NotPetya: From Russian Intelligence, With Love


Level 18
Thread author
Top Poster
Content Creator
Nov 15, 2016
CIA Reportedly Believes Russian Military Launched Wiper Disguised as Ransomware


NotPetya outbreak ground zero: Kiev-based servers hosting M.E. Doc software updates. (Source: Ukrainian police)

A new report says that the CIA has attributed last year's NotPetya malware outbreak to the Russian military.

See Also: Ransomware: The Look at Future Trends

Citing no sources by name, The Washington Post report instead references "classified reports cited by U.S. intelligence officials." It says the CIA concluded last November with "high confidence" that Russia's GRU military intelligence agency was behind NotPetya, aka SortaPetya, Petna, ExPetr, Diskcoder.C, Nyetya and GoldenEye.

The CIA didn't immediately respond to a request for comment about the report.

European intelligence agencies also reportedly attributed NotPetya to the Kremlin, which may have been probing how quickly Ukraine could respond to a cyberattack.

The Ukrainian government was quick to blame Russia for unleashing NotPetya. The Kremlin has denied those accusations.

But the NotPetya attribution squares with numerous private sector assessments. While NotPetya first appeared to be a ransomware outbreak predicated on monetary gain, many researchers, including Dubai-based incident response expert Matthieu Suiche, quickly concluded that NotPetya was instead designed explicitly to cause chaos and delete data, leaving systems unrecoverable. As researchers at Moscow-based security firm Kaspersky Labwrote last June, "it appears it was designed as a wiper pretending to be ransomware."

Ransomwares and hackers are becoming the scapegoats of nation state attackers. Petya is a wiper not a ransomware. Petya.2017 is a wiper not a ransomware – Comae Technologies

— Matthieu Suiche (@msuiche) June 28, 2017
The malware outbreak began on May 27, 2017, via "a very stealthy and cunning backdoor" added to source code of accountancy software called M.E. Doc, an accountancy program widely used in Ukraine, according to Slovakian security firm ESET. Police in Ukraine ultimately raided Kiev-based Intellect Service, which develops the software, seizing its update servers (see Police Seize Backdoored Firm's Servers to Stop Attacks).

Ground zero for NotPetya was Ukraine. But the malware spread to Ukrainian business partners in many other countries, including Russia, Poland, Italy, Germany, Denmark, the United Kingdom and the United States (see Maersk Previews NotPetya Impact: Up to $300 Million).


Detections of NotPetya malware outbreaks - as of 9:00 a.m. PDT on June 28, 2017 - by ESET.
Fake News as a Weapon
Intelligence experts say NotPetya follows in the mold of the Kremlin's previous tactics, which increasingly blend traditional military campaigns with information warfare and cyberattacks, seeming to probe for weak points not just in military and cybersecurity defenses, but also government policy (see No Shock: Russia Confirms 'Cyber War' Efforts).

One favored Kremlin tactic is the so-called 4D campaign - for dismiss, distort, distract and dismay - according to former U.S. Ambassador to Germany John B. Emerson. In a 2015 speech, he warned that the Russian government was becoming more expert at running these types of propaganda campaigns (see The US Presidential Election Hacker Who Wasn't).

"It's a pattern of more bold, aggressive action," says Robert Hannigan, former head of Britain's GCHQ intelligence agency, describing Russia's hybrid warfare tactics to The Washington Post.

Indeed, NotPetya is not an isolated incident. Counting NotPetya, by last summer Ukraine had been hit by four lookalike malware strains, including XData, PSCrypt and a WannaCry lookalike (see Ukraine Power Supplier Hit by WannaCry Lookalike).

Many information security experts believe Russia is using Ukraine as a cyberattack test bed. Many also believe other hacking groups, including Fancy Bear - aka Sofacy, Pawn Storm and APT28, amongst other names - are tied to the GRU (see Fancy Bear Targets US Senate, Security Researchers Warn).

The Shadow Brokers Connection
Meanwhile, there's The Shadow Brokers, a group that first appeared in August 2016 and began leaking multiple attacks built by the Equation Group, which many believe is the U.S. National Security Agency.

Those attacks included EternalBlue, which targets a flaw in server message block, or SMB, version 1 protocol in Windows that Microsoft has patched (see Eternally Blue? Scanner Finds EternalBlue Still Widespread).

After EternalBlue was leaked on April 14, 2017, WannaCry and later NotPetya used the exploit to spread rapidly. While the identity of The Shadow Brokers remains an open question, many believe it's a Russian intelligence operation.

"I've long suspected EternalBlue was burned to take media focus away from Russian hacking and put it on U.S. hacking," Jake Williams, head of cybersecurity consultancy Rendition Infosec, says via Twitter.

Kaspersky Lab Questions
The Russian government may have obtained EternalBlue and other exploits after an NSA employee, 67-year old Nghia Hoang Pho, took home classified information and installed it on his home PC, which was running Kaspersky Lab's anti-virus software as well as a pirated and potentially backdoored copy of Microsoft Office 2013 (see Spy Whose Files Were Plucked by Kaspersky Pleads Guilty).

Multiple U.S. officials, speaking on background, have claimed that the Russian government used Kaspersky Lab's telemetry network and endpoint software to scan for keywords tied to U.S. intelligence operations (see Kaspersky Lab Says It Spotted APT Code, Quickly Deleted It).

Kaspersky Lab, however, has continued to deny any wrongdoing and warned against heeding "unverified opinions" and "unsubstantiated allegations" against it. "We have never helped and will never help any government with its cyber espionage efforts, and we have no ties with Shadow Brokers or any other cyber-threat actor," the company says in a statement.

"We are committed to demonstrating our trustworthiness with our Global Transparency Initiative," it adds (see Kaspersky Opens Up Code to Refute Spying Allegations).

Two separate issues at play here:
1. Was SB Russia (or any other nation state)
2. Did Kaspersky help

It's important to keep these separate and not conflate the two.

— Jake Williams (@MalwareJake) January 15, 2018
Information security experts say it's unlikely that the U.S. government or anyone else who believes that the Russian government used Kaspersky Lab's software to spy on systems would ever release evidence to back up that assertion, since it might expose intelligence-gathering methods. But this failure to produce any hard evidence means that Kaspersky Lab has no opportunity to refute it.

"For political and commercial reasons Kaspersky has been put in the impossible position of trying to prove two negatives: one, that there are no back doors in its code and, two, that it is not an agent of the Russian intelligence community," says information assurance trainer William Hugh Murray. "Those who choose to believe these baseless charges are not going to be convinced by argument or evidence."

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.