mitään takeita siitä, että tiedostoja saisi takaisin

Kaikki käyttöoikeudet verkkolevyissä ja muissa vastaavissa laitteissa tulee vaihtaa, jos verkko on saastunut

Verkkolevyjen tapahtumalogeja tulee seurata saastuneiden laitteiden havaitsemiseksi

Pyri eristämään saastuneet laitteet työaseman verkosta

Muista aina päivittää ohjelmistot säännöllisesti